Nynaeve

My laptop is infected, help.


I get all kinds of system alerts. One of them is of: [email protected], but I've got some about a Worm and other kinds of Trojans. I'm thinking this started because my Symantec AntiVirus isn't working. I tried updating it but it said the update files are corrupted. I installed a new antivirus, McAfee, but it doesn't seem to be helping. I've used its virus cleaning and spyware cleaning and it doesn't seem to find anything.

Also I can't access certain web pages, like Gmail (it says I can't because spyware on my computer is blocking it). And my homepage has turned into http://awarninglist.com/ and it tells me that I've got [email protected] and tells me to buy a certain antivirus.

I can't format my laptop right now, so any advice on what I can do would be greatly appreciated.

Thanks!

Here's the HijackThis log.

I hope I did it well because I'm not very knowledgeable when it comes to computers ^_^

 

 

Logfile of HijackThis v1.99.1

Scan saved at 21:24:35, on 26/01/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\inet20126\winlogon.exe

C:\Program Files\Video ActiveX Object\isamonitor.exe

C:\Program Files\Video ActiveX Object\pmsngr.exe

C:\Program Files\Video ActiveX Object\pmmon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Video ActiveX Object\isamini.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\Program Files\HPQ\One-Touch\OneTouch.EXE

c:\progra~1\mcafee\mcafee antispyware\massrv.exe

C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\progra~1\mcafee\MCAFEE~1\masalert.exe

C:\WINDOWS\inet20126\wpcem.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\inet20126\wpcem.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\inet20126\wpcem.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\MIRACLE\~tmp0374.exe

C:\WINDOWS\inet20126\mmx41.exe

C:\WINDOWS\inet20126\free.exe

C:\WINDOWS\inet20126\wpcem.exe

C:\WINDOWS\inet20126\syswin.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

F3 - REG:win.ini: run=C:\WINDOWS\inet20126\winlogon.exe

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20126\126185621.dll

O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll

O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Remote Selector] D:\REMOTE~1\REMOTE~1.EXE startup

O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20126\winlogon.exe

O4 - HKLM\..\Run: [Microsoft WWW] C:\WINDOWS\inet20126\free.exe

O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20126\svchost.exe

O4 - HKLM\..\Run: [sDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"

O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"

O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20126\winlogon.exe

O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...FreeInstall.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll

O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll

O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\zstkjr.dll

O21 - SSODL: System - {897EF7F8-3A39-4211-81F8-32E42966EC05} - dgflib.dll (file missing)

O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - C:\WINDOWS\System32\nbbrhbd.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\MIRACLE\~tmp0374.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

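The log above carries the classic SmitFraud/Renos tells: Windows binary names (winlogon.exe, svchost.exe) running from C:\WINDOWS\inet20126 instead of System32, autostarts and a service pointing into the user's Temp and profile folders, a legacy win.ini run= line, Winlogon Notify and SSODL DLLs outside System32 or missing, and an O17 entry that rewrites the DNS servers. The script below is an added example, not part of the post and not HijackThis code: it applies those checks to HijackThis 1.99 log lines. SAMPLE_LOG is a handful of lines copied from the log above plus a few clean lines for contrast, and the allowlists (SYSTEM_DIRS, WINDOWS_SUBDIRS_OK, KNOWN_SSODL) are assumptions about a stock Windows XP install rather than an authoritative list.

```python
"""Triage HijackThis 1.99 log lines for SmitFraud/Renos-style indicators.

Added example: not part of the forum post and not HijackThis code. SAMPLE_LOG is
copied from the log in the thread (plus clean lines); the allowlists below are
assumptions for a stock Windows XP install, not an authoritative list.
"""
import ntpath
import re

# Binary names malware borrows; the genuine copies live only in these directories.
SYSTEM_NAMES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Subfolders of %SystemRoot% where executables are expected (assumed allowlist).
WINDOWS_SUBDIRS_OK = {"system32", "system", "microsoft.net", "ime", "installer"}
# Stock XP ShellServiceObjectDelayLoad (O21) CLSIDs (assumed allowlist).
KNOWN_SSODL = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",   # WebCheck
               "{7849596A-48EA-486E-8937-A2A3009F31A9}",   # PostBootReminder
               "{FBEB8A05-BEEE-4442-804E-409D6C4515E9}",   # CDBurn
               "{35CEC8A3-2BE6-11D2-8773-92E220524153}"}   # SysTray
TEMP_MARKERS = ("\\temp\\", "locals~1\\temp", "\\~tmp")

PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys)\b", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def _path(text):
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def _masquerade(path):
    """A protected system binary name living outside its home directory."""
    name = ntpath.basename(path).lower()
    return name in SYSTEM_NAMES and ntpath.dirname(path).lower() not in SYSTEM_DIRS


def _from_temp(path):
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def _odd_windows_subdir(path):
    """Executable in a %SystemRoot% subfolder that is not a known one (e.g. inet20126)."""
    d = ntpath.dirname(path).lower()
    if not d.startswith("c:\\windows\\"):
        return False
    return d[len("c:\\windows\\"):].split("\\")[0] not in WINDOWS_SUBDIRS_OK


def triage_line(line):
    """Return the reasons one log line deserves attention (empty list = nothing seen)."""
    line = line.strip()
    reasons = []
    tag = line.split(" - ", 1)[0] if " - " in line else ""   # O4, O20 ... or "" for a process
    path = _path(line)
    if path:
        if _masquerade(path):
            reasons.append("system binary name outside System32: " + path)
        if _from_temp(path):
            reasons.append("executable in a temp/profile location: " + path)
        if _odd_windows_subdir(path):
            reasons.append("executable in an unexpected %SystemRoot% subfolder: " + path)
    if tag == "F3" and "win.ini" in line.lower():
        reasons.append("legacy win.ini run= autostart (rarely legitimate on XP)")
    if tag == "O2" and "(no name)" in line:
        reasons.append("unnamed BHO")
    if tag == "O17":
        reasons.append("DNS servers set to " + ", ".join(IPV4_RE.findall(line))
                       + "; confirm they belong to your ISP")
    if tag in ("O20", "O21"):
        if "(file missing)" in line:
            reasons.append(tag + " entry points to a missing DLL")
        elif path and ntpath.dirname(path).lower() not in SYSTEM_DIRS:
            reasons.append(tag + " DLL outside System32: " + path)
    if tag == "O21":
        clsid = CLSID_RE.search(line)
        if clsid and clsid.group(0).upper() not in KNOWN_SSODL:
            reasons.append("O21 SSODL CLSID not in the stock XP set: " + clsid.group(0))
    if tag == "O23" and "Unknown owner" in line:
        reasons.append("service binary carries no version/owner information")
    return reasons


def triage_log(text):
    """Return [(line, reasons)] for every line that raised at least one reason."""
    out = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            out.append((raw.strip(), reasons))
    return out


# Lines copied from the HijackThis log above, plus clean ones for contrast.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\inet20126\winlogon.exe
C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20126\winlogon.exe
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20126\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O21 - SSODL: System - {897EF7F8-3A39-4211-81F8-32E42966EC05} - dgflib.dll (file missing)
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\MIRACLE\~tmp0374.exe
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run as-is, it flags nine of the thirteen sample lines and leaves the genuine System32 winlogon.exe, ccApp.exe and NavLogon.dll alone. The checks are deliberately structural (where a file lives, whether the name belongs there, whether a loader hook points at nothing) rather than signature-based, because that is exactly what makes this infection visible even while the installed antivirus products are crippled.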

Hello Nynaeve, and welcome to Lavasoft Support Forums. My name is Charles and I will be dealing with your log today.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

We are going to boot into Safe Mode later in the fix, and there is no internet access.

 

Please download SmitfraudFix (by S!Ri)

Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

 

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Now, please reboot your computer into Safe Mode.

This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

 

Let's clean out your temporary internet files:

Close all open windows before we start.

Go to Start | Control Panel | Internet Options | General.

Click the Delete Cookies button.

Next to it, click the Delete Files button.

When prompted, place a check in: 'Delete all offline content', click OK

 

If you have Firefox installed, we need to clean out these temporary files as well:

Go to Tools | Options.

Click Privacy.

Press the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to finish, before closing it.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.

 

Now we'll clean other temporary files and your Recycle Bin:

Go to Start | Run | type: cleanmgr | OK.

Let it scan your system for files to remove.

Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.

Press OK to remove them.

 

Open the SmitfraudFix folder again.

Double-click smitfraudfix.cmd.

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it does, please restart it into Safe Mode again.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

 

Open the extracted SDFix folder and double click runThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

Press any key and it will restart the PC.

When the PC restarts the fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Post this in your next reply.

 

Please post me back rapport.txt, report.txt, along with a new HijackThis log.

Thanks,

Charles

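SmitfraudFix's rapport.txt, which Charles asks to have posted back, prints the SharedTaskScheduler registrations (SrchSTS) both before and after the clean, under "Before SmitFraudFix" and "After SmitFraudFix" banners. The useful check is to diff the two: anything still listed afterwards is persistence the tool did not remove. The script below is an added example, not from the thread's posts and not part of S!Ri's tool. SAMPLE_REPORT is an abridged copy of the rapport.txt posted later in this thread, and STOCK_STS is an assumed allowlist of the two SharedTaskScheduler CLSIDs a clean XP install carries, so any other survivor is reported as needing a look rather than declared infected (the report itself warns the keys are "not inevitably infected").

```python
"""Diff the Before/After SharedTaskScheduler listings in a SmitfraudFix rapport.txt.

Added example: not from the thread's posts and not part of S!Ri's tool. SAMPLE_REPORT
is an abridged copy of the report posted later in this thread; STOCK_STS is an assumed
allowlist of the SharedTaskScheduler CLSIDs a clean XP install carries.
"""
import re

# Banner lines look like "»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix".
BANNER_RE = re.compile(r"^»+\s*(.+?)\s*$", re.MULTILINE)
# "{CLSID}"="display name" under the SharedTaskScheduler key.
ENTRY_RE = re.compile(r'"(\{[0-9A-Fa-f-]{36}\})"="([^"]*)"')
# [...\CLSID\{CLSID}\InProcServer32] followed by @="path to dll".
SERVER_RE = re.compile(r'CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32\]\s*@="([^"]+)"')

STOCK_STS = {"{438755C2-A8BA-11D1-B96B-00A0C90312E1}",   # Browseui preloader (assumed)
             "{8C7461EF-2B13-11D2-BE35-3078302C2030}"}   # Component Categories cache daemon (assumed)


def split_sections(report):
    """Map each banner title to the text that follows it, up to the next banner."""
    banners = list(BANNER_RE.finditer(report))
    sections = {}
    for i, b in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(report)
        sections[b.group(1)] = report[b.end():end]
    return sections


def shared_task_entries(section):
    """CLSID -> (display name, InProcServer32 DLL) for each SharedTaskScheduler entry."""
    names = {c.upper(): n for c, n in ENTRY_RE.findall(section)}
    dlls = {c.upper(): p for c, p in SERVER_RE.findall(section)}
    return {c: (names[c], dlls.get(c, "(no InProcServer32 found)")) for c in names}


def compare(report):
    """Return (removed, survivors, suspicious_survivors), each keyed by CLSID."""
    sections = split_sections(report)
    before = shared_task_entries(sections["Before SmitFraudFix"])
    after = shared_task_entries(sections["After SmitFraudFix"])
    removed = {c: v for c, v in before.items() if c not in after}
    suspicious = {c: v for c, v in after.items() if c not in STOCK_STS}
    return removed, after, suspicious


# Abridged copy of the rapport.txt posted later in this thread.
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"

[HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\dbmmgr32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]
@="C:\WINDOWS\System32\zstkjr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"

[HKEY_CLASSES_ROOT\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
@="C:\WINDOWS\System32\nbbrhbd.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
C:\WINDOWS\System32\nbbrhbd.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\System32\nbbrhbd.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"

[HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\dbmmgr32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]
@="C:\WINDOWS\System32\zstkjr.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

if __name__ == "__main__":
    removed, survivors, suspicious = compare(SAMPLE_REPORT)
    for c, (name, dll) in removed.items():
        print("removed   ", c, name, dll)
    for c, (name, dll) in survivors.items():
        print("survived  ", "CHECK" if c in suspicious else "stock", c, name, dll)
```

On the sample, only the "hirtellous" entry (nbbrhbd.dll, the one the Renos fix deleted) disappears; "Network Neighborhood" and "DCOM Server 3339" are still registered afterwards and neither CLSID is a stock one, which is why a helper reads the After section before calling a machine clean rather than stopping at the "Deleted" lines.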

Hey, Charles. I did as you told me. I did the cleaning through SDFix twice, because after I did it the first time and the computer rebooted I opened it in Safe Mode and it didn't finish the process. So I did it again, this time going to Normal Mode after the computer rebooted, and then it DID continue and finish the operation. I hope that's okay. The only thing that concerns me is that when it finished the operation it said something about not finding the file DGFLIB.dll. Is that a bad thing?

Anyway, I don't have any virus warnings from System Alerts anymore and my Symantec AntiVirus is working, so I'm taking that as a good sign ;)

Here's the rapport:

 

 

SmitFraudFix v2.136

 

Scan done at 12:09:15.29, Sat 01/27/2007

Run from C:\Documents and Settings\MIRACLE\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"

 

[HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]

@="C:\WINDOWS\dbmmgr32.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]

@="C:\WINDOWS\dbmmgr32.dll"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"

 

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]

@="C:\WINDOWS\System32\zstkjr.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]

@="C:\WINDOWS\System32\zstkjr.dll"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"

 

[HKEY_CLASSES_ROOT\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]

@="C:\WINDOWS\System32\nbbrhbd.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]

@="C:\WINDOWS\System32\nbbrhbd.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

C:\WINDOWS\System32\nbbrhbd.dll -> Hoax.Win32.Renos.gen.i

C:\WINDOWS\System32\nbbrhbd.dll -> Deleted

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted

C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted

C:\Program Files\Video ActiveX Object\ Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"

 

[HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]

@="C:\WINDOWS\dbmmgr32.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]

@="C:\WINDOWS\dbmmgr32.dll"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"

 

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]

@="C:\WINDOWS\System32\zstkjr.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]

@="C:\WINDOWS\System32\zstkjr.dll"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

 

And here's the report:

 

 

SDFix: Version 1.62

 

Sat 01/27/2007 - 12:18:48.31

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

 

Path:

 

 

Restoring Windows Registry Entries

Restoring Default Hosts File

 

Killing PID 140 'smss.exe'

Killing PID 216 'winlogon.exe'

Killing PID 140 'smss.exe'

Killing PID 220 'winlogon.exe'

 

Rebooting...

 

Normal Mode:

Checking Files:

 

Files will be copied to Backups folder and removed:

 

C:\WINDOWS\SYSTEM32\DGFLIB.DLL - Deleted

C:\WINDOWS\SYSTEM32\DGFLIB.DLL - Deleted

C:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted

C:\WINDOWS\inet20126\124134536.dll - Deleted

C:\WINDOWS\inet20126\124144645.dll - Deleted

C:\WINDOWS\inet20126\126235254.dll - Deleted

C:\WINDOWS\inet20126\1271130.dll - Deleted

C:\WINDOWS\inet20126\data.ini - Deleted

C:\WINDOWS\inet20126\free.exe - Deleted

C:\WINDOWS\inet20126\free.exe.bak - Deleted

C:\WINDOWS\inet20126\mm.pid - Deleted

C:\WINDOWS\inet20126\mmx158.exe - Deleted

C:\WINDOWS\inet20126\mmx173.exe - Deleted

C:\WINDOWS\inet20126\mmx222.exe - Deleted

C:\WINDOWS\inet20126\mmx295.exe - Deleted

C:\WINDOWS\inet20126\mmx305.exe - Deleted

C:\WINDOWS\inet20126\mmx348.exe - Deleted

C:\WINDOWS\inet20126\mmx350.exe - Deleted

C:\WINDOWS\inet20126\mmx359.exe - Deleted

C:\WINDOWS\inet20126\mmx363.exe - Deleted

C:\WINDOWS\inet20126\mmx387.exe - Deleted

C:\WINDOWS\inet20126\mmx41.exe - Deleted

C:\WINDOWS\inet20126\mmx411.exe - Deleted

C:\WINDOWS\inet20126\mmx432.exe - Deleted

C:\WINDOWS\inet20126\mmx438.exe - Deleted

C:\WINDOWS\inet20126\mmx467.exe - Deleted

C:\WINDOWS\inet20126\mmx478.exe - Deleted

C:\WINDOWS\inet20126\mmx481.exe - Deleted

C:\WINDOWS\inet20126\mmx484.exe - Deleted

C:\WINDOWS\inet20126\mmx560.exe - Deleted

C:\WINDOWS\inet20126\mmx570.exe - Deleted

C:\WINDOWS\inet20126\mmx598.exe - Deleted

C:\WINDOWS\inet20126\mmx616.exe - Deleted

C:\WINDOWS\inet20126\mmx629.exe - Deleted

C:\WINDOWS\inet20126\mmx642.exe - Deleted

C:\WINDOWS\inet20126\mmx646.exe - Deleted

C:\WINDOWS\inet20126\mmx692.exe - Deleted

C:\WINDOWS\inet20126\mmx7.exe - Deleted

C:\WINDOWS\inet20126\mmx711.exe - Deleted

C:\WINDOWS\inet20126\mmx75.exe - Deleted

C:\WINDOWS\inet20126\mmx760.exe - Deleted

C:\WINDOWS\inet20126\mmx766.exe - Deleted

C:\WINDOWS\inet20126\mmx776.exe - Deleted

C:\WINDOWS\inet20126\mmx794.exe - Deleted

C:\WINDOWS\inet20126\mmx806.exe - Deleted

C:\WINDOWS\inet20126\mmx823.exe - Deleted

C:\WINDOWS\inet20126\mmx843.exe - Deleted

C:\WINDOWS\inet20126\mmx850.exe - Deleted

C:\WINDOWS\inet20126\mmx855.exe - Deleted

C:\WINDOWS\inet20126\mmx864.exe - Deleted

C:\WINDOWS\inet20126\mmx896.exe - Deleted

C:\WINDOWS\inet20126\mmx950.exe - Deleted

C:\WINDOWS\inet20126\mmx967.exe - Deleted

C:\WINDOWS\inet20126\mmx968.exe - Deleted

C:\WINDOWS\inet20126\OEM.exe - Deleted

C:\WINDOWS\inet20126\OEM.exe.bak - Deleted

C:\WINDOWS\inet20126\syswin.exe - Deleted

C:\WINDOWS\inet20126\syswin.exe.bak - Deleted

C:\WINDOWS\inet20126\winlogon.exe - Deleted

C:\WINDOWS\inet20126\wpcem.exe - Deleted

C:\WINDOWS\inet20126\7\avenge$201.5$20microdefs2$20corp$209_microdefsb.curdefs_symalllanguages_livetri.zip - Deleted

C:\WINDOWS\inet20126\7\avenge$201.5$20microdefs2$20corp$209_microdefsb.old_symalllanguages_livetri.zip - Deleted

C:\WINDOWS\inet20126\7\liveupdate_2.0_english_livetri.zip - Deleted

C:\WINDOWS\inet20126\7\symantec$20antivirus$20corporate$20client$20nt_9.0_english_livetri.zip - Deleted

C:\WINDOWS\inet20126\7\hackerwatch\cache\123ED1056911\500406_MPFP_9036_4523BCFF_0.xdb - Deleted

C:\WINDOWS\inet20126\gif\chgif2.exe - Deleted

C:\WINDOWS\inet20126\www.google.com\favicon.ico - Deleted

C:\WINDOWS\inet20126\www.google.com\index.html - Deleted

C:\WINDOWS\inet20126\www.google.com\thank.html - Deleted

C:\WINDOWS\inet20126\www.google.com\ads\adwords.gif - Deleted

C:\WINDOWS\inet20126\www.google.com\afsonline\show_afs_search.js - Deleted

C:\WINDOWS\inet20126\www.google.com\Google_files\hp0.gif - Deleted

C:\WINDOWS\inet20126\www.google.com\Google_files\hp1.gif - Deleted

C:\WINDOWS\inet20126\www.google.com\Google_files\hp2.gif - Deleted

C:\WINDOWS\inet20126\www.google.com\Google_files\hp3.gif - Deleted

C:\WINDOWS\system32\drivers\etc\hosts.tim - Deleted

C:\WINDOWS\system32\drivers\msgegh.sys - Deleted

C:\WINDOWS\system32\rpcc.dll - Deleted

 

 

Folder C:\WINDOWS\inet20126 - Removed

 

Alternate Streams Check:

 

C:\WINDOWS\system32

No streams found.

 

Final Check:

 

Remaining Services:

------------------

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

 

Checking For Files with Hidden Attributes :

 

C:\NTDETECT.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com

C:\WINDOWS\www.google.com\favicon.ico

C:\WINDOWS\www.google.com\index.html

C:\WINDOWS\www.google.com\thank.html

C:\WINDOWS\www.google.com\Google_files\hp0.gif

C:\WINDOWS\www.google.com\Google_files\hp1.gif

C:\WINDOWS\www.google.com\Google_files\hp2.gif

C:\WINDOWS\www.google.com\Google_files\hp3.gif

C:\www.google.com\favicon.ico

C:\www.google.com\index.html

C:\www.google.com\thank.html

C:\www.google.com\Google_files\hp0.gif

C:\www.google.com\Google_files\hp1.gif

C:\www.google.com\Google_files\hp2.gif

C:\www.google.com\Google_files\hp3.gif

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

C:\WINDOWS\system32\cdplayer.exe.manifest

C:\WINDOWS\system32\logonui.exe.manifest

C:\WINDOWS\Temp\1910196.exe

C:\hiberfil.sys

C:\IO.SYS

C:\MSDOS.SYS

C:\pagefile.sys

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS

 

Finished

P.S: Thank you for all your help!


Surely ;)

The Antivirus isn't working in the end *lol*

But I guess there's nothing you can do about that.

But I can access gmail and google now so that's nice.

 

 

Here's the Hijack:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 13:53:26, on 27/01/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\HPQ\One-Touch\OneTouch.EXE

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe

C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe

C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe

c:\progra~1\mcafee\mcafee antispyware\massrv.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\progra~1\mcafee\MCAFEE~1\masalert.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

C:\PROGRA~1\ICQ\ICQ.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

c:\program files\mcafee.com\vso\mcmnhdlr.exe

c:\program files\mcafee.com\shared\mghtml.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Remote Selector] D:\REMOTE~1\REMOTE~1.EXE startup

O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE

O4 - HKLM\..\Run: [sDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"

O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"

O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe

O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\System32\chk_disk.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...FreeInstall.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\zstkjr.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

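The log just posted is the kind of input a helper reads line by line. As an added example, not part of this thread and not a tool any of its participants used, here is a small Python triage pass over HijackThis v1.99 lines. It pulls out the O4 autostarts, the O17 NameServer entry, the O20 Winlogon Notify packages and the O21 SSODL entry and applies generic heuristics: an autostart launched from a Temp directory, DLLs that winlogon.exe or Explorer load at logon, and DNS servers written into the Tcpip interface key. The sample lines are copied from the logs in this thread; the ranking rules, the Finding class and the function names are my own assumptions, and a flag means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe
O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\System32\chk_disk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\zstkjr.dll (file missing)
"""

# Line shapes HijackThis 1.99.x uses for the sections handled here.
O4_RUN = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_NS = re.compile(r'^O17 - .*: NameServer = (?P<servers>.+)$')
O20_WN = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
O21_SS = re.compile(r'^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
TEMP_DIR = re.compile(r'\\temp\\', re.I)   # any ...\Temp\... component, case-insensitive
MISSING = ' (file missing)'


@dataclass
class Finding:
    section: str    # HijackThis section code ("O4", "O17", ...)
    severity: str   # "high" = act on it first, "review" = verify by hand
    entry: str      # path, DLL or server list the finding is about
    reason: str


def first_path(cmd: str) -> str:
    """Executable path from an O4 command line, with quotes and arguments dropped."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Return the entries a responder should look at first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        missing = line.endswith(MISSING)
        if m := O4_RUN.match(line):
            path = first_path(m['cmd'])
            if TEMP_DIR.search(path):
                findings.append(Finding('O4', 'high', path,
                    f"autostart [{m['name']}] in {m['hive']}\\..\\{m['key']} runs from a Temp directory"))
        elif m := O17_NS.match(line):
            servers = re.split(r'[ ,]+', m['servers'].strip())
            findings.append(Finding('O17', 'review', ' '.join(servers),
                "DNS servers set under the Tcpip interface key; confirm they are the ISP's resolvers"))
        elif m := O20_WN.match(line):
            findings.append(Finding('O20', 'review', m['path'].replace(MISSING, ''),
                f"Winlogon Notify package '{m['name']}' is loaded into winlogon.exe at logon; verify the vendor"))
        elif m := O21_SS.match(line):
            note = '; target file is missing, so this is an orphaned registry entry' if missing else ''
            findings.append(Finding('O21', 'high', m['path'].replace(MISSING, ''),
                f"SSODL entry '{m['name']}' loads a DLL into Explorer at logon; legitimate additions are rare" + note))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4}{f.severity:<7}{f.entry}\n    {f.reason}')
```

Running the script prints five findings. The O17 line is listed for verification only, because the two addresses may simply be the ISP's resolvers; the O21 line was taken from the later log in the thread to show how the "(file missing)" suffix is kept as an orphaned-entry note rather than dropped.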

I'm afraid I have some bad news concerning your computer: one or more of the identified infections is a rootkit. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

 

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

 

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of infection, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

 

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

 

Let me know in your next post what you decide to do.

Thanks,

Charles


Well, Charles, if you say the infection is identified and can be killed, I'd like to do that.

I don't do any banking or other financial transactions through my lappy. I'm a student at a university so mainly I use it to access my grades and the learning material of my courses. I frequent some forums here and there and use ICQ and Messenger...that's about the only things I do with the laptop.

I unfortunately cannot disconnect it right now because I'm in the finals term and it's the only computer I've got in the house. I can have it formatted in 2 weeks, if you think it is necessary. I would rather not, because I'll have to take it to a shop and they'll overcharge me, as usual *lol*.... not all of us know how to format :)

But yeah...I'll do whatever you think is necessary.

I'm just thinking...if I do have it formatted, what will stop the laptop from getting the very same virus again? My antivirus and firewall were obviously not enough to stop it now.

Oh and another question.... if I don't format it and clean the virus, does that mean my computer will work properly, only it can't be trusted?

Sorry for all the questions! I am totally open to whatever you think I should do. You're the expert ;)

I'm just thinking...if I do have it formatted, what will stop the laptop from getting the very same virus again? My antivirus and firewall were obviously not enough to stop it now.

I think one of the reasons that you got these is because your system isn't up to date; you don't even have Service Pack 1 installed. These contain vital security updates for your computer, and definitely help to prevent malware from being installed on your computer.

Oh and another question.... if I don't format it and clean the virus, does that mean my computer will work properly, only it can't be trusted?

Well, we can try our best to clean all the malware off your computer, but I can't guarantee that everything will be removed. Running scanners will not show up every piece of malware on your system, so there may be things that will never be caught, and will therefore be left on your computer.

Sorry for all the questions! I am totally open to whatever you think I should do. You're the expert ;)

Well, I personally think that reformatting is the best option. It's definitely not as hard as it looks, and if you're unsure, there are loads of great tutorials on the internet which you can follow.

Let me know what you think. I can only advise; the choice is up to you :)

Charles


Could you talk me through how to format my laptop? I've seen some online guidelines but they're so beyond my understanding and not as specific as your earlier instructions with the cleanup.

In any case...I can only have it formatted in 2 weeks. So...the question is...can it be left as it is for two weeks or should I do the cleaning thing you said before just to keep it 'stable' for the time being...

Oh and about the antivirus updating deal, well, when I first realized my laptop was going crazy I used a program I have called Ghost. Three years ago I saved drive C: after my laptop was formatted so if I get a virus I can restore drive C: to the way it was. It's a nifty trick someone taught me to avoid formatting. Anyway...I did the restoring, which for some odd reason didn't help at all, and that meant the antivirus was back to the way it was 3 years back, meaning its last update was from 2004. When I tried updating it, it said it couldn't because the files of the update were corrupted. Not sure if that really was of any interest to you, but there it is *lol*

Nyn


Hey Nyn,

I've got a suggestion for you. How about we try our best to get your computer cleaned up? We'll be able to remove some of the malware. Obviously I can't guarantee you'll be clean, and if necessary you can format at a later date, but we can definitely have a crack at getting rid of it all. Then I'll be happy to provide you with some instructions for how to reformat your computer...if cleaning doesn't work.

Does this sound OK to you? Let me know in your next post and we can start cleaning. ;)

Thanks,

Charles


Sounds perfect Charles ;)

We can totally go on.

 

One tiny thing though....ever since I did that thing with the cleaning....I can't shut down the laptop properly. When I push Start and then Shut Down, I've got three buttons to choose from: Log off, Turn off and Restart. When I push the Turn off button it does the same thing it would do if I pushed the Restart button...meaning it closes the computer and turns itself on again.

Any thoughts on how to fix it? *lol*

Nyn


Hey there,

To be honest, I'm not sure what is causing your shutdown problem, but since your system is pretty infected, malware could have something to do with it. Therefore, I think we should try and eliminate the malware, and this will hopefully solve your problem. If not, we can try some things to sort it out later.

Before we start with the fix, I see that you are using an unpatched version of Windows. We can help you, but first you need to help us.

Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!

Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.

Please visit http://www.microsoft.com/windowsxp/downloa...p1/default.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.

When your system is clean afterwards, then update to SP2, because updating to SP2 can cause problems as long as you are infected.

It looks to me like you have two antiviruses installed on your computer: Symantec and AVG. I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.

Since you say you're having some problems with them, I think it would be best to completely remove both of them from your computer; from Add/Remove Programs in the Control Panel. However, Symantec products are often very difficult to remove from your PC, so I'd like you to get rid of it first. One good way to remove it is to download and run the following tool.

 

Please download and save SymNRT.exe to your Desktop:

ftp://ftp.symantec.com/public/english_us_...sgen/SymNRT.exe

Close all programs and double click on the tool.

Follow the on-screen instructions.

Restart the computer if asked.

Then delete the SymNRT.exe tool from your desktop.

Open the Program Files folder on your local disk (normally C:)

Find and delete any folders with Norton/Symantec in it.

 

After you have done this, please remove McAfee. If you have any trouble doing this, let me know; there is another tool similar to the Symantec one that will remove all traces of McAfee from your computer.

Then I'd like you to download AVG Antivirus, which is an excellent, free program, and install it, using the following link:

AVG Link

Now, please reboot your computer into Safe Mode.

This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

Once in Safe Mode, I'd like you to run a full scan of your system using AVG, letting it remove anything it finds.

Then reboot back into Normal Mode, and post me back a new HijackThis log.

Thanks,

Charles


OK, first things first...I tried updating Windows. The website is giving me some grief...it's getting stuck a lot...I know it downloaded something but I'm not sure if it downloaded what you told me. I'm assuming you can tell by a HijackThis log. So, here it is:

(Oh and after the updating is sorted I'll go on to deleting my antivirus and installing the one you suggested.)

Logfile of HijackThis v1.99.1

Scan saved at 23:05:28, on 28/01/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

c:\progra~1\mcafee\mcafee antispyware\massrv.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

c:\program files\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\HPQ\One-Touch\OneTouch.EXE

C:\progra~1\mcafee\MCAFEE~1\masalert.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Remote Selector] D:\REMOTE~1\REMOTE~1.EXE startup

O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe

O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\System32\chk_disk.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...FreeInstall.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170004126860

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\zstkjr.dll (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


No, the update hasn't worked.

Can you try again for me please? It is very important that you install this update before we continue with the fix.


I can try....It just seems to get stuck when it scans my laptop to see what updates are necessary...unless of course it's supposed to take over 30 minutes...then I'll just leave it running through the night or whatever...

Nyn


OK, I'm pretty sure I've got it right this time. Let me know and I'll carry on to the antivirus removal after you do :D

Logfile of HijackThis v1.99.1

Scan saved at 14:09:05, on 29/01/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

c:\progra~1\mcafee\mcafee antispyware\massrv.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\HPQ\One-Touch\OneTouch.EXE

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\progra~1\mcafee\MCAFEE~1\masalert.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Remote Selector] D:\REMOTE~1\REMOTE~1.EXE startup

O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe

O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\System32\chk_disk.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...FreeInstall.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170004126860

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\zstkjr.dll (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Okay, Charles. Symantec and McAfee antivirus removed. AVG Antivirus installed. Took forever *lol*

I ran a scan in safe mode and it didn't find anything, which seems inaccurate to me, since my computer is still restarting itself when I try to shut it down, which screams virus :(

By the way, when I'm in safe mode, it lets me choose a user to enter it. Either my user or the administrator user. Does it make a difference? Because I did the scan from my user.

 

 

Anyway...instead of babbling, here's the Hijack:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 00:49:23, on 30/01/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HPQ\One-Touch\OneTouch.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Hijackthis\HijackThis.exe

C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\829fc082f2eb856d225a6bc93aca63a6\update\update.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [Remote Selector] D:\REMOTE~1\REMOTE~1.EXE startup

O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe

O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\System32\chk_disk.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...FreeInstall.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170004126860

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll

O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\zstkjr.dll (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

 

 

 

 

Nyn


Hey there,

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

We are going to boot into Safe Mode later in the fix, and there is no internet access.

 

Please download AVG Anti-Spyware to your Desktop.

Start the set-up program by double clicking the installer.

Follow the on screen instructions to install the program, making sure that "Launch AVG Anti-Spyware" is checked.

Click the Update tab then select Start update; a progress bar will show the updates being installed.

Now press the Scanner icon, and click the Settings tab.

Click Recommended actions, then set it to Quarantine.

Close the program now, we will scan with it later on.

 

Download KillBox from the following link :

http://www.bleepingcomputer.com/files/killbox.php

Unzip the folder to your Desktop.

 

Start Killbox.exe

Select the "Delete on Reboot" option.

Click on the "All Files" button, which will then flash green.

Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

 

C:\WINDOWS\System32\zstkjr.dll

C:\WINDOWS\dbmmgr32.dll

C:\WINDOWS\inet20126

C:\WINDOWS\www.google.com

C:\www.google.com

 

Open 'File' in the menu on top and choose Paste from clipboard

You must use the File menu--pasting by right-clicking the mouse will only enter one file.

Then press the button that looks like a red circle with a white X in it.

Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click Yes.

Click OK at any Pending File Rename Operations prompt, let me know if they appear.

If you don't get that message, reboot manually.

Your computer should reboot now. Please reboot your computer into Safe Mode.

This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

 

Let's clean out your temporary internet files:

Close all open windows before we start.

Go to Start | Control Panel | Internet Options | General.

Click the Delete Cookies button.

Next to it, click the Delete Files button.

When prompted, place a check in: 'Delete all offline content', click OK

 

If you have Firefox installed, we need to clean out these temporary files as well:

Go to Tools | Options.

Click Privacy.

Press the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to finish, before closing it.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.

 

Now we'll clean other temporary files and your Recycle Bin:

Go to Start | Run | type: cleanmgr | OK.

Let it scan your system for files to remove.

Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.

Press OK to remove them.

 

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

 

Backup the Registry:

 

Navigate to Start | Run and paste the following:

 

regedit /e c:\registrybackup.reg

 

Now click OK

It won't appear to be doing anything, that's normal.

Your mouse pointer may turn to an hour glass for a minute.

Please continue when it no longer has the hour glass.

 

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"=-

 

[-HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}]

 

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}]

 

[-HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}]

 

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"=-

Save this as fix.reg. Choose to save as "All Files" and place it on your Desktop.

It should look like this: reg.gif

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

 

Launch AVG Anti-Spyware by double clicking the icon on your Desktop.

Press the Scanner icon.

Then click on the Complete System Scan button.

If any infections are found, you will be asked for an action; select Apply all actions.

Now press the Reports icon at the top.

Choose Save report as and save the text file to your Desktop.

Please post this log in your next reply.

 

Reboot into Normal Mode.

 

Download F-Secure Blacklight and save it to your Desktop.

Double click on blbeta.exe to start the program.

Accept the user agreement and click Next.

Click Scan. You will then see a list of all the items found.

Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.

BlackLight will have created a log on your Desktop named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).

Post that log in your next reply.

 

Please post me back the BlackLight report, AVG log, along with a fresh Hijackthis log.

Thanks,

Charles
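Merging a .reg file changes the registry with no undo beyond the backup made above, so it is worth listing exactly what a fix file will do before double-clicking it. The Python below is an added example, not part of this thread, of HijackThis or of Windows' own regedit; it parses the fix.reg posted above (embedded as sample input), prints each key or value deletion it would perform, and refuses any .reg syntax it does not recognise rather than guessing.

```python
"""Dry run of a REGEDIT4 fix file: list what merging it would change.

Added example, not part of this thread, HijackThis or Windows' regedit.
It handles the subset of .reg syntax the thread's fix uses (key add,
key delete "[-KEY]", value delete "name"=-, plain value set) and raises
on anything else instead of guessing.
"""
import re
from typing import List, Tuple

# Sample input: the fix.reg posted in the thread above, embedded verbatim.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"=-

[-HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}]

[-HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')

# Locations where a write means "something runs at logon"; worth a closer look.
AUTOSTART_HINTS = ("SharedTaskScheduler", "ShellServiceObjectDelayLoad",
                   r"\Run", r"Winlogon\Notify")


def dry_run(reg_text: str) -> List[Tuple[str, str]]:
    """Return (action, target) pairs in file order, e.g. ("delete key", "HKEY_...")."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    actions: List[Tuple[str, str]] = []
    current_key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                          # blank line or comment
        key = KEY_RE.match(line)
        if key:
            if key.group("delete"):
                actions.append(("delete key", key.group("key")))
                current_key = None            # values cannot follow a deleted key
            else:
                current_key = key.group("key")
            continue
        value = VALUE_RE.match(line)
        if value and current_key:
            target = current_key + "\\" + value.group("name").strip('"')
            action = "delete value" if value.group("data") == "-" else "set value"
            actions.append((action, target))
            continue
        raise ValueError("unrecognised .reg line: " + line)
    return actions


def touches_autostart(actions: List[Tuple[str, str]]) -> List[str]:
    """Targets that live under a known autostart location."""
    return [t for _, t in actions if any(h in t for h in AUTOSTART_HINTS)]


if __name__ == "__main__":
    result = dry_run(FIX_REG)
    for action, target in result:
        print(f"{action:<13} {target}")
    print(len(touches_autostart(result)), "change(s) under autostart locations")
```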


Hey Charles!

Here's everything. On a side note...it didn't find any hidden processes, files or folders on the Blacklight scan....it's all down there, I guess. Draw your own conclusions :huh:

Computer still restarting itself instead of closing. I hope plugging it off quickly before it restarts itself is okay and doesn't fry the lappie or something. Guess I'll find out! *lol*

 

 

AVG log:

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 21:51:38 01/02/2007

 

+ Scan result:

 

 

 

D:\System Volume Information\_restore{1793BB26-2415-4F16-A933-CC431034B131}\RP20\A0020947.EXE/Save.exe -> Adware.SaveNow : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{1793BB26-2415-4F16-A933-CC431034B131}\RP20\A0020947.EXE/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).

C:\WINDOWS\Temp\lafA8.tmp -> Adware.WorldSecurityOnline : Cleaned with backup (quarantined).

 

 

::Report end

 

 

Blacklight report:

 

 

02/01/07 22:26:27 [info]: BlackLight Engine 1.0.55 initialized

02/01/07 22:26:27 [info]: OS: 5.1 build 2600 (Service Pack 1)

02/01/07 22:26:27 [Note]: 7019 4

02/01/07 22:26:27 [Note]: 7005 0

02/01/07 22:26:32 [Note]: 7006 0

02/01/07 22:26:32 [Note]: 7011 1740

02/01/07 22:26:32 [Note]: 7026 0

02/01/07 22:26:32 [Note]: 7026 0

02/01/07 22:26:40 [Note]: FSRAW library version 1.7.1021

02/01/07 22:38:56 [Note]: 7007 0

 

 

 

Hijack log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 22:41:06, on 01/02/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HPQ\One-Touch\OneTouch.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [Remote Selector] D:\REMOTE~1\REMOTE~1.EXE startup

O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe

O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\System32\chk_disk.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...FreeInstall.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170004126860

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll

O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - (no file)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

 

 

 

Nyn


Hello Nyn,

Things are looking a bit better already. You can delete BlackLight now; we won't be needing it any more.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

We are going to boot into Safe Mode later in the fix, and there is no internet access.

 

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

 

O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe

O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\System32\chk_disk.exe

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...FreeInstall.cab

O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll

O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - (no file)

 

Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

 

Please download ATF Cleaner.

Don't run it yet.

 

Start Killbox.exe

Select the "Delete on Reboot" option.

Click on the "All Files" button, which will then flash green.

Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

 

C:\WINDOWS\System32\chk_disk.exe

C:\WINDOWS\SYSTEM32\instcat.dll

 

Open 'File' in the menu on top and choose Paste from clipboard

You must use the File menu--pasting by right-clicking the mouse will only enter one file.

Then press the button that looks like a red circle with a white X in it.

Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click Yes.

Click OK at any Pending File Rename Operations prompt, let me know if they appear.

If you don't get that message, reboot manually.

Your computer should reboot now. Press F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

 

Double click ATF-Cleaner.exe to run the program.

Under Main choose Select All

Click the Empty Selected button.

 

If you use Firefox browser

Click Firefox at the top and choose Select All

Click the Empty Selected button.

Note: If you would like to keep your saved passwords, please click "No" at the prompt.

 

If you use Opera browser

Click Opera at the top and choose: Select All

Click the Empty Selected button.

Note: If you would like to keep your saved passwords, please click "No" at the prompt.

 

Click Exit on the main menu to close the program.

 

Reboot into Normal Mode again.

 

Download Combofix to your Desktop.

Double click combofix.exe

Follow the prompts that are displayed.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Post that in your next reply.

 

Please do an online scan with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

The program will launch and then begin downloading the latest definition files:

Once the files have been downloaded click on Next

Select a target to scan; click on My Computer

The scan will take a while so be patient and let it run.

Once the scan is complete choose the option to Save as Text

Post these results in your next reply.

 

Please post me back the Kaspersky report, along with a new Hijackthis log and the ComboFix log

Thanks,

Charles
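Deciding which HijackThis lines to check is the judgement call in the step above. The Python below is an added example, not part of this thread, of HijackThis or of any tool named here; it applies a few constructed rules (autoruns launched from Temp, bare filenames resolved via PATH, Winlogon Notify DLLs, orphaned SSODL entries, NameServer overrides) to entries copied from the logs posted in this thread, and shows both what such rules catch and, in the case of the ChkDisk entry, what only an analyst catches.

```python
"""Heuristic triage of HijackThis v1.99.1 log entries.

Added example; not part of this thread, of HijackThis, or of any tool named
in it. The rules are a constructed starting point for the kinds of entries
the thread's helper singled out. They are not a known-bad list: the ChkDisk
autorun in System32 is only caught by an analyst, not by a path rule.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis logs posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\MIRACLE\LOCALS~1\Temp\x1006.exe
O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\System32\chk_disk.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\zstkjr.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4" or "O20"
    name: str     # the entry's label (Run value name, Notify name, ...)
    reason: str   # why an analyst should look at it


ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SSODL_RE = re.compile(r"^SSODL: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")  # how HijackThis marks orphans


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    entry = ENTRY_RE.match(line.strip())
    if not entry:
        return None                      # process list, headers, blank lines
    section, body = entry.group("section"), entry.group("body")

    if section == "O4":                  # autostart: Run keys and Startup folders
        run = RUN_RE.match(body)
        if not run:
            return None
        cmd = run.group("cmd")
        tokens = cmd.split()
        first = tokens[0].strip('"') if tokens else ""
        if "\\temp\\" in cmd.lower():
            return Finding(section, run.group("name"), "autorun launches from a Temp directory")
        if "\\" not in first:
            return Finding(section, run.group("name"),
                           "autorun is a bare filename resolved via PATH; confirm which file runs")
        return None

    if section == "O17":                 # TCP/IP NameServer overrides
        ns = NS_RE.search(body)
        if ns:
            return Finding(section, "NameServer",
                           "DNS set to " + ns.group("servers") + "; confirm these are the ISP's resolvers")
        return None

    if section == "O20":                 # DLLs loaded into winlogon.exe at logon
        notify = NOTIFY_RE.match(body)
        if notify:
            return Finding(section, notify.group("name"),
                           "Winlogon Notify DLL loads into winlogon.exe; verify the publisher")
        return None

    if section == "O21":                 # ShellServiceObjectDelayLoad (Explorer)
        ssodl = SSODL_RE.match(body)
        if ssodl and any(m in ssodl.group("path") for m in MISSING_MARKERS):
            return Finding(section, ssodl.group("name"),
                           "SSODL entry points at a file that no longer exists; orphaned reference")
        if ssodl:
            return Finding(section, ssodl.group("name"),
                           "SSODL DLL loads into Explorer at logon; verify the publisher")
        return None

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_entry over every line of a HijackThis log."""
    return [f for f in map(triage_entry, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<18} {f.reason}")
```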


Okay. So the lappie is doing a little better. That's great news :huh:

Here's what you asked me to do, Charles.

 

Kaspersky report:

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Friday, February 02, 2007 1:27:09 PM

Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 2/02/2007

Kaspersky Anti-Virus database records: 249380

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: standard

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

 

Scan Statistics:

Total number of scanned objects: 49283

Number of viruses found: 1

Number of infected objects: 1 / 0

Number of suspicious objects: 0

Duration of the scan process: 01:19:53

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\MIRACLE\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\MIRACLE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\MIRACLE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\MIRACLE\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\MIRACLE\Local Settings\Temp\~DFC00C.tmp Object is locked skipped

C:\Documents and Settings\MIRACLE\Local Settings\Temp\~DFC023.tmp Object is locked skipped

C:\Documents and Settings\MIRACLE\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\MIRACLE\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\MIRACLE\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\_restore{A131C187-5301-4C16-8A32-27FDE6932940}\RP129\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\v6.exe Infected: Trojan-Downloader.Win32.Tiny.fk skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\_restore{A131C187-5301-4C16-8A32-27FDE6932940}\RP129\change.log Object is locked skipped

Scan process completed.

ComboFix log:

 

"MIRACLE" - 07-02-02 11:50:19 Service Pack 1

ComboFix 07.01.31 - Running from: "C:\Documents and Settings\MIRACLE\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\INSTALL.LOG

C:\WINDOWS\system32\drivers\npf.sys

C:\Documents and Settings\All Users\Documents\Settings

((((((((((((((((((((((((((((((( Files Created from 2007-01-02 to 2007-02-02 ))))))))))))))))))))))))))))))))))

2007-02-01 20:21 43,157,042 --a------ C:\registrybackup.reg

2007-02-01 20:10 <DIR> d-------- C:\!KillBox

2007-01-30 11:01 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys

2007-01-30 11:01 <DIR> d-------- C:\Program Files\CONEXANT

2007-01-30 00:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-01-29 23:41 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys

2007-01-29 23:41 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys

2007-01-29 23:41 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys

2007-01-29 23:41 <DIR> d-------- C:\DOCUME~1\MIRACLE\Application Data\AVG7

2007-01-29 23:41 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7

2007-01-29 23:40 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys

2007-01-29 23:40 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys

2007-01-29 23:40 <DIR> d-------- C:\Program Files\Grisoft

2007-01-29 23:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft

2007-01-29 23:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7

2007-01-29 21:00 <DIR> d-------- C:\WINDOWS\system32\appmgmt

2007-01-29 16:06 991,232 --a------ C:\WINDOWS\system32\esent.dll

2007-01-29 15:48 <DIR> d-------- C:\WINDOWS\system32\PreInstall

2007-01-29 15:47 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

2007-01-29 15:47 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2007-01-29 07:14 <DIR> d-------- C:\WINDOWS\Prefetch

2007-01-29 00:29 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2007-01-29 00:29 <DIR> d-------- C:\WINDOWS\ehome

2007-01-29 00:07 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll

2007-01-29 00:07 86,016 --a------ C:\WINDOWS\system32\xactsrv.dll

2007-01-29 00:07 56,832 --a------ C:\WINDOWS\system32\wzcdlg.dll

2007-01-29 00:07 446,464 --a------ C:\WINDOWS\system32\wmvdmoe.dll

2007-01-29 00:07 38,912 --a------ C:\WINDOWS\system32\wsnmp32.dll

2007-01-29 00:07 311,327 --a------ C:\WINDOWS\system32\wmv8dmod.dll

2007-01-29 00:07 296,448 --a------ C:\WINDOWS\system32\wmstream.dll

2007-01-29 00:07 264,704 --a------ C:\WINDOWS\system32\wzcsvc.dll

2007-01-29 00:07 247,808 --a------ C:\WINDOWS\system32\wow32.dll

2007-01-29 00:07 23,552 --a------ C:\WINDOWS\system32\wzcsapi.dll

2007-01-29 00:07 17,408 --a------ C:\WINDOWS\system32\wtsapi32.dll

2007-01-29 00:07 118,784 --a------ C:\WINDOWS\system32\wmsdmoe.dll

2007-01-29 00:06 86,528 --a------ C:\WINDOWS\system32\wlnotify.dll

2007-01-29 00:06 77,824 --a------ C:\WINDOWS\system32\wmpstub.exe

2007-01-29 00:06 51,200 --a------ C:\WINDOWS\system32\wmerrenu.dll

2007-01-29 00:06 48,128 --a------ C:\WINDOWS\system32\winsta.dll

2007-01-29 00:06 266,752 --a------ C:\WINDOWS\winhlp32.exe

2007-01-29 00:06 171,520 --a------ C:\WINDOWS\system32\winmm.dll

2007-01-29 00:06 168,448 --a------ C:\WINDOWS\system32\wldap32.dll

2007-01-29 00:05 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll

2007-01-29 00:05 81,920 --a------ C:\WINDOWS\system32\trkwks.dll

2007-01-29 00:05 72,192 --a------ C:\WINDOWS\system32\telnet.exe

2007-01-29 00:05 60,416 --a------ C:\WINDOWS\system32\wextract.exe

2007-01-29 00:05 48,640 --a------ C:\WINDOWS\system32\vdmredir.dll

2007-01-29 00:05 479,261 --a------ C:\WINDOWS\system32\vbscript.dll

2007-01-29 00:05 47,616 --a------ C:\WINDOWS\system32\utilman.exe

2007-01-29 00:05 409,088 --a------ C:\WINDOWS\system32\vssapi.dll

2007-01-29 00:05 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe

2007-01-29 00:05 384,000 --a------ C:\WINDOWS\system32\themeui.dll

2007-01-29 00:05 339,456 --a------ C:\WINDOWS\system32\usp10.dll

2007-01-29 00:05 32,256 --a------ C:\WINDOWS\system32\umandlg.dll

2007-01-29 00:05 316,416 --a------ C:\WINDOWS\system32\wiaservc.dll

2007-01-29 00:05 258,048 --a------ C:\WINDOWS\system32\webcheck.dll

2007-01-29 00:05 231,424 --a------ C:\WINDOWS\system32\upnpui.dll

2007-01-29 00:05 22,016 --a------ C:\WINDOWS\system32\udhisapi.dll

2007-01-29 00:05 203,264 --a------ C:\WINDOWS\system32\uxtheme.dll

2007-01-29 00:05 200,192 --a------ C:\WINDOWS\system32\termsrv.dll

2007-01-29 00:05 165,376 --a------ C:\WINDOWS\system32\w32time.dll

2007-01-29 00:05 164,864 --a------ C:\WINDOWS\system32\upnphost.dll

2007-01-29 00:05 16,384 --a------ C:\WINDOWS\system32\watchdog.sys

2007-01-29 00:05 16,384 --a------ C:\WINDOWS\system32\ups.exe

2007-01-29 00:05 128,512 --a------ C:\WINDOWS\system32\taskmgr.exe

2007-01-29 00:05 124,928 --a------ C:\WINDOWS\system32\webvw.dll

2007-01-29 00:05 120,320 --a------ C:\WINDOWS\system32\upnp.dll

2007-01-29 00:05 119,808 --a------ C:\WINDOWS\system32\wiadss.dll

2007-01-29 00:05 106,496 --a------ C:\WINDOWS\system32\url.dll

2007-01-29 00:05 10,752 --a------ C:\WINDOWS\system32\tracert.exe

2007-01-29 00:04 82,944 --a------ C:\WINDOWS\system32\smlogsvc.exe

2007-01-29 00:04 71,168 --a------ C:\WINDOWS\system32\storprop.dll

2007-01-29 00:04 667,648 --a------ C:\WINDOWS\system32\ss3dfo.scr

2007-01-29 00:04 66,560 --a------ C:\WINDOWS\system32\spoolss.dll

2007-01-29 00:04 66,048 --a------ C:\WINDOWS\system32\sigverif.exe

2007-01-29 00:04 638,976 --a------ C:\WINDOWS\system32\sstext3d.scr

2007-01-29 00:04 63,488 --a------ C:\WINDOWS\system32\srclient.dll

2007-01-29 00:04 62,976 --a------ C:\WINDOWS\system32\shgina.dll

2007-01-29 00:04 61,952 --a------ C:\WINDOWS\system32\sti.dll

2007-01-29 00:04 60,416 --a------ C:\WINDOWS\system32\shimeng.dll

2007-01-29 00:04 569,344 --a------ C:\WINDOWS\system32\sspipes.scr

2007-01-29 00:04 534,016 --a------ C:\WINDOWS\system32\spider.exe

2007-01-29 00:04 5,504 --------- C:\WINDOWS\system32\drivers\smbali.sys

2007-01-29 00:04 43,008 --a------ C:\WINDOWS\system32\ssdpsrv.dll

2007-01-29 00:04 420,864 --a------ C:\WINDOWS\system32\shimgvw.dll

2007-01-29 00:04 385,024 --a------ C:\WINDOWS\system32\sqlsrv32.dll

2007-01-29 00:04 364,544 --a------ C:\WINDOWS\system32\ssflwbox.scr

2007-01-29 00:04 334,848 --a------ C:\WINDOWS\system32\smlogcfg.dll

2007-01-29 00:04 33,280 --a------ C:\WINDOWS\system32\shmgrate.exe

2007-01-29 00:04 27,136 --a------ C:\WINDOWS\system32\ssdpapi.dll

2007-01-29 00:04 251,904 --a------ C:\WINDOWS\system32\strmdll.dll

2007-01-29 00:04 24,064 --a------ C:\WINDOWS\system32\skeys.exe

2007-01-29 00:04 22,528 --a------ C:\WINDOWS\system32\slayerxp.dll

2007-01-29 00:04 22,528 --a------ C:\WINDOWS\system32\shfolder.dll

2007-01-29 00:04 19,456 --a------ C:\WINDOWS\system32\ssmarque.scr

2007-01-29 00:04 18,944 --a------ C:\WINDOWS\system32\ssbezier.scr

2007-01-29 00:04 17,408 --a------ C:\WINDOWS\system32\ssmyst.scr

2007-01-29 00:04 165,376 --a------ C:\WINDOWS\system32\tapi32.dll

2007-01-29 00:04 16,896 --a------ C:\WINDOWS\system32\snmpapi.dll

2007-01-29 00:04 158,720 --a------ C:\WINDOWS\system32\srsvc.dll

2007-01-29 00:04 130,560 --a------ C:\WINDOWS\system32\sti_ci.dll

2007-01-29 00:04 13,312 --a------ C:\WINDOWS\system32\ssstars.scr

2007-01-29 00:04 117,760 --a------ C:\WINDOWS\system32\stobject.dll

2007-01-29 00:04 11,776 --a------ C:\WINDOWS\system32\sigtab.dll

2007-01-29 00:03 91,136 --a------ C:\WINDOWS\system32\rastls.dll

2007-01-29 00:03 87,304 --a------ C:\WINDOWS\system32\rdpdd.dll

2007-01-29 00:03 82,944 --a------ C:\WINDOWS\system32\psbase.dll

2007-01-29 00:03 8,192 --a------ C:\WINDOWS\system32\scrnsave.scr

2007-01-29 00:03 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll

2007-01-29 00:03 74,240 --a------ C:\WINDOWS\system32\rtcshare.exe

2007-01-29 00:03 71,168 --a------ C:\WINDOWS\system32\sdbinst.exe

2007-01-29 00:03 6,144 --a------ C:\WINDOWS\system32\sensapi.dll

2007-01-29 00:03 57,856 --a------ C:\WINDOWS\system32\raschap.dll

2007-01-29 00:03 56,320 --a------ C:\WINDOWS\system32\remotepg.dll

2007-01-29 00:03 52,224 --a------ C:\WINDOWS\system32\secur32.dll

2007-01-29 00:03 48,128 --a------ C:\WINDOWS\system32\reg.exe

2007-01-29 00:03 44,032 --a------ C:\WINDOWS\system32\regapi.dll

2007-01-29 00:03 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe

2007-01-29 00:03 423,424 --a------ C:\WINDOWS\system32\riched20.dll

2007-01-29 00:03 36,352 --a------ C:\WINDOWS\system32\sens.dll

2007-01-29 00:03 34,304 --a------ C:\WINDOWS\system32\rcimlby.exe

2007-01-29 00:03 3,338 --a------ C:\WINDOWS\system32\redir.exe

2007-01-29 00:03 297,984 --a------ C:\WINDOWS\system32\scesrv.dll

2007-01-29 00:03 20,992 --a------ C:\WINDOWS\system32\setup.exe

2007-01-29 00:03 193,536 --a------ C:\WINDOWS\system32\rasppp.dll

2007-01-29 00:03 174,592 --a------ C:\WINDOWS\system32\scecli.dll

2007-01-29 00:03 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll

2007-01-29 00:03 17,408 --------- C:\WINDOWS\system32\psapi.dll

2007-01-29 00:03 169,984 --a------ C:\WINDOWS\system32\sccbase.dll

2007-01-29 00:03 16,384 --a------ C:\WINDOWS\system32\ping.exe

2007-01-29 00:03 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll

2007-01-29 00:03 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll

2007-01-29 00:03 135,680 --a------ C:\WINDOWS\system32\rdchost.dll

2007-01-29 00:03 134,144 --a------ C:\WINDOWS\regedit.exe

2007-01-29 00:03 133,632 --a------ C:\WINDOWS\system32\rsaenh.dll

2007-01-29 00:03 133,120 --a------ C:\WINDOWS\system32\sfc_os.dll

2007-01-29 00:03 13,824 --a------ C:\WINDOWS\system32\rassapi.dll

2007-01-29 00:03 12,800 --a------ C:\WINDOWS\system32\runonce.exe

2007-01-29 00:03 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe

2007-01-29 00:03 1,350,144 --a------ C:\WINDOWS\system32\query.dll

2007-01-29 00:03 1,157,632 --a------ C:\WINDOWS\system32\sfcfiles.dll

2007-01-29 00:02 98,304 --a------ C:\WINDOWS\system32\oleprn.dll

2007-01-29 00:02 94,208 --a------ C:\WINDOWS\system32\odbccp32.dll

2007-01-29 00:02 891,711 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys

2007-01-29 00:02 686,080 --a------ C:\WINDOWS\system32\opengl32.dll

2007-01-29 00:02 61,440 --a------ C:\WINDOWS\system32\odbccu32.dll

2007-01-29 00:02 61,440 --a------ C:\WINDOWS\system32\odbccr32.dll

2007-01-29 00:02 58,880 --a------ C:\WINDOWS\system32\pautoenr.dll

2007-01-29 00:02 53,248 --a------ C:\WINDOWS\system32\packager.exe

2007-01-29 00:02 53,248 --a------ C:\WINDOWS\system32\odbcconf.exe

2007-01-29 00:02 392,704 --a------ C:\WINDOWS\system32\ntmssvc.dll

2007-01-29 00:02 38,400 --a------ C:\WINDOWS\system32\ntmsapi.dll

2007-01-29 00:02 38,400 --a------ C:\WINDOWS\system32\ntlanman.dll

2007-01-29 00:02 32,768 --a------ C:\WINDOWS\system32\odbcad32.exe

2007-01-29 00:02 3,494,303 --------- C:\WINDOWS\system32\nv4_disp.dll

2007-01-29 00:02 254,976 --a------ C:\WINDOWS\system32\pdh.dll

2007-01-29 00:02 24,576 --a------ C:\WINDOWS\system32\odbcbcp.dll

2007-01-29 00:02 212,480 --a------ C:\WINDOWS\system32\osk.exe

2007-01-29 00:02 200,704 --a------ C:\WINDOWS\system32\odbc32.dll

2007-01-29 00:02 165,888 --a------ C:\WINDOWS\system32\ntmsdba.dll

2007-01-29 00:02 16,384 --a------ C:\WINDOWS\system32\odbc32gt.dll

2007-01-29 00:02 147,456 --a------ C:\WINDOWS\system32\odbctrac.dll

2007-01-29 00:02 137,216 --a------ C:\WINDOWS\system32\ntshrui.dll

2007-01-29 00:02 122,880 --a------ C:\WINDOWS\system32\odbcconf.dll

2007-01-29 00:02 12,288 --a------ C:\WINDOWS\system32\odbcp32r.dll

2007-01-29 00:02 112,128 --a------ C:\WINDOWS\system32\ntmarta.dll

2007-01-29 00:02 109,568 --a------ C:\WINDOWS\system32\offfilt.dll

2007-01-29 00:01 95,744 --a------ C:\WINDOWS\system32\nlhtml.dll

2007-01-29 00:01 6,912 --------- C:\WINDOWS\system32\drivers\hidir.sys

2007-01-29 00:01 504,832 --------- C:\WINDOWS\system32\msftedit.dll

2007-01-29 00:01 5,120 --------- C:\WINDOWS\system32\hccoin.dll

2007-01-29 00:01 49,152 --a------ C:\WINDOWS\system32\npptools.dll

2007-01-29 00:01 403,456 --------- C:\WINDOWS\system32\winbrand.dll

2007-01-29 00:01 33,808 --a------ C:\WINDOWS\system32\ntio.sys

2007-01-29 00:01 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll

2007-01-29 00:01 238,080 --a------ C:\WINDOWS\system32\newdev.dll

2007-01-29 00:01 218,112 --------- C:\WINDOWS\system32\sbe.dll

2007-01-29 00:01 19,328 --------- C:\WINDOWS\system32\drivers\usbehci.sys

2007-01-29 00:01 187,904 --------- C:\WINDOWS\system32\xpsp1res.dll

2007-01-29 00:01 18,944 --------- C:\WINDOWS\system32\faxpatch.exe

2007-01-29 00:01 172,032 --------- C:\WINDOWS\system32\mssap.dll

2007-01-29 00:01 155,648 --------- C:\WINDOWS\system32\encdec.dll

2007-01-29 00:01 13,056 --------- C:\WINDOWS\system32\drivers\wacompen.sys

2007-01-29 00:01 110,080 --------- C:\WINDOWS\system32\sbeio.dll

2007-01-29 00:01 11,904 --------- C:\WINDOWS\system32\drivers\mutohpen.sys

2007-01-29 00:01 1,677,312 --------- C:\WINDOWS\system32\wmvcore2.dll

2007-01-29 00:00 857,600 --a------ C:\WINDOWS\system32\netplwiz.dll

2007-01-29 00:00 699,392 --a------ C:\WINDOWS\system32\msxml2.dll

2007-01-29 00:00 63,663 --------- C:\WINDOWS\system32\drivers\atinrvxx.sys

2007-01-29 00:00 584,192 --a------ C:\WINDOWS\system32\netcfgx.dll

2007-01-29 00:00 56,591 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys

2007-01-29 00:00 42,496 --a------ C:\WINDOWS\system32\ncobjapi.dll

2007-01-29 00:00 399,360 --a------ C:\WINDOWS\system32\netlogon.dll

2007-01-29 00:00 39,424 --a------ C:\WINDOWS\system32\net.exe

2007-01-29 00:00 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll

2007-01-29 00:00 36,463 --------- C:\WINDOWS\system32\drivers\atintuxx.sys

2007-01-29 00:00 34,735 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys

2007-01-29 00:00 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys

2007-01-29 00:00 326,656 --a------ C:\WINDOWS\system32\netsetup.exe

2007-01-29 00:00 30,671 --------- C:\WINDOWS\system32\drivers\atinraxx.sys

2007-01-29 00:00 3,584 --------- C:\WINDOWS\system32\dsprpres.dll

2007-01-29 00:00 29,455 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys

2007-01-29 00:00 26,367 --------- C:\WINDOWS\system32\drivers\atinsnxx.sys

2007-01-29 00:00 21,343 --------- C:\WINDOWS\system32\drivers\atinttxx.sys

2007-01-29 00:00 16,384 --a------ C:\WINDOWS\system32\nddenb32.dll

2007-01-29 00:00 12,047 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys

2007-01-29 00:00 115,200 --a------ C:\WINDOWS\system32\net1.exe

2007-01-29 00:00 11,615 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys

2007-01-29 00:00 105,984 --a------ C:\WINDOWS\system32\netdde.exe

2007-01-29 00:00 1,622,528 --a------ C:\WINDOWS\system32\netshell.dll

2007-01-28 23:59 91,136 --------- C:\WINDOWS\system32\MSOERT2.DLL

2007-01-28 23:59 9,728 --a------ C:\WINDOWS\system32\mstinit.exe

2007-01-28 23:59 598,016 --a------ C:\WINDOWS\system32\mstscax.dll

2007-01-28 23:59 401,462 --a------ C:\WINDOWS\system32\msvcp60.dll

2007-01-28 23:59 388,608 --a------ C:\WINDOWS\system32\mstsc.exe

2007-01-28 23:59 339,968 --a------ C:\WINDOWS\system32\mspaint.exe

2007-01-28 23:59 323,072 --a------ C:\WINDOWS\system32\msvcrt.dll

2007-01-28 23:59 319,760 --a------ C:\WINDOWS\system32\msnsspc.dll

2007-01-28 23:59 250,368 --a------ C:\WINDOWS\system32\mstask.dll

2007-01-28 23:59 241,725 --a------ C:\WINDOWS\system32\msuni11.dll

2007-01-28 23:59 229,376 --a------ C:\WINDOWS\system32\MSOEACCT.DLL

2007-01-28 23:59 182,784 --a------ C:\WINDOWS\system32\msutb.dll

2007-01-28 23:59 131,072 --a------ C:\WINDOWS\system32\msorcl32.dll

2007-01-28 23:59 113,664 --a------ C:\WINDOWS\system32\msvfw32.dll

2007-01-28 23:59 10,240 --a------ C:\WINDOWS\system32\msrle32.dll

2007-01-28 23:58 56,320 --a------ C:\WINDOWS\system32\mshtmler.dll

2007-01-28 23:58 4,608 --a------ C:\WINDOWS\system32\msimg32.dll

2007-01-28 23:58 368,710 --a------ C:\WINDOWS\system32\msisam11.dll

2007-01-28 23:58 230,400 --a------ C:\WINDOWS\system32\msieftp.dll

2007-01-28 23:58 22,528 --a------ C:\WINDOWS\system32\mslbui.dll

2007-01-28 23:58 143,872 --a------ C:\WINDOWS\system32\msimtf.dll

2007-01-28 23:57 67,584 --a------ C:\WINDOWS\system32\msctfp.dll

2007-01-28 23:57 65,536 --a------ C:\WINDOWS\system32\msconf.dll

2007-01-28 23:57 4,126 --a------ C:\WINDOWS\system32\msdxmlc.dll

2007-01-28 23:57 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll

2007-01-28 23:57 266,752 --a------ C:\WINDOWS\system32\msctf.dll

2007-01-28 23:57 210,944 --a------ C:\WINDOWS\system32\moricons.dll

2007-01-28 23:57 196,096 --a------ C:\WINDOWS\system32\mobsync.dll

2007-01-28 23:57 163,840 --a------ C:\WINDOWS\system32\mindex.dll

2007-01-28 23:57 126,976 --a------ C:\WINDOWS\system32\msdart.dll

2007-01-28 23:57 12,288 --a------ C:\WINDOWS\system32\mscpx32r.dll

2007-01-28 23:57 116,736 --a------ C:\WINDOWS\system32\mplay32.exe

2007-01-28 23:57 1,128,960 --a------ C:\WINDOWS\system32\mmcndmgr.dll

2007-01-28 23:56 57,856 --a------ C:\WINDOWS\system32\licwmi.dll

2007-01-28 23:56 504,320 --a------ C:\WINDOWS\system32\logonui.exe

2007-01-28 23:56 381,440 --a------ C:\WINDOWS\system32\lmrt.dll

2007-01-28 23:56 219,648 --a------ C:\WINDOWS\system32\logon.scr

2007-01-28 23:56 19,456 --a------ C:\WINDOWS\system32\licmgr10.dll

2007-01-28 23:56 10,240 --a------ C:\WINDOWS\system32\localui.dll

2007-01-28 23:53 7,040 --a------ C:\WINDOWS\system32\kd1394.dll

2007-01-28 23:53 49,664 --a------ C:\WINDOWS\system32\ixsso.dll

2007-01-28 23:53 42,537 --a------ C:\WINDOWS\system32\keyboard.sys

2007-01-28 23:53 318,464 --a------ C:\WINDOWS\system32\ippromon.dll

2007-01-28 23:53 27,648 --a------ C:\WINDOWS\system32\pidgen.dll

2007-01-28 23:53 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll

2007-01-28 23:52 88,576 --a------ C:\WINDOWS\system32\mqsec.dll

2007-01-28 23:52 73,728 --a------ C:\WINDOWS\system32\tlntsess.exe

2007-01-28 23:52 7,168 --a------ C:\WINDOWS\system32\tlntsvrp.dll

2007-01-28 23:52 67,584 --a------ C:\WINDOWS\system32\tlntsvr.exe

2007-01-28 23:52 67,584 --a------ C:\WINDOWS\system32\fdeploy.dll

2007-01-28 23:52 67,456 --a------ C:\WINDOWS\system32\drivers\mqac.sys

2007-01-28 23:52 608,768 --a------ C:\WINDOWS\system32\mqqm.dll

2007-01-28 23:52 596,480 --a------ C:\WINDOWS\system32\INETCOMM.DLL

2007-01-28 23:52 57,856 --a------ C:\WINDOWS\system32\tlntadmn.exe

2007-01-28 23:52 57,856 --a------ C:\WINDOWS\system32\nwwks.dll

2007-01-28 23:52 545,792 --a------ C:\WINDOWS\system32\wsecedit.dll

2007-01-28 23:52 51,712 --a------ C:\WINDOWS\system32\ipconfig.exe

2007-01-28 23:52 478,720 --a------ C:\WINDOWS\system32\mqsnap.dll

2007-01-28 23:52 467,456 --a------ C:\WINDOWS\system32\mqutil.dll

2007-01-28 23:52 29,696 --------- C:\WINDOWS\system32\asr_pfu.exe

2007-01-28 23:52 277,504 --a------ C:\WINDOWS\system32\appmgr.dll

2007-01-28 23:52 231,936 --a------ C:\WINDOWS\system32\tracerpt.exe

2007-01-28 23:52 183,808 --a------ C:\WINDOWS\system32\gptext.dll

2007-01-28 23:52 17,792 --------- C:\WINDOWS\system32\drivers\irbus.sys

2007-01-28 23:52 165,888 --a------ C:\WINDOWS\system32\mqrt.dll

2007-01-28 23:52 164,352 --a------ C:\WINDOWS\system32\mqtrig.dll

2007-01-28 23:52 156,672 --a------ C:\WINDOWS\system32\appmgmts.dll

2007-01-28 23:52 156,544 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys

2007-01-28 23:52 14,848 --a------ C:\WINDOWS\system32\mqise.dll

2007-01-28 23:52 130,048 --a------ C:\WINDOWS\system32\mqad.dll

2007-01-28 23:52 114,176 --a------ C:\WINDOWS\system32\input.dll

2007-01-28 23:52 113,664 --a------ C:\WINDOWS\system32\schtasks.exe

2007-01-28 23:52 113,152 --a------ C:\WINDOWS\system32\gpresult.exe

2007-01-28 23:52 103,936 --a------ C:\WINDOWS\system32\rsnotify.exe

2007-01-28 23:52 10,752 --------- C:\WINDOWS\system32\spiisupd.exe

2007-01-28 23:51 9,216 --a------ C:\WINDOWS\system32\icaapi.dll

2007-01-28 23:51 8,832 --a------ C:\WINDOWS\system32\framebuf.dll

2007-01-28 23:51 73,728 --a------ C:\WINDOWS\system32\ils.dll

2007-01-28 23:51 59,392 --a------ C:\WINDOWS\system32\iesetup.dll

2007-01-28 23:51 36,922 --a------ C:\WINDOWS\system32\imeshare.dll

2007-01-28 23:51 30,208 --a------ C:\WINDOWS\system32\imgutil.dll

2007-01-28 23:51 294,912 --a------ C:\WINDOWS\system32\iedkcs32.dll

2007-01-28 23:51 28,672 --a------ C:\WINDOWS\system32\ie4uinit.exe

2007-01-28 23:51 240,640 --a------ C:\WINDOWS\system32\hnetcfg.dll

2007-01-28 23:51 237,056 --a------ C:\WINDOWS\system32\icm32.dll

2007-01-28 23:51 204,288 --a------ C:\WINDOWS\system32\ieaksie.dll

2007-01-28 23:51 126,976 --a------ C:\WINDOWS\system32\ieakeng.dll

2007-01-28 23:51 123,904 --a------ C:\WINDOWS\system32\imapi.exe

2007-01-28 23:51 113,152 --a------ C:\WINDOWS\system32\idq.dll

2007-01-28 23:51 103,936 --a------ C:\WINDOWS\system32\imm32.dll

2007-01-28 23:50 9,216 --a------ C:\WINDOWS\system32\dumprep.exe

2007-01-28 23:50 802,304 --a------ C:\WINDOWS\system32\dxmrtp.dll

2007-01-28 23:50 66,560 --a------ C:\WINDOWS\system32\faultrep.dll

2007-01-28 23:50 498,205 --a------ C:\WINDOWS\system32\dxmasf.dll

2007-01-28 23:50 49,152 --a------ C:\WINDOWS\system32\eventlog.dll

2007-01-28 23:50 45,568 --a------ C:\WINDOWS\system32\docprop2.dll

2007-01-28 23:50 263,680 --a------ C:\WINDOWS\system32\duser.dll

2007-01-28 23:50 227,840 --a------ C:\WINDOWS\system32\dsquery.dll

2007-01-28 23:50 19,456 --a------ C:\WINDOWS\system32\fontview.exe

2007-01-28 23:50 19,456 --a------ C:\WINDOWS\system32\ersvc.dll

2007-01-28 23:50 180,224 --a------ C:\WINDOWS\system32\dwwin.exe

2007-01-28 23:50 178,688 --a------ C:\WINDOWS\system32\eudcedit.exe

2007-01-28 23:50 165,376 --a------ C:\WINDOWS\system32\els.dll

2007-01-28 23:50 16,384 --a------ C:\WINDOWS\system32\ds32gt.dll

2007-01-28 23:50 135,680 --a------ C:\WINDOWS\system32\dsprop.dll

2007-01-28 23:50 124,928 --a------ C:\WINDOWS\system32\dssenh.dll

2007-01-28 23:50 1,004,032 --a------ C:\WINDOWS\explorer.exe

2007-01-28 23:49 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe

2007-01-28 23:49 76,288 --a------ C:\WINDOWS\system32\dfrgfat.exe

2007-01-28 23:49 71,680 --a------ C:\WINDOWS\system32\browsewm.dll

2007-01-28 23:49 70,656 --a------ C:\WINDOWS\system32\defrag.exe

2007-01-28 23:49 70,144 --a------ C:\WINDOWS\system32\cryptdlg.dll

2007-01-28 23:49 64,512 --a------ C:\WINDOWS\system32\ciodm.dll

2007-01-28 23:49 61,440 --a------ C:\WINDOWS\system32\dbnetlib.dll

2007-01-28 23:49 59,904 --a------ C:\WINDOWS\system32\cabinet.dll

2007-01-28 23:49 55,296 --a------ C:\WINDOWS\system32\digest.dll

2007-01-28 23:49 54,272 --a------ C:\WINDOWS\system32\clusapi.dll

2007-01-28 23:49 53,248 --a------ C:\WINDOWS\system32\cryptsvc.dll

2007-01-28 23:49 489,984 --a------ C:\WINDOWS\system32\dbghelp.dll

2007-01-28 23:49 41,472 --a------ C:\WINDOWS\system32\cmdl32.exe

2007-01-28 23:49 35,328 --a------ C:\WINDOWS\system32\dfrgsnap.dll

2007-01-28 23:49 324,608 --a------ C:\WINDOWS\system32\cmdial32.dll

2007-01-28 23:49 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll

2007-01-28 23:49 307,712 --a------ C:\WINDOWS\system32\cscui.dll

2007-01-28 23:49 28,672 --a------ C:\WINDOWS\system32\dbnmpntw.dll

2007-01-28 23:49 263,168 --a------ C:\WINDOWS\system32\devmgr.dll

2007-01-28 23:49 25,600 --a------ C:\WINDOWS\system32\dfsshlex.dll

2007-01-28 23:49 24,576 --a------ C:\WINDOWS\system32\dbmsvinn.dll

2007-01-28 23:49 24,576 --a------ C:\WINDOWS\system32\dbmsrpcn.dll

2007-01-28 23:49 24,576 --a------ C:\WINDOWS\system32\conime.exe

2007-01-28 23:49 238,592 --a------ C:\WINDOWS\system32\compatui.dll

2007-01-28 23:49 20,480 --a------ C:\WINDOWS\system32\dbmsadsn.dll

2007-01-28 23:49 186,880 --a------ C:\WINDOWS\system32\certcli.dll

2007-01-28 23:49 158,720 --a------ C:\WINDOWS\system32\credui.dll

2007-01-28 23:49 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe

2007-01-28 23:49 113,152 --a------ C:\WINDOWS\system32\dfrgui.dll

2007-01-28 23:49 103,424 --a------ C:\WINDOWS\system32\dgnet.dll

2007-01-28 23:48 91,648 --a------ C:\WINDOWS\system32\ahui.exe

2007-01-28 23:48 91,136 --a------ C:\WINDOWS\system32\advpack.dll

2007-01-28 23:48 8,192 --a------ C:\WINDOWS\system32\autolfn.exe

2007-01-28 23:48 76,288 --a------ C:\WINDOWS\system32\avifil32.dll

2007-01-28 23:48 74,810 --a------ C:\WINDOWS\system32\atl.dll

2007-01-28 23:48 62,976 --a------ C:\WINDOWS\system32\browselc.dll

2007-01-28 23:48 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll

2007-01-28 23:48 6,656 --a------ C:\WINDOWS\system32\batt.dll

2007-01-28 23:48 49,152 --a------ C:\WINDOWS\system32\browser.dll

2007-01-28 23:48 41,984 --a------ C:\WINDOWS\system32\alg.exe

2007-01-28 23:48 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll

2007-01-28 23:48 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys

2007-01-28 23:48 239,616 --a------ C:\WINDOWS\system32\adsnt.dll

2007-01-28 23:48 22,528 --a------ C:\WINDOWS\system32\at.exe

2007-01-28 23:48 162,816 --a------ C:\WINDOWS\system32\adsldp.dll

2007-01-28 23:48 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll

2007-01-28 23:48 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll

2007-01-28 23:48 115,712 --a------ C:\WINDOWS\system32\apphelp.dll

2007-01-28 21:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage

2007-01-28 20:29 <DIR> d-------- C:\WINDOWS\system32\bits

2007-01-28 20:12 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll

2007-01-28 20:12 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll

2007-01-28 20:12 331,776 --a------ C:\WINDOWS\system32\winhttp.dll

2007-01-28 20:12 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll

2007-01-28 19:13 127,208 --a------ C:\WINDOWS\system32\mucltui.dll

2007-01-27 12:09 3,872 --a------ C:\WINDOWS\system32\tmp.reg

2007-01-27 12:07 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe

2007-01-27 12:07 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-01-27 12:07 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-01-27 12:07 40,960 --a------ C:\WINDOWS\system32\swsc.exe

2007-01-27 12:07 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-01-27 12:07 135,168 --a------ C:\WINDOWS\system32\swreg.exe

2007-01-27 11:56 <DIR> d-------- C:\SDFix

2007-01-26 21:22 <DIR> d-------- C:\Program Files\Hijackthis

2007-01-26 13:10 <DIR> d-------- C:\DOCUME~1\MIRACLE\Application Data\Skype

2007-01-26 01:53 <DIR> d-------- C:\DOCUME~1\MIRACLE\Application Data\Adobe

2007-01-25 21:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe

2007-01-25 21:01 <DIR> d-------- C:\Program Files\Common Files\Adobe

2007-01-25 13:23 8,704 --a------ C:\WINDOWS\system32\v6.exe

2007-01-25 12:54 <DIR> d-------- C:\Program Files\eMule

2007-01-25 01:44 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution

2007-01-25 01:40 <DIR> d-------- C:\WINDOWS\SoftwareDistribution

2007-01-25 01:39 465,176 --a------ C:\WINDOWS\system32\wuapi.dll

2007-01-25 01:39 41,240 --a------ C:\WINDOWS\system32\wups.dll

2007-01-25 01:39 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll

2007-01-25 01:39 173,536 --a------ C:\WINDOWS\system32\wuweb.dll

2007-01-25 01:39 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe

2007-01-25 01:39 127,256 --a------ C:\WINDOWS\system32\wucltui.dll

2007-01-25 01:22 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy

2007-01-24 23:36 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\McAfee.com Personal Firewall

2007-01-24 23:35 <DIR> d-------- C:\DOCUME~1\MIRACLE\Application Data\McAfee.com Personal Firewall

2007-01-24 23:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee.com Personal Firewall

2007-01-24 22:49 <DIR> d-------- C:\DOCUME~1\MIRACLE\Application Data\ICQ

2007-01-24 22:48 <DIR> d-------- C:\WINDOWS\aod

2007-01-24 22:46 <DIR> d-------- C:\Program Files\ICQ

2007-01-24 22:08 <DIR> d-------- C:\DOCUME~1\MIRACLE\Application Data\ICQ Toolbar

2007-01-24 22:05 <DIR> d-------- C:\Program Files\ICQToolbar

2007-01-24 20:58 <DIR> d-------- C:\WINDOWS\7

2007-01-24 19:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee.com

2007-01-24 18:03 <DIR> d-------- C:\WINDOWS\www.google.com

2007-01-24 17:29 <DIR> d-------- C:\www.google.com

2007-01-24 17:23 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\SystemDoctor 2006 Free

2007-01-24 16:49 <DIR> d-------- C:\DOCUME~1\MIRACLE\Application Data\DriveCleaner Free

2007-01-24 16:28 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\DriveCleaner Free

2007-01-24 16:17 89,088 --a------ C:\WINDOWS\system32\atl71.dll

2007-01-24 16:17 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll

2007-01-24 16:17 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

2007-01-24 16:17 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll

2007-01-24 16:17 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Free

2007-01-24 15:46 81,920 --a------ C:\WINDOWS\system32\Packet.dll

2007-01-24 15:46 61,440 --a------ C:\WINDOWS\system32\WanPacket.dll

2007-01-24 15:46 53,299 --a------ C:\WINDOWS\system32\pthreadVC.dll

2007-01-24 15:46 233,472 --a------ C:\WINDOWS\system32\wpcap.dll

2007-01-24 15:37 32,768 --a------ C:\DOCUME~1\MIRACLE\~tmp0374.exe

2007-01-24 15:07 17,616 -ra------ C:\WINDOWS\system32\drivers\tj2knd5.sys

2007-01-24 15:05 69,680 -ra------ C:\WINDOWS\system32\drivers\tj2kunic.sys

2007-01-24 15:05 5,712 -ra------ C:\WINDOWS\system32\drivers\tj2kwh.sys

2007-01-24 15:05 3,904 -ra------ C:\WINDOWS\system32\drivers\tj2kcr.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-30 10:24 -------- d-------- C:\Program Files\messenger

2007-01-30 07:54 -------- d---s---- C:\DOCUME~1\MIRACLE\Application Data\microsoft

2007-01-29 00:27 -------- d-------- C:\Program Files\movie maker

2007-01-25 01:40 -------- d--h----- C:\Program Files\windowsupdate

2007-01-24 22:08 -------- d-------- C:\Program Files\icqlite

2007-01-24 22:07 -------- d-------- C:\DOCUME~1\MIRACLE\Application Data\icqlite

2007-01-24 15:18 -------- d-------- C:\Program Files\msn messenger

2007-01-24 15:15 -------- d-------- C:\DOCUME~1\MIRACLE\Application Data\macromedia

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Remote Selector"="D:\\REMOTE~1\\REMOTE~1.EXE startup"
"QT4HPOT"="C:\\Program Files\\HPQ\\One-Touch\\OneTouch.EXE"
"Mirabilis ICQ"="C:\\PROGRA~1\\ICQ\\ICQNet.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"CARPService"="carpserv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"xp_system"="C:\\WINDOWS\\inet20126\\winlogon.exe"
"WinMedia"="C:\\WINDOWS\\TEMP\\1910196.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"xp_system"="C:\\WINDOWS\\inet20126\\winlogon.exe"
"WinMedia"="C:\\WINDOWS\\TEMP\\1910196.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 07-02-02 11:52:34

HiJack Log:

Logfile of HijackThis v1.99.1
Scan saved at 13:34:30, on 02/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program Files\HPQ\One-Touch\OneTouch.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [Remote Selector] D:\REMOTE~1\REMOTE~1.EXE startup

O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170004126860

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: instcat - instcat.dll (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

 

 

 

Nyn


Hello Nyn,

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

We are going to boot into Safe Mode later in the fix, and there is no internet access.

 

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

 

O20 - Winlogon Notify: instcat - instcat.dll (file missing)

 

Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

 

Please reboot your computer into Safe Mode.

This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

 

Set your system to show all files.

Navigate to Start | My Computer | Tools | Folder Options.

Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

 

Next, please find and delete the following files/folders (if present):

C:\WINDOWS\www.google.com <--Folder

C:\www.google.com <--Folder

C:\Documents and Settings\Local Settings\Application Data\SystemDoctor 2006 Free <--Folder

C:\Documents and Settings\MIRACLE\Application Data\DriveCleaner Free <--Folder

C:\Documents and Settings\Local Settings\Application Data\DriveCleaner Free <--Folder

C:\Program Files\Common Files\DriveCleaner Free <--Folder

C:\Documents and Settings\MIRACLE\~tmp0374.exe <--File

C:\WINDOWS\system32\v6.exe <--File

 

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

 

Backup the Registry:

 

Navigate to Start | Run and paste the following:

 

regedit /e c:\registrybackup.reg

 

Now click OK.

It won't appear to be doing anything; that's normal.

Your mouse pointer may turn to an hourglass for a minute.

Please continue when it no longer shows the hourglass.

 

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

 

REGEDIT4

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"xp_system"=-

"WinMedia"=-

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"xp_system"=-

"WinMedia"=-

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat]

Save this as fix.reg. Choose to save as "all files" and place it on your Desktop.

It should look like this: reg.gif

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

 

Reboot into Normal Mode.

 

Open Notepad and copy and paste the following text in the quote box into the window:

@echo off

dir "C:\WINDOWS\aod" >> look.txt

dir "C:\WINDOWS\7" >> look.txt

start look.txt

Save this as fix.bat.

Choose to save as "all files".

This is how the batch must look afterwards: bat.gif

Double-click fix.bat and let the program run.

A small black DOS window will flash; this is normal.

Please post the contents of the text reply that opens back here.

 

Please run Panda's ActiveScan.

Once you are on the Panda site, click the Scan your PC button.

A new window will open, click the Check Now button.

Enter your personal details.

Click the big Scan Now button.

It will ask to install various content - please allow this.

It will start downloading the files it requires for the scan, which may take a while.

When the download is complete, click on Local Disks to start the scan.

When the scan completes, click the See Report button.

Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

 

Please post me back look.txt, along with a new HijackThis log and the Panda report.

Thanks,

Charles

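The manual steps above (read the Reg Loading Points dump, pick out the xp_system and WinMedia values and the instcat Notify key, then write a REGEDIT4 file that removes them) as an added Python example; this is not Charles's tool or part of the original thread. The dump excerpt is constructed in the format the log uses, and the "temp directory / system binary name outside system32" triage rule is an assumption of this example, not a rule stated in the thread.

```python
import re

# Constructed excerpt in the "Reg Loading Points" format quoted in this thread.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"CARPService"="carpserv.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"xp_system"="C:\\WINDOWS\\inet20126\\winlogon.exe"
"WinMedia"="C:\\WINDOWS\\TEMP\\1910196.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat
'''

KEY_RE = re.compile(r'^\[?(HKEY_[^\]]+)\]?$')  # "[key]" or a bare key line
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="data"
# Binary names that should only autorun from the real system directory (assumed list).
SYSTEM_ONLY = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe"}

def parse_loading_points(text):
    """Return {key: {name: data}}; .reg format doubles backslashes, so undo that."""
    entries, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
            entries.setdefault(key, {})
        elif (m := VALUE_RE.match(line)) and key is not None:
            entries[key][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def suspicious_autoruns(entries):
    """Heuristic triage: flag values launched from a temp directory, or a
    system-only binary name running from outside \\WINDOWS\\system32."""
    flagged = []
    for key, values in entries.items():
        for name, data in values.items():
            # The executable is the quoted token, or else the first space-separated one.
            exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
            parent, _, base = exe.rpartition("\\")
            if "\\temp" in parent.lower():
                flagged.append((key, name, "runs from a temp directory"))
            elif base.lower() in SYSTEM_ONLY and not parent.lower().endswith("\\system32"):
                flagged.append((key, name, "system binary name outside system32"))
    return flagged

def build_fix(value_targets, delete_keys=()):
    """Render a REGEDIT4 file: "name"=- deletes a value, [-key] deletes a whole key."""
    by_key = {}
    for key, name in value_targets:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines += [f"[{key}]", *(f'"{n}"=-' for n in names), ""]
    for key in delete_keys:
        lines += [f"[-{key}]", ""]
    return "\n".join(lines)
```

The rendered text has the same shape as the fix.reg above; the flagged list is a starting point for review, not a verdict, so each entry is still checked before the file is merged.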

Okay, Charles. Here it is ;)

Oh, I was wondering if it's OK to delete some of the programs you told me to download, since my C drive is filling up.

 

 

look.txt:

 

Volume in drive C is SYS

Volume Serial Number is 0005-2DEA

 

Directory of C:\WINDOWS\aod

 

01/24/2007 10:48 PM <DIR> .

01/24/2007 10:48 PM <DIR> ..

10/23/2002 10:30 AM 36,864 aodres_en_us.dll

10/31/2002 01:15 PM 69,632 aodshext.dll

04/26/2002 05:23 PM 2,494 icon1.ico

04/26/2002 05:55 PM 2,494 icon2.ico

09/25/2002 03:04 PM 16 locales.ini

5 File(s) 111,500 bytes

2 Dir(s) 945,684,480 bytes free

Volume in drive C is SYS

Volume Serial Number is 0005-2DEA

 

Directory of C:\WINDOWS\7

 

01/25/2007 07:11 PM <DIR> .

01/25/2007 07:11 PM <DIR> ..

01/25/2007 07:11 PM <DIR> hackerwatch

01/24/2007 08:58 PM <DIR> RegistrationWizard

01/24/2007 11:59 PM <DIR> search

0 File(s) 0 bytes

5 Dir(s) 945,680,384 bytes free

 

 

 

 

 

Panda report:

 

 

Incident Status Location

 

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\MIRACLE\Cookies\[email protected][2].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\MIRACLE\Cookies\[email protected][1].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\MIRACLE\Cookies\[email protected][1].txt

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\MIRACLE\Cookies\[email protected][2].txt

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\MIRACLE\Cookies\[email protected][1].txt

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\MIRACLE\Desktop\SDFix.exe[sDFix\apps\Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\MIRACLE\Desktop\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Spyware:Cookie/Systemdoctor Not disinfected D:\eMule\Incoming\systemdoctor-serial.txt

Adware:Adware/SaveNow Not disinfected D:\MIRACLE\ToBurn\Icq stuff\RadLight3.exe[RPK.exe]

Adware:Adware/SaveNow Not disinfected D:\MIRACLE\ToBurn\Icq stuff\RadLight3.exe[VVSN_RDLT0541Inst.exe]

Adware:Adware/WeatherCast Not disinfected D:\MIRACLE\ToBurn\Icq stuff\RadLight3SE.exe[VVSN_RDLT0504Inst.exe]

Adware:Adware/SaveNow Not disinfected D:\MIRACLE\ToBurn\Icq stuff\RadLight3SE.exe[RPK.exe]

Potentially unwanted tool:Application/Altnet Not disinfected D:\System Volume Information\_restore{F5C77EAF-F2EC-419B-A578-56334B676CD3}\RP29\A0011077.dll

 

 

 

Hijack log:

 

Logfile of HijackThis v1.99.1

Scan saved at 17:42:45, on 04/02/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HPQ\One-Touch\OneTouch.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll (file missing)

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [Remote Selector] D:\REMOTE~1\REMOTE~1.EXE startup

O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170004126860

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD735EA3-EB19-4AB0-BFD7-596BBA9C4AAB}: NameServer = 192.116.202.222 213.8.172.83

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

 

 

Nyn


Hey Nyn,

You can delete all of the tools I've asked you to download if you want to. ;)

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

We are going to boot into Safe Mode later in the fix, and there is no internet access.

 

Please download ATF Cleaner.

Don't run it yet.

 

Please reboot your computer into Safe Mode.

This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

 

Double click ATF-Cleaner.exe to run the program.

Under Main, choose Select All.

Click the Empty Selected button.

 

If you use the Firefox browser:

Click Firefox at the top and choose Select All.

Click the Empty Selected button.

Note: If you would like to keep your saved passwords, please click "No" at the prompt.

 

If you use the Opera browser:

Click Opera at the top and choose Select All.

Click the Empty Selected button.

Note: If you would like to keep your saved passwords, please click "No" at the prompt.

 

Click Exit on the main menu to close the program.

 

Next, please find and delete the following files/folders (if present):

 

C:\WINDOWS\aod <--Folder

D:\MIRACLE\ToBurn\Icq stuff\RadLight3.exe[RPK.exe] <--File

D:\MIRACLE\ToBurn\Icq stuff\RadLight3.exe[VVSN_RDLT0541Inst.exe] <--File

D:\MIRACLE\ToBurn\Icq stuff\RadLight3SE.exe[VVSN_RDLT0504Inst.exe] <--File

D:\MIRACLE\ToBurn\Icq stuff\RadLight3SE.exe[RPK.exe] <--File

 

Reboot into Normal Mode.

 

In your next post, please let me know how things are running.

Thanks,

Charles
