TheTechGuide Forum
General Category => Tech Clinic => Topic started by: greazee on April 10, 2007, 07:41:08 PM
-
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Nebuler
File: C:\WINDOWS\system32\winrkp32.dll
Location: C:\WINDOWS\system32
Computer: MR-T
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tue Apr 10 11:17:22 2007
Yeah, this virus is a jerk and none of the usual tricks work... In the processes it appears as lsass but is under the username of my login name, and it proceeds to use all my CPU and crash my computer if I don't end it... HELP! Please.
-
http://www.thetechguide.com/forum/index.php?showtopic=22942
Read and post one; it speeds Guestolo's job up a little bit.
-
Logfile of HijackThis v1.99.1
Scan saved at 8:45:22 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\SEMBLY~1\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Kyle.MR-T\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4915F644-3AD1-1773-A4A2-6143B763F297} - C:\WINDOWS\system32\jnwahep.dll (file missing)
O2 - BHO: (no name) - {49C3AC11-66D5-4C25-A140-6FE33CE9F292} - C:\WINDOWS\system32\hxemkahi.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82DDC5FA-523B-289F-4508-5EF07CC83D9E} - C:\WINDOWS\system32\nmhedm.dll (file missing)
O2 - BHO: (no name) - {8FE6A545-6FD5-4772-A4A4-641342DD69CA} - C:\WINDOWS\system32\biysxso.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {d7d65006-49fe-48d3-868e-6e6f0503e481} - C:\WINDOWS\system32\dxmdos.dll (file missing)
O2 - BHO: (no name) - {F842DE1B-4B85-6571-A495-1244E6804ECE} - C:\WINDOWS\system32\amuag.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sys025717716919] C:\WINDOWS\sys025717716919.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwat.dll,startup
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ratp] "C:\Program Files\Common Files\s?curity\l?ass.exe" 99001162
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\SEMBLY~1\smss.exe" -vt ndrv
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://cdn2.zone.msn.com/binFramework/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://cdn2.zone.msn.com/binFramework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149641283812
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab53083.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.errorprotector.com/free/cab/Install-Errorprotector-Free.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dxmdos - dxmdos.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: win23sys - win23sys.dll (file missing)
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
-
bump
-
Sorry for the delay, I'm on vacation and only have time to pop in at random times.
But I should be around the next couple of days.
Since it's been a while since you posted your HijackThis log, can you repost a fresh one?
Also:
Download and unzip to your desktop InstalledPrograms.zip (http://www.billsway.com/vbspage/vbsfiles/InstalledPrograms.zip)
Double click on InstalledPrograms.vbs
Click OK at the IP prompt and click YES to view the results now
A text file will open; can you copy and paste the whole contents back here?
ALLOW this script to run if prompted by your AntiVirus
-
Yeah, I figured you were on vacation, lol. No rush; I've got it under wraps in controlling it, but I'm not sure what else it could be doing, so I will get those thingies in a minute.
Thanks for helping.
-
INSTALLED SOFTWARE (230) - MR-T - 4/19/2007 11:59:15 AM
Adobe Bridge 1.0 Ver: 001.000.004 Installed: 2/2/2007
Adobe Common File Installer Ver: 1.00.0000 Installed: 2/2/2007
Adobe Flash Player 9 ActiveX Ver: 9
Adobe Help Center 1.0 Ver: 001.000.000 Installed: 2/2/2007
Adobe Illustrator 9.0 Ver: 9.0
Adobe Photoshop CS2 Ver: 9.0
Adobe Photoshop CS2 Ver: 9.0 Installed: 2/2/2007
Adobe Reader 7.0.8 Ver: 7.0.8 Installed: 7/18/2006
Adobe Stock Photos 1.0 Ver: 1.0.8 Installed: 3/7/2007
Adobe SVG Viewer Ver: 1.0
Adobe® Photoshop® Album Starter Edition 3.0 Ver: 3.00.000 Installed: 7/18/2006
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Instant Messenger
Apple Software Update Ver: 1.1.0.3 Installed: 4/8/2007
ArcSoft PhotoImpression 4
BigFix
Browser Address Error Redirector
Camera Driver
Command & Conquer Renegade
Cowabanga by OIN
