TheTechGuide Forum
General Category => Tech Clinic => Topic started by: 1yn on October 28, 2006, 12:49:07 PM
-
Thanks for the help beforehand. So my computer was recently reformatted, then all types of viruses and spyware popped up when I connected to the internet. One of the many issues was Downloader.Tibs, which AVG Anti-Virus can't get rid of. After some steps I was informed to turn System Restore off, download AVG Anti-Spyware, update, run in Safe Mode, fix the problem and restart. Then I reran AVG Anti-Virus and the problem was gone. But then I opened IE and AVG went crazy with all types of viruses and Downloader.Tibs resurfacing. And BTW I keep getting this error: "Error loading w004ddaa.dll. The specified module could not be found." I downloaded Spybot S&D and found the source to be Command Service. Of the 3 problems found in Command Service, only 1 can be deleted. I don't know if I explained my situation enough, but here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:18:15 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\tcpip.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
-
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe) and save it to your desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log from combofix please
-
Administrator - 06-10-28 13:56:13.81 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Administrator\Application Data\Dxcdmns.dll
C:\Documents and Settings\Administrator\Application Data\Dxcknwrd.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Administrator\Application Data\Install.dat
C:\WINDOWS\system32\aaa00000.sys
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Documents and Settings\All Users\Documents\Settings
C:\WINDOWS\RS1UZWNo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1\s?mbols
((((((((((((((((((((((((((((((( Files Created from 2006-09-28 to 2006-10-28 ))))))))))))))))))))))))))))))))))
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 13:32 217,346 --a------ C:\WINDOWS\srvclxrcpe.exe
2006-10-27 13:31 217,346 --a------ C:\WINDOWS\srvevnbieo.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 02:50 217,346 --a------ C:\WINDOWS\srvwrgleib.exe
2006-10-27 00:15 217,346 --a------ C:\WINDOWS\srvmhtjglh.exe
2006-10-27 00:13 217,346 --a------ C:\WINDOWS\srvxstwlgm.exe
2006-10-27 00:12 217,346 --a------ C:\WINDOWS\srvwhebfkj.exe
2006-10-26 22:27 217,346 --a------ C:\WINDOWS\srvdfmdtpz.exe
2006-10-26 22:26 217,346 --a------ C:\WINDOWS\srvngogrwj.exe
2006-10-26 22:17 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-26 22:17 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-26 20:04 49,428 --a------ C:\WINDOWS\system32\rmuwoiss.dll
2006-10-26 20:03 971 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-26 20:03 69,652 --a------ C:\WINDOWS\system32\eucwried.exe
2006-10-26 20:03 645,804 ---hs---- C:\WINDOWS\system32\ttutv.bak2
2006-10-26 12:35 217,346 --a------ C:\WINDOWS\srvhsuncdb.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvposbxek.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvfoqqyfi.exe
2006-10-26 12:32 688,180 ---hs---- C:\WINDOWS\system32\vtutt.dll
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvqbfkjhp.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvgxdftpc.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvcfytgra.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
2006-10-28 12:45 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-28 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-28 00:27 -------- d-------- C:\Program Files\Starcraft
2006-10-28 00:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 18:12 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-27 18:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-27 18:00 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 13:51 -------- d-------- C:\Program Files\MsnMusic
2006-10-27 13:50 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 13:47 -------- d-------- C:\Program Files\WinZip
2006-10-27 13:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-27 03:22 -------- d-------- C:\Program Files\Internet Explorer
2006-10-27 02:55 -------- d-------- C:\Program Files\Grisoft
2006-10-27 00:05 -------- d-------- C:\Program Files\Online Services
2006-10-27 00:01 -------- d-------- C:\Program Files\Messenger
2006-10-26 23:59 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 23:59 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 23:59 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-26 22:13 5468 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
2006-10-26 22:13 17414 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
2006-10-26 20:03 -------- d-------- C:\Program Files\VSAdd-in
2006-10-26 02:11 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"hfd59da9"="RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"_mzu_stonedrv3"="c:\\windows\\system32\\_mzu_stonedrv3.exe"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="C:\\Program Files\\Internet Explorer\\pojogagag.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\meged.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\oqdsregq.exe GEN001"
"item"="TA_Start"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\swinppem.exe GEN001"
"item"="Think-Adz"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADeck"
"hkey"="HKLM"
"command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKCU"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swinppem"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\swinppem.exe GEN001"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hnydjtb.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hnydjtb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\hnydjtb.dll,ldaliqf"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmcrat06]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmputt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\mmputt.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quiwn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uhwems"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\uhwems.exe reg_run"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys027993650414]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys027993650414"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys027993650414.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_mzu_stonedrv3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="_mzu_stonedrv3"
"hkey"="HKCU"
"command"="c:\\windows\\system32\\_mzu_stonedrv3.exe"
"inimapping"="0"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Completion time: 06-10-28 14:00:57.26
C:\ComboFix.txt ... 06-10-28 14:00
-
Can I have you do the following
I need to see EVERYTHING running on startup; you're disabling entries with msconfig.
Go to START>>RUN>>Type in
msconfig
Hit OK
Under the STARTUP tab>>Enable ALL.>>Apply it
Under the SERVICES tab>>Enable ALL>>Apply it
Under the GENERAL tab>>Select NORMAL startup
APPLY it and CLOSE
Restart the computer
Supply a fresh Hijackthis log
Also
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
-
I followed your above steps, but the list you want me to get when I click the Save List... button isn't prompting me where to save it, so I don't know how to get the list to you. I tried to manually shift-select all of the items but that didn't work. Here is the new HJT list:
Logfile of HijackThis v1.99.1
Scan saved at 2:31:15 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\mmputt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\tcpip.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [sys027993650414] C:\WINDOWS\sys027993650414.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hnydjtb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hnydjtb.dll,ldaliqf
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinppem.exe GEN001
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [quiwn] C:\WINDOWS\system32\uhwems.exe reg_run
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oqdsregq.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinppem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
-
After you click the SAVE LIST button
You should see Save in... at the top
Use the drop down menu and select Desktop
-
HJT closes the moment I click Save List... I will try to manually list the programs I see, but I will exclude stuff such as Security Update for Windows XP, Update for Windows XP, and Windows XP Hotfix.
ad-aware se
ati software uninstall utility
ati catalyst control center
ati control panel
ati display driver
avg anti-spyware
avg free edition
HJT 1.99.1
microsoft .NET framework 1.1
mozilla
msn messenger 7.5
msn music assistant
spybot S&D
starcraft
VIA platform device manager
windows installer 3.1
winzip
-
Can you do the following instead
Download and unzip to your desktop InstalledPrograms.zip (http://www.billsway.com/vbspage/vbsfiles/InstalledPrograms.zip)
Double click on InstalledPrograms.vbs
Click OK at the IP prompt and click YES to view the results now
A text file will open, can you copy and paste back here the whole contents
-
INSTALLED SOFTWARE (86) - E-0B828A199F114 - 10/28/2006 3:06:20 PM
Ad-Aware SE Personal
ATI - Software Uninstall Utility Ver: 6.14.10.1012
ATI Catalyst Control Center Ver: 1.2.1949.42406 Installed: 12/31/2001
ATI Control Panel Ver: 6.14.10.5154
ATI Display Driver Ver: 8.252-060503a-032464C-ATI
AVG Anti-Spyware 7.5
AVG Free Edition
HijackThis 1.99.1 Ver: 1.99.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 12/31/2001
Mozilla Firefox (1.0.7) Ver: 1.0.7 (en-US)
MSN Messenger 7.5 Ver: 7.5.0306.0 Installed: 10/27/2006
MSN Music Assistant
Platform Ver: 1.12 Installed: 1/1/2002
Security Update for Windows Media Player (KB911564) Installed: 10/27/2006
Security Update for Windows Media Player 10 (KB917734) Installed: 10/27/2006
Security Update for Windows Media Player 9 (KB917734) Installed: 10/27/2006
Security Update for Windows XP (KB890046) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB893756) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB896358) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB896423) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB896424) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB896428) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB899587) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB899589) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB899591) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB900725) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB901017) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB901190) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB901214) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB902400) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB904706) Ver: 2 Installed: 10/27/2006
Security Update for Windows XP (KB905414) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB905749) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB908519) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB911562) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB911567) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB911927) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB912919) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB914388) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB914389) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB917344) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB917422) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB917953) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB918439) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB918899) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB919007) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920214) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920670) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920683) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920685) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB921398) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB921883) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB922616) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB922819) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB923191) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB923414) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB924191) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB924496) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB925486) Ver: 1 Installed: 10/27/2006
Spybot - Search & Destroy 1.4 Ver: 1.4
Starcraft
Update for Windows XP (KB894391) Ver: 1 Installed: 10/26/2006
Update for Windows XP (KB898461) Ver: 1 Installed: 10/26/2006
Update for Windows XP (KB900485) Ver: 2 Installed: 10/27/2006
Update for Windows XP (KB908531) Ver: 2 Installed: 10/27/2006
Update for Windows XP (KB910437) Ver: 1 Installed: 10/27/2006
Update for Windows XP (KB911280) Ver: 2 Installed: 10/27/2006
Update for Windows XP (KB916595) Ver: 1 Installed: 10/27/2006
Update for Windows XP (KB920872) Ver: 1 Installed: 10/27/2006
Update for Windows XP (KB922582) Ver: 1 Installed: 10/27/2006
VIA Platform Device Manager Ver: 1.12 Installed: 1/1/2002
WebFldrs XP Ver: 9.50.7523 Installed: 12/31/2001
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890859 Ver: 1 Installed: 10/26/2006
Windows XP Hotfix - KB891781 Ver: 20050110.165439
WinZip Ver: 9.0 SR-1 (6224)
-
We're going to run some tools on your computer and see what we can clean
I advise you to print all these instructions or save them to a text file on your desktop.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop.
Download Delcmdservice.zip (http://users.telenet.be/marcvn/tools/delcmdservice.zip) to your Desktop.
Now, unpack (extract) the delcmdservice folder to your desktop.
Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip
Unzip all files to a convenient location such as C:\Qoofix.
We'll need it later.
Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Do a "System scan only" with Hijackthis and put a check next to these entries:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [sys027993650414] C:\WINDOWS\sys027993650414.exe
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [hnydjtb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hnydjtb.dll,ldaliqf
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinppem.exe GEN001
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [quiwn] C:\WINDOWS\system32\uhwems.exe reg_run
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oqdsregq.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinppem.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
After you have ticked the above entries, close all other open windows, including this one.
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
Open the delcmdservice folder on your desktop and double-click on DelReg.bat. A DOS window will open and rapidly close - this is normal.
Close the delcmdservice folder.
SDFix
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Qoofix by RubberDucky
- Go to the folder where you unzipped all the files and run Qoofix.exe.
- Click Begin Removal and wait for the scan to finish.
- If an infection has been found, select yes to restart your computer.
VundoFix.exe
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."
I need to see all the next logs back here please, even if it takes more than one reply to do so.
1. Post a fresh Hijackthis log
2. The report from SDFix>>Report.txt in the SDFix folder
3. The Qoofix report>>Found in the Qoofix folder
4. The report from Vundofix>>by default found here>>C:\Vundofix.txt
After the above, can you run ComboFix one more time and post the fresh log that opens, please.
- Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
-
1. THE NEW HJT
Logfile of HijackThis v1.99.1
Scan saved at 4:15:29 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\tcpip.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {104FD479-1D03-1C5C-8D76-04C43703AE4D} - C:\WINDOWS\system32\dgaladd.dll (file missing)
O2 - BHO: (no name) - {249065D9-9A39-D14C-FCEF-038880B8B971} - C:\WINDOWS\system32\hnydjtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\qmqhodsn.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: (no name) - {BE118DBF-BA95-4ECE-98D5-C9CC0E22449C} - C:\Program Files\MSN Gaming Zone\mebos.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rmuwoiss.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
2. THE REPORT
SDFix: Version 1.32
-------------------
Scan run on:
Sat 10/28/2006
Time:
03:54 PM
Microsoft Windows XP [Version 5.1.2600]
Running from: C:\Documents and Settings\Administrator\Desktop\SDFix
Stage One...
Checking Services...
Name:
-----
MZU_RK
Path:
----
\??\C:\WINDOWS\system32\MZU_DRV.sys
MZU_RK Deleted...
Repairing Registry...
Restoring Default Hosts File...
Stage One Complete
Rebooting...
Stage Two...
Checking For Malware:
--------------------
C:\WINDOWS\system32\mini3tone.ini
C:\WINDOWS\system32\form.txt
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\ipv6monl.dll
Backing Up and Removing any Files Found...
Final Check:
Services:
---------
Files:
------
Any files removed are saved to the SDFix\backups Folder
FINISHED
3. QOOFIX REPORT
Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [10/28/2006] at [4:03:50 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [10/28/2006] at [4:04:58 PM]
Note: Some registry keys may have been removed.
4. VUNDOFIX REPORT
VundoFix V6.2.6
Checking Java version...
Sun Java not detected
Scan started at 4:06:05 PM 10/28/2006
Listing files found while scanning....
C:\WINDOWS\system32\dgaladd.dll
C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.bak2
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dgaladd.dll
C:\WINDOWS\system32\dgaladd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.bak2 Has been deleted!
Performing Repairs to the registry.
Done!
The rest I will continue in the next post.
-
THE NEW COMBO FIX LOG
Administrator - 06-10-28 16:19:08.82 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1\s?mbols
((((((((((((((((((((((((((((((( Files Created from 2006-09-28 to 2006-10-28 ))))))))))))))))))))))))))))))))))
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 13:32 217,346 --a------ C:\WINDOWS\srvclxrcpe.exe
2006-10-27 13:31 217,346 --a------ C:\WINDOWS\srvevnbieo.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 02:50 217,346 --a------ C:\WINDOWS\srvwrgleib.exe
2006-10-27 00:15 217,346 --a------ C:\WINDOWS\srvmhtjglh.exe
2006-10-27 00:13 217,346 --a------ C:\WINDOWS\srvxstwlgm.exe
2006-10-27 00:12 217,346 --a------ C:\WINDOWS\srvwhebfkj.exe
2006-10-26 22:27 217,346 --a------ C:\WINDOWS\srvdfmdtpz.exe
2006-10-26 22:26 217,346 --a------ C:\WINDOWS\srvngogrwj.exe
2006-10-26 22:17 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-26 22:17 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-26 20:04 49,428 --a------ C:\WINDOWS\system32\rmuwoiss.dll
2006-10-26 20:03 971 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-26 20:03 69,652 --a------ C:\WINDOWS\system32\eucwried.exe
2006-10-26 12:35 217,346 --a------ C:\WINDOWS\srvhsuncdb.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvposbxek.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvfoqqyfi.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvqbfkjhp.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvgxdftpc.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvcfytgra.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
2006-10-28 12:45 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-28 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-28 00:27 -------- d-------- C:\Program Files\Starcraft
2006-10-28 00:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 18:12 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-27 18:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-27 18:00 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 13:51 -------- d-------- C:\Program Files\MsnMusic
2006-10-27 13:50 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 13:47 -------- d-------- C:\Program Files\WinZip
2006-10-27 13:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-27 03:22 -------- d-------- C:\Program Files\Internet Explorer
2006-10-27 02:55 -------- d-------- C:\Program Files\Grisoft
2006-10-27 00:05 -------- d-------- C:\Program Files\Online Services
2006-10-27 00:01 -------- d-------- C:\Program Files\Messenger
2006-10-26 23:59 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 23:59 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 23:59 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-26 22:13 5468 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
2006-10-26 22:13 17414 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
2006-10-26 20:03 -------- d-------- C:\Program Files\VSAdd-in
2006-10-26 02:11 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="C:\\Program Files\\Internet Explorer\\pojogagag.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\meged.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Completion time: 06-10-28 16:19:47.93
C:\ComboFix.txt ... 06-10-28 16:19
C:\ComboFix2.txt ... 06-10-28 14:00
THE NEW HJT, PART 2 OF YOUR REQUEST
Logfile of HijackThis v1.99.1
Scan saved at 4:22:10 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\tcpip.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {104FD479-1D03-1C5C-8D76-04C43703AE4D} - C:\WINDOWS\system32\dgaladd.dll (file missing)
O2 - BHO: (no name) - {249065D9-9A39-D14C-FCEF-038880B8B971} - C:\WINDOWS\system32\hnydjtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\qmqhodsn.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: (no name) - {BE118DBF-BA95-4ECE-98D5-C9CC0E22449C} - C:\Program Files\MSN Gaming Zone\mebos.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rmuwoiss.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
-
Can you now do the following:
I recommend you print this again or save it to a text file.
Download The Avenger.zip (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop
Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard.
=============================================================
files to delete:
C:\WINDOWS\srvclxrcpe.exe
C:\WINDOWS\srvevnbieo.exe
C:\WINDOWS\srvwrgleib.exe
C:\WINDOWS\srvmhtjglh.exe
C:\WINDOWS\srvxstwlgm.exe
C:\WINDOWS\srvwhebfkj.exe
C:\WINDOWS\srvdfmdtpz.exe
C:\WINDOWS\srvngogrwj.exe
C:\WINDOWS\ScUnin.pif
C:\WINDOWS\ScUnin.exe
C:\WINDOWS\system32\rmuwoiss.dll
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\eucwried.exe
C:\WINDOWS\srvhsuncdb.exe
C:\WINDOWS\srvposbxek.exe
C:\WINDOWS\srvfoqqyfi.exe
C:\WINDOWS\srvqbfkjhp.exe
C:\WINDOWS\srvgxdftpc.exe
C:\WINDOWS\srvcfytgra.exe
C:\WINDOWS\system32\qmqhodsn.dll
C:\Program Files\BHO Plugin\plugin1.dll
C:\WINDOWS\system32\hnydjtb.dll
C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\uni_e6h.exe
C:\Program Files\Windows Media Player\meged.html
C:\Program Files\Internet Explorer\pojogagag.html
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
Folders to delete:
C:\Program Files\BHO Plugin
==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.
Avenger should now reboot your computer.
Back in Windows:
Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")
Do a "System scan only" with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {104FD479-1D03-1C5C-8D76-04C43703AE4D} - C:\WINDOWS\system32\dgaladd.dll (file missing)
O2 - BHO: (no name) - {249065D9-9A39-D14C-FCEF-038880B8B971} - C:\WINDOWS\system32\hnydjtb.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\qmqhodsn.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: (no name) - {BE118DBF-BA95-4ECE-98D5-C9CC0E22449C} - C:\Program Files\MSN Gaming Zone\mebos.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rmuwoiss.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
After you have ticked the above entries, close all other open windows, including this one.
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer one more time
Can you post back the following please
1. Post a fresh Hijackthis log
2. Post the log from Avenger, found here>>C:\Avenger.txt
3. Can you run combofix again and post one more log please
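The two-step pattern used in this thread (a file deleter such as Avenger removes the DLLs, then the registry load points left pointing at missing files are ticked in HijackThis) can be checked mechanically. The following is an added example, not code from HijackThis, Avenger or anyone in this thread; it assumes HJT v1.99-style entry lines and Avenger v1 "File ... deleted successfully." lines, and the sample logs are constructed from lines seen here.

```python
"""Triage of HijackThis (HJT) logs against an Avenger deletion log.

Added example for this thread, not code from HijackThis, Avenger or the forum.
Assumptions: HJT v1.99-style "Oxx - ..." lines and Avenger v1 "File ... deleted
successfully." lines; the sample logs below are constructed from this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# One HJT entry: "<section> - <rest>", e.g. "O2 - BHO: (no name) - {GUID} - C:\x.dll (file missing)"
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# Windows file paths inside an entry (drive letter, backslash, up to a known extension)
WIN_PATH = re.compile(r"(?i)([a-z]:\\.+?\.(?:exe|dll|sys|lnk|bat|pif|html))")
# Avenger line confirming a deletion
AVENGER_DELETED = re.compile(r"^File (?P<path>.+?) deleted successfully\.$")
MISSING = "(file missing)"


@dataclass(frozen=True)
class Entry:
    section: str            # O2, O4, O20, ...
    body: str               # text after the section marker, "(file missing)" stripped
    paths: Tuple[str, ...]  # every file path the entry references, in order
    file_missing: bool      # HJT itself could not find the file on disk

    def key(self) -> Tuple[str, str]:
        # Load points are compared case-insensitively, ignoring the missing-file tag
        return (self.section, self.body.lower())


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O/R/F entries of an HJT log; process list and header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        missing = MISSING in body
        body = body.replace(MISSING, "").strip()
        entries.append(Entry(m.group("section"), body,
                             tuple(WIN_PATH.findall(body)), missing))
    return entries


def parse_avenger_deleted(text: str) -> Set[str]:
    """Paths Avenger reports as deleted, lower-cased for case-insensitive matching."""
    deleted = set()
    for raw in text.splitlines():
        m = AVENGER_DELETED.match(raw.strip())
        if m:
            deleted.add(m.group("path").lower())
    return deleted


def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Split `before` into entries that are gone from `after` and entries that persist."""
    after_keys = {e.key() for e in after}
    removed = [e for e in before if e.key() not in after_keys]
    persisting = [e for e in before if e.key() in after_keys]
    return removed, persisting


def orphaned_entries(entries: List[Entry], deleted: Set[str]) -> List[Entry]:
    """Load points whose target file is gone: HJT flagged it missing, or a file
    deleter removed it. The registry reference itself still has to be fixed."""
    return [e for e in entries
            if e.file_missing or any(p.lower() in deleted for p in e.paths)]


# Constructed sample logs (a handful of lines in the shape seen in this thread)
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rmuwoiss.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
"""
AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""
AVENGER_LOG = r"""
File C:\WINDOWS\system32\rmuwoiss.dll deleted successfully.
File C:\WINDOWS\system32\rpcc.dll deleted successfully.
File C:\Program Files\Internet Explorer\pojogagag.html not found!
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    deleted = parse_avenger_deleted(AVENGER_LOG)
    removed, persisting = diff_logs(before, after)
    print("entries cleared by the fix:", [e.body for e in removed])
    print("entries still present:", [e.body for e in persisting])
    # Entries to tick in HJT once the files are gone (the step prescribed above)
    for e in orphaned_entries(before, deleted):
        print("fix registry reference:", e.section, e.body)
```

Running `orphaned_entries` on the pre-fix log lists exactly the BHO and Winlogon Notify entries whose files Avenger deleted or HJT already reported missing, which is the list to tick in HijackThis; running it on the post-fix log should come back empty.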
-
1. NEW HJT
Logfile of HijackThis v1.99.1
Scan saved at 5:58:21 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\tcpip.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
2. AVENGER TXT
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kxjdbbte
*******************
Script file located at: \??\C:\Program Files\pskdwwao.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\srvclxrcpe.exe deleted successfully.
File C:\WINDOWS\srvevnbieo.exe deleted successfully.
File C:\WINDOWS\srvwrgleib.exe deleted successfully.
File C:\WINDOWS\srvmhtjglh.exe deleted successfully.
File C:\WINDOWS\srvxstwlgm.exe deleted successfully.
File C:\WINDOWS\srvwhebfkj.exe deleted successfully.
File C:\WINDOWS\srvdfmdtpz.exe deleted successfully.
File C:\WINDOWS\srvngogrwj.exe deleted successfully.
File C:\WINDOWS\ScUnin.pif deleted successfully.
File C:\WINDOWS\ScUnin.exe deleted successfully.
File C:\WINDOWS\system32\rmuwoiss.dll deleted successfully.
File C:\WINDOWS\system32\winpfg32.sys deleted successfully.
File C:\WINDOWS\system32\eucwried.exe deleted successfully.
File C:\WINDOWS\srvhsuncdb.exe deleted successfully.
File C:\WINDOWS\srvposbxek.exe deleted successfully.
File C:\WINDOWS\srvfoqqyfi.exe deleted successfully.
File C:\WINDOWS\srvqbfkjhp.exe deleted successfully.
File C:\WINDOWS\srvgxdftpc.exe deleted successfully.
File C:\WINDOWS\srvcfytgra.exe deleted successfully.
File C:\WINDOWS\system32\qmqhodsn.dll deleted successfully.
File C:\Program Files\BHO Plugin\plugin1.dll deleted successfully.
File C:\WINDOWS\system32\hnydjtb.dll deleted successfully.
File C:\WINDOWS\system32\rpcc.dll deleted successfully.
File C:\WINDOWS\uni_e6h.exe deleted successfully.
File C:\Program Files\Windows Media Player\meged.html not found!
Deletion of file C:\Program Files\Windows Media Player\meged.html failed!
Could not process line:
C:\Program Files\Windows Media Player\meged.html
Status: 0xc0000034
File C:\Program Files\Internet Explorer\pojogagag.html not found!
Deletion of file C:\Program Files\Internet Explorer\pojogagag.html failed!
Could not process line:
C:\Program Files\Internet Explorer\pojogagag.html
Status: 0xc0000034
Could not open file C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll for deletion
Deletion of file C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll failed!
Could not process line:
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
Status: 0xc000003a
Folder C:\Program Files\BHO Plugin deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
3. COMBO FIX TXT
Administrator - 06-10-28 17:59:41.06 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1\s?mbols
((((((((((((((((((((((((((((((( Files Created from 2006-09-28 to 2006-10-28 ))))))))))))))))))))))))))))))))))
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-28 17:50 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
2006-10-28 12:45 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-28 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-28 00:27 -------- d-------- C:\Program Files\Starcraft
2006-10-28 00:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 18:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-27 18:00 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 13:51 -------- d-------- C:\Program Files\MsnMusic
2006-10-27 13:50 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 13:47 -------- d-------- C:\Program Files\WinZip
2006-10-27 13:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-27 03:22 -------- d-------- C:\Program Files\Internet Explorer
2006-10-27 02:55 -------- d-------- C:\Program Files\Grisoft
2006-10-27 00:05 -------- d-------- C:\Program Files\Online Services
2006-10-27 00:01 -------- d-------- C:\Program Files\Messenger
2006-10-26 23:59 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 23:59 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 23:59 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-26 22:13 5468 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
2006-10-26 22:13 17414 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
2006-10-26 20:03 -------- d-------- C:\Program Files\VSAdd-in
2006-10-26 02:11 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Completion time: 06-10-28 18:00:19.48
C:\ComboFix.txt ... 06-10-28 18:00
C:\ComboFix2.txt ... 06-10-28 16:19
C:\ComboFix3.txt ... 06-10-28 14:00
-
Can you do the following for me
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Can you delete this folder if found
C:\Program Files\BHO Plugin
In the same Program Files location you can delete the Enigma Software Group folder if you have nothing installed by them; it looks like a leftover
Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to the file on your hard drive if you can find it
C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta <-this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please
Can you do the same with these files too please
C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
C:\WINDOWS\system32\tcpip.exe
One more scanner please
I just want to check on something
Download and save to desktop
F-Secure Blacklight (blbeta.exe): https://europe.f-secure.com/exclude/blacklight/blbeta.exe
Double click to run blbeta.exe
* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log
BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".
Post that log please
How's everything running?
EDIT>>Can you also check to see if you can run and save the Uninstall list from Hijackthis again
If you can, please post the contents
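Before a file like the one above goes to Jotti or VirusTotal it is worth writing down its hashes and checking whether it is packed, since "Packers detected: UPX" is exactly what the later scan result shows. The script below is an added example for this thread, not code from the original posts or from any scanner named here. It computes MD5 (what Jotti reports) and SHA-256, then walks the PE section table looking for the UPX0/UPX1 section names that a UPX-packed binary carries. The PE it runs on by default is constructed in memory (headers only) so the example works offline; it is not the real tcpip.exe from this thread. Pass a path on the command line to hash and inspect a real file.

```python
"""Hashes and a UPX packer check for a suspect executable before upload.

Added example for this forum thread; not from the original posts or from
Jotti, VirusTotal or any tool named in the thread.  The sample PE built by
build_sample_pe() is constructed for offline testing only.
"""
import hashlib
import struct
import sys

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def file_hashes(data):
    """MD5 (as reported by Jotti) and SHA-256 of the file contents."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def pe_section_names(data):
    """Section names of a PE image; [] when the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                            # truncated or lying header: stop, do not crash
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data):
    """UPX leaves its own section names behind; a cheap, reliable tell."""
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def triage(data):
    """Everything worth noting down before the file is uploaded."""
    report = file_hashes(data)
    report["sections"] = [n.decode("latin-1") for n in pe_section_names(data)]
    report["upx"] = is_upx_packed(data)
    return report


def build_sample_pe(section_names):
    """Constructed minimal PE32 (DOS stub, PE signature, COFF header, empty
    optional header, section table) used only so the example runs offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 224                        # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])
    for key, value in triage(data).items():
        print("%-8s %s" % (key, value))
```

A packer is not proof of malware (plenty of legitimate software ships UPX-packed), but a UPX-packed executable with a system-sounding name sitting in system32 and registered as a service is the combination that justified submitting this one. The hash is what lets you confirm later that the file you deleted is the same one the scanners flagged.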
-
I found the Enigma Software Group folder and deleted it, then I went to RUN and copy/pasted C:\Program Files\BHO Plugin; it was found but I can't delete it. The computer is running great and the error in the beginning has long been gone. But on that note I haven't been using I.E. at all (which I think is the source from which all my viruses resurface). I have been using a laptop to download the stuff you ask for, then transferring it to run on the infected computer. With your latest instruction it is the first time I connected the internet to the infected computer. And yes, I am able to save the HJT file and will post it below.
RESULTS FOR C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
Service load:
0% 100%
File: F66022CBC7AA4769BC48A3C22B3B57D4.sta
Status:
OK
MD5 3aae6789a625e5c7754af85c006a9580
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
RESULTS FOR C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
Service load:
0% 100%
File: F66022CBC7AA4769BC48A3C22B3B57D4.rul
Status:
OK
MD5 07806ccb15ba7e04b44cfeb0b89f4e93
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
RESULTS FOR C:\WINDOWS\system32\tcpip.exe
Service load:
0% 100%
File: tcpip.exe
Status:
POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 7d8241b2edcc6750e7719af24da153d9
Packers detected:
PE_PATCH.UPX, UPX
Scanner results
AntiVir
Found Heuristic/Crypted (probable variant)
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Generic.Malware.Yd.FDABD5F9 (probable variant)
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found W32/AYL!tr.dldr
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
BLACK LIGHT REPORT
10/28/06 19:00:43 [Info]: BlackLight Engine 1.0.47 initialized
10/28/06 19:00:43 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/28/06 19:00:43 [Note]: 7019 4
10/28/06 19:00:43 [Note]: 7005 0
10/28/06 19:00:54 [Note]: 7006 0
10/28/06 19:00:54 [Note]: 7011 1180
10/28/06 19:00:55 [Note]: 7026 0
10/28/06 19:00:55 [Note]: 7026 0
10/28/06 19:00:59 [Note]: FSRAW library version 1.7.1020
10/28/06 19:06:04 [Note]: 2000 1012
10/28/06 19:06:04 [Note]: 2000 1012
10/28/06 19:11:17 [Note]: 7007 0
HJT UNINSTALL LIST
Ad-Aware SE Personal
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
AVG Free Edition
HijackThis 1.99.1
Microsoft .NET Framework 1.1
Mozilla Firefox (1.0.7)
MSN Messenger 7.5
MSN Music Assistant
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Spybot - Search & Destroy 1.4
Starcraft
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VIA Platform Device Manager
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
-
Sorry for the delay
Can you do the following
Copy ALL the text contained in the box below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard,
=============================================================
files to delete:
C:\WINDOWS\system32\tcpip.exe
==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.
Avenger should now Reboot your computer
Back in Windows
Since you already have AVG-Antispyware installed, can you do the following- Load AVG-antispyware and then click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Select the "Scanner" tab
- Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected
- Click back to the "Scan" tab and then click on Complete System Scan.
- Let this scan complete
- AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Reboot one more time
Post a fresh Hijackthis log afterwards and the whole report from AVG-antispyware
That should do it, just some quick final steps
-
NEW HJT
Logfile of HijackThis v1.99.1
Scan saved at 12:12:31 PM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
AVG REPORT
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:09:12 PM 10/29/2006
+ Scan result:
Nothing found.
::Report end
-
Can you do the following for me please
Create a .reg file
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4

; Each key name must stay on a single line; do not let it wrap when you paste.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}]

; "@=-" removes the (Default) value of the key before the key itself is deleted.
[HKEY_CLASSES_ROOT\CLSID\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}\InProcServer32]
@=-

[HKEY_CLASSES_ROOT\CLSID\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}]
@=-

[-HKEY_CLASSES_ROOT\CLSID\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}\InProcServer32]

[-HKEY_CLASSES_ROOT\CLSID\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}]
Close down all browser windows, including this one
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on fix.reg, allow to add/merge to the registry
Reboot the computer and post a fresh hijackthis log please
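The two entries singled out above were picked by eye from the HijackThis log: a BHO with a generic name loading from "C:\Program Files\BHO Plugin", and a service with no vendor whose binary is now gone. The script below is an added example for this thread, not part of the original posts and not code from HijackThis, SDFix or any other tool named here. It applies those same rules to O2 (BHO) and O23 (service) lines and, for a flagged BHO, writes the REGEDIT4 text that unregisters it, which is what the fix.reg above does by hand. SAMPLE_LOG is copied from the logs in this thread; TRUSTED_BHO_PATHS is an assumption made for this example.

```python
"""Triage of HijackThis O2/O23 lines and the .reg stanza that removes a BHO.

Added example for this forum thread; not part of the original posts and not
from HijackThis, SDFix or any other tool named here.  SAMPLE_LOG is copied
from the thread's logs; TRUSTED_BHO_PATHS is an assumption for the example.
"""
import re

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

GENERIC_BHO_NAMES = {"(no name)", "bho"}
TRUSTED_BHO_PATHS = {r"c:\progra~1\spybot~1\sdhelper.dll"}   # assumption: known-good add-ons

SAMPLE_LOG = [   # copied from the HijackThis logs in this thread
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
    r"O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)",
]


def triage(lines):
    """Return a list of findings; lines that look benign produce nothing."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            path = m["path"]
            reasons = []
            if "(file missing)" in path:
                reasons.append("BHO DLL missing")
            elif m["name"].lower() in GENERIC_BHO_NAMES and path.lower() not in TRUSTED_BHO_PATHS:
                reasons.append("generic BHO name loading from an untrusted path")
            if reasons:
                findings.append({"kind": "bho", "name": m["name"], "clsid": m["clsid"],
                                 "path": path, "severity": "high", "reasons": reasons})
            continue
        m = O23_RE.match(line)
        if m:
            reasons, severity = [], "review"
            if "(file missing)" in m["path"]:
                reasons.append("service binary missing: orphaned service key")
                severity = "high"
            if m["owner"] == "Unknown owner":
                reasons.append("no vendor information in the service binary")
            if reasons:
                findings.append({"kind": "service", "name": m["name"], "path": m["path"],
                                 "severity": severity, "reasons": reasons})
    return findings


def reg_remove_bho(clsid):
    """REGEDIT4 text that unregisters a BHO.  '[-key]' deletes the key and
    every subkey, so InProcServer32 needs no line of its own."""
    if not GUID_RE.match(clsid):   # refuse anything that could break out of the key syntax
        raise ValueError("not a CLSID: %r" % clsid)
    keys = [
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%s}" % clsid,
        r"HKEY_CLASSES_ROOT\CLSID\{%s}" % clsid,
    ]
    return "REGEDIT4\r\n\r\n" + "".join("[-%s]\r\n\r\n" % k for k in keys)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"], f["kind"], f["name"], "->", "; ".join(f["reasons"]))
        if f["kind"] == "bho":
            print(reg_remove_bho(f["clsid"]))
```

"Unknown owner" on its own is only a prompt to look closer (the ATI Smart service is flagged for review here and is legitimate); a service whose binary is "(file missing)" is the orphan left behind once the file was deleted, and that registry key is what the HijackThis O23 fix, or `sc delete "TCP and UDP Support"` from a command prompt, removes. The generated .reg text still has to be saved with "Save as type: All Files" so Notepad does not add a .txt extension.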
-
Logfile of HijackThis v1.99.1
Scan saved at 12:30:27 AM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
-
That's looking good, can I have you reboot your computer
and post one last hijackthis log please
I just want to ensure it still looks ok
Let me know how things are running again, I just like to keep informed :P
EDIT>>
Concerning this entry that was in your log
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
The creator of SDFix has just updated his tool today to help combat that entry above that appeared after we killed this file
C:\WINDOWS\system32\tcpip.exe
Can I have you run it again please with the following instructions
Delete SDFix.exe and the SDFix folder on your desktop
Re-download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop.
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
SDFix
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
1. Post a fresh Hijackthis log
2. The report from SDFix>>Report.txt in the SDFix folder
-
The computer has been running without any problem at all. Thank you SO much guestolo for your amazing help. I will highly promote this forum to all my friends. And here are the 2 reports you asked for
SDFIX
SDFix: Version 1.34
-------------------
Scan run on:
Mon 10/30/2006
Time:
09:19 PM
Microsoft Windows XP [Version 5.1.2600]
Running from: C:\Documents and Settings\Administrator\Desktop\SDFix
Stage One...
Checking Services...
Name:
-----
TCP and UDP Support
Path:
----
C:\WINDOWS\system32\tcpip.exe /winnt
TCP and UDP Support Deleted...
Repairing Registry...
Restoring Default Hosts File...
Stage One Complete
Rebooting...
Stage Two...
Checking For Malware:
--------------------
Backing Up and Removing any Files Found...
Final Check:
Services:
---------
Files:
------
Any files removed are saved to the SDFix\backups Folder
FINISHED
HJT
Logfile of HijackThis v1.99.1
Scan saved at 9:28:58 PM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
-
I think we're done here, if you can please still do the following
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Name it and click create
When that's done
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating
Select the 'More Options' tab
and click Cleanup under System Restore
This will clear all later restore points except for the one you just made
Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
Protect yourself against Future Attacks
*Install SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html) *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
*Make sure your Anti-Virus software is always kept up to date and actively running in the background
Keeping it set to Autoupdate is a good move to ensure you always have the latest available protection
Keep your Firewall software enabled
Always keep up to date with the latest High Priority updates from Windows Updates
Update and do scans with your Anti-Spyware programs on a regular basis
In addition>>Open Spybot 1.4
Click Immunization>>OK>>Immunization at the top green cross
Optionally, If you just installed the free version of AVG AntiSpyware, it will become a limited free version after 30 days of install
But will still update, scan and remove malware after that time
You can also optionally, enter AVG's INFECTION tab>>Select All>>Remove finally from your machine
You can go ahead and delete the following files
fix.reg
Avenger.exe
SDFix.exe
Vundofix.exe
Combofix.exe
C:\ComboFix.txt
C:\ComboFix2.txt
C:\ComboFix3.txt
Qoofix.zip
C:\Vundofix.txt
Delcmdservice.zip
Blbeta.exe and the log it produced
the following folders
Qoofix folder
delcmdservice-folder
SDFix folder
C:\Avenger
C:\QooBox
C:\sUBs < if found
Hold onto Hijackthis for a bit, about a week or so, if you find things are still running good
You can access your add/remove programs and remove it
then manually delete Hijackthis
If you still have Windows set to show hidden files and folders
You can do the following
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Do not Show hidden files and folders.
* Check the Hide protected operating system files (recommended) option.
* Apply and OK out of there
If you haven't run the Disk Defragmenter tool in some time
Now would be a good time, I find it best run in safe mode
This leaves minimal running on startup
Stay safe
-
I have completed all of your final steps. Thank you so much once again. I have learned a lot.
-
Glad to help, I'll lock this topic as your problems are resolved
Take care