Digital Media Reader Ver: 1.13 Installed: 1/31/2006
Digital Media Reader Ver: 1.13 Installed: 1/31/2006
Disney's Toontown Online
DVD Solution
EA SPORTS online 2006
Enhanced Browser Overlay Ver: 1.0.3.9
ewido anti-spyware 4.0
HijackThis 1.99.1 Ver: 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399) Installed: 3/16/2007
Hotfix for Windows XP (KB893357) Ver: 2
Hotfix for Windows XP (KB895953) Ver: 4
Hotfix for Windows XP (KB896256) Ver: 3 Installed: 1/31/2006
Hotfix for Windows XP (KB896344) Ver: 2
Hotfix for Windows XP (KB906569) Ver: 2
Hotfix for Windows XP (KB926239) Ver: 2 Installed: 2/26/2007
InterActual Player
iPod for Windows 2006-03-23 Ver: 4.7.0 Installed: 5/6/2006
iPod for Windows 2006-03-23 Ver: 4.7.0 Installed: 5/6/2006
IrfanView (remove only)
iTunes Ver: 7.1.1.5 Installed: 4/8/2007
J2SE Runtime Environment 5.0 Update 2 Ver: 1.5.0.20 Installed: 1/31/2006
J2SE Runtime Environment 5.0 Update 6 Ver: 1.5.0.60 Installed: 5/7/2006
KODAK Pictures Now Desktop Software
LimeWire PRO 4.12.11 Ver: 4.12.11
LiveUpdate 1.7 (Symantec Corporation)
Macromedia Shockwave Player Ver: 10.1.0.11
MiaMath
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 7/26/2006
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Ver: 2.0.50727 Installed: 10/11/2006
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Compression Client Pack 1.0 for Windows XP Ver: 1 Installed: 2/26/2007
Microsoft Digital Image Library 9 - Blocker Ver: 9.00.0000
Microsoft Digital Image Starter Edition 2006 Ver: 11.0.0422
Microsoft Digital Image Starter Edition 2006 Editor Ver: 11.0.0422 Installed: 1/31/2006
Microsoft Digital Image Starter Edition 2006 Library Ver: 11.0.0422 Installed: 1/31/2006
Microsoft Internet Explorer Administration Kit 5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1 Installed: 12/6/2006
Microsoft Money 2006 Ver: 15
Microsoft Office XP Professional with FrontPage Ver: 10.0.2627.0 Installed: 2/15/2007
Microsoft Office XP Resource Kit Ver: 10.0.2627.0 Installed: 2/15/2007
Microsoft Office XP Web Components Ver: 10.0.2627.0 Installed: 2/15/2007
Microsoft Publisher 2002 Ver: 10.0.2627.01 Installed: 2/15/2007
Microsoft User-Mode Driver Framework Feature Pack 1.0 Installed: 2/26/2007
Microsoft Works Ver: 08.05.0818 Installed: 1/31/2006
Move Networks Player for Firefox Installed: 3/28/2007
Mozilla Firefox (2.0.0.3) Ver: 2.0.0.3 (en-US)
MSN
MSXML 4.0 SP2 (KB927978) Ver: 4.20.9841.0 Installed: 11/16/2006
MSXML 6.0 Parser (KB927977) Ver: 6.00.3890.0 Installed: 2/25/2007
NBA LIVE 06
Norton AntiVirus Corporate Edition Ver: 7.6.1.0000 Installed: 5/6/2006
NVIDIA Drivers
OIN Search
Outerinfo
Outerinfo
Outerinfo Ver: 5.2.99001162
Power2Go 4.0
PowerDVD
Project64 1.6 Ver: 1.6 Installed: 2/5/2007
QuickTime Ver: 7.1.5.120 Installed: 4/8/2007
RealPlayer Basic
Realtek AC'97 Audio Ver: 5.17 Installed: 1/31/2006
Recovery Software Suite eMachines Ver: 1.00.0000 Installed: 1/31/2006
Related Page
RollerCoaster Tycoon 2
Samsung ML-2010 Series
Scholastic's I SPY Treasure Hunt
Security Update for Microsoft .NET Framework 2.0 (KB917283) Ver: 1
Security Update for Microsoft .NET Framework 2.0 (KB922770) Ver: 1
Security Update for Step By Step Interactive Training (KB898458) Ver: 20050502.101010
Security Update for Windows Media Player (KB911564) Installed: 9/5/2006
Security Update for Windows Media Player 10 (KB917734) Installed: 9/8/2006
Security Update for Windows Media Player 6.4 (KB925398) Installed: 12/14/2006
Security Update for Windows XP (KB883939) Ver: 1
Security Update for Windows XP (KB890046) Ver: 1
Security Update for Windows XP (KB893756) Ver: 1
Security Update for Windows XP (KB896358) Ver: 1 Installed: 4/24/2006
Security Update for Windows XP (KB896422) Ver: 1
Security Update for Windows XP (KB896423) Ver: 1 Installed: 4/24/2006
Security Update for Windows XP (KB896424) Ver: 1 Installed: 1/31/2006
Security Update for Windows XP (KB896428) Ver: 1
Security Update for Windows XP (KB896688) Ver: 1
Security Update for Windows XP (KB899587) Ver: 1
Security Update for Windows XP (KB899588) Ver: 1
Security Update for Windows XP (KB899589) Ver: 1
Security Update for Windows XP (KB899591) Ver: 1
Security Update for Windows XP (KB900725) Ver: 1
Security Update for Windows XP (KB901017) Ver: 1
Security Update for Windows XP (KB901214) Ver: 1
Security Update for Windows XP (KB902400) Ver: 1 Installed: 4/24/2006
Security Update for Windows XP (KB903235) Ver: 1
Security Update for Windows XP (KB904706) Ver: 2 Installed: 2/1/2006
Security Update for Windows XP (KB905414) Ver: 1
Security Update for Windows XP (KB905749) Ver: 1
Security Update for Windows XP (KB905915) Ver: 1 Installed: 2/1/2006
Security Update for Windows XP (KB908519) Ver: 1 Installed: 2/1/2006
Security Update for Windows XP (KB911562) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB911567) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB911927) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB912919) Ver: 1 Installed: 2/1/2006
Security Update for Windows XP (KB913580) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB914388) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB914389) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB917159) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB917344) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB917422) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB917953) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB918118) Ver: 1 Installed: 2/15/2007
Security Update for Windows XP (KB918439) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB918899) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB919007) Ver: 1 Installed: 9/13/2006
Security Update for Windows XP (KB920213) Ver: 1 Installed: 11/16/2006
Security Update for Windows XP (KB920214) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB920670) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB920683) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB920685) Ver: 1 Installed: 9/13/2006
Security Update for Windows XP (KB921398) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB921883) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB922616) Ver: 1 Installed: 9/5/2006
Security Update for Windows XP (KB922760) Ver: 1 Installed: 11/16/2006
Security Update for Windows XP (KB922819) Ver: 1 Installed: 10/11/2006
Security Update for Windows XP (KB923191) Ver: 1 Installed: 10/11/2006
Security Update for Windows XP (KB923414) Ver: 1 Installed: 10/11/2006
Security Update for Windows XP (KB923689) Installed: 12/14/2006
Security Update for Windows XP (KB923694) Ver: 1 Installed: 12/14/2006
Security Update for Windows XP (KB923980) Ver: 1 Installed: 11/16/2006
Security Update for Windows XP (KB924191) Ver: 1 Installed: 10/11/2006
Security Update for Windows XP (KB924270) Ver: 1 Installed: 11/16/2006
Security Update for Windows XP (KB924496) Ver: 1 Installed: 10/11/2006
Security Update for Windows XP (KB924667) Ver: 1 Installed: 2/15/2007
Security Update for Windows XP (KB925454) Ver: 1 Installed: 12/14/2006
Security Update for Windows XP (KB925486) Ver: 1 Installed: 9/27/2006
Security Update for Windows XP (KB925902) Ver: 1 Installed: 4/5/2007
Security Update for Windows XP (KB926255) Ver: 1 Installed: 12/14/2006
Security Update for Windows XP (KB926436) Ver: 1 Installed: 2/15/2007
Security Update for Windows XP (KB927779) Ver: 1 Installed: 2/15/2007
Security Update for Windows XP (KB927802) Ver: 1 Installed: 2/15/2007
Security Update for Windows XP (KB928090) Ver: 1 Installed: 2/15/2007
Security Update for Windows XP (KB928255) Ver: 1 Installed: 2/15/2007
Security Update for Windows XP (KB928843) Ver: 1 Installed: 2/15/2007
Security Update for Windows XP (KB929969) Ver: 1 Installed: 1/13/2007
Security Update for Windows XP (KB930178) Ver: 1 Installed: 4/11/2007
Security Update for Windows XP (KB931261) Ver: 1 Installed: 4/11/2007
Security Update for Windows XP (KB931784) Ver: 1 Installed: 4/11/2007
Security Update for Windows XP (KB932168) Ver: 1 Installed: 4/11/2007
Shockwave Director 10.1.1
Soft Data Fax Modem with SmartCP
SwiftSwitch
TargetSaver
TeamSpeak 2 RC2 Ver: 2.0.32.60
The Sims 2
Update for Windows XP (KB894391) Ver: 1
Update for Windows XP (KB896727) Ver: 1
Update for Windows XP (KB898461) Ver: 1 Installed: 4/22/2006
Update for Windows XP (KB900485) Ver: 2 Installed: 9/5/2006
Update for Windows XP (KB908531) Ver: 2 Installed: 9/5/2006
Update for Windows XP (KB910437) Ver: 1 Installed: 2/1/2006
Update for Windows XP (KB911280) Ver: 2 Installed: 9/5/2006
Update for Windows XP (KB916595) Ver: 1 Installed: 9/5/2006
Update for Windows XP (KB920872) Ver: 1 Installed: 9/13/2006
Update for Windows XP (KB922582) Ver: 1 Installed: 9/13/2006
Update for Windows XP (KB929338) Ver: 1 Installed: 3/16/2007
Update for Windows XP (KB931836) Ver: 1 Installed: 2/15/2007
Ventrilo Client Ver: 2.3.0 Installed: 4/18/2007
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebFldrs XP Ver: 9.50.7523 Installed: 8/26/2004
Windows Backup Utility Ver: 5.1 Installed: 8/26/2004
Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0) Ver: 12/01/2006 1.2.0.0
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows Live Messenger Ver: 8.1.0178.00 Installed: 4/12/2007
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant Ver: 4.100.313.1 Installed: 2/5/2007
Windows Media Format 11 runtime
Windows Media Format 11 runtime Installed: 2/26/2007
Windows Media Player 10
Windows XP Hotfix - KB834707 Ver: 20040929.110854
Windows XP Hotfix - KB867282 Ver: 20050127.090417
Windows XP Hotfix - KB873333 Ver: 20050114.005213
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885250 Ver: 20050118.202711
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB885884 Ver: 20040924.025457
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB888113 Ver: 20041116.131036
Windows XP Hotfix - KB888239 Ver: 20041124.162528
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890047 Ver: 20041221.124506
Windows XP Hotfix - KB890175 Ver: 20041201.233338
Windows XP Hotfix - KB890859 Ver: 1
Windows XP Hotfix - KB890923 Ver: 1
Windows XP Hotfix - KB891781 Ver: 20050110.165439
Windows XP Hotfix - KB893066 Ver: 1
Windows XP Hotfix - KB893086 Ver: 1
WinRAR archiver
WinZip Ver: 10.0 (6698)
WSEM Update
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Toolbar
Zune Ver: 1.2.5511.0 Installed: 2/25/2007
µTorrent Ver: 1.6
Logfile of HijackThis v1.99.1
Scan saved at 12:00:47 PM, on 4/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\SEMBLY~1\smss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Kyle.MR-T\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {189FAA16-32D2-4673-A140-6FE33CE6FAC0} - C:\WINDOWS\system32\mxup.dll
O2 - BHO: (no name) - {4915F644-3AD1-1773-A4A2-6143B763F297} - C:\WINDOWS\system32\jnwahep.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82DDC5FA-523B-289F-4508-5EF07CC83D9E} - C:\WINDOWS\system32\nmhedm.dll (file missing)
O2 - BHO: (no name) - {8FE6A545-6FD5-4772-A4A4-641342DD69CA} - C:\WINDOWS\system32\biysxso.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {d7d65006-49fe-48d3-868e-6e6f0503e481} - C:\WINDOWS\system32\dxmdos.dll (file missing)
O2 - BHO: (no name) - {F842DE1B-4B85-6571-A495-1244E6804ECE} - C:\WINDOWS\system32\amuag.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sys025717716919] C:\WINDOWS\sys025717716919.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwat.dll,startup
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ratp] "C:\Program Files\Common Files\s?curity\l?ass.exe" 99001162
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\SEMBLY~1\smss.exe" -vt ndrv
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://cdn2.zone.msn.com/binFramework/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://cdn2.zone.msn.com/binFramework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149641283812
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab53083.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.errorprotector.com/free/cab/Install-Errorprotector-Free.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dxmdos - dxmdos.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: win23sys - win23sys.dll (file missing)
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
-
Can you do the following
Download this Uninstaller (http://www.outerinfo.com/OiUninstaller.exe) to your desktop, we'll need it in a bit
Access your add/remove programs and remove all the following if you can
Remove older versions of Java, they are out of date, close down your browser windows before removal of Java
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Continue removing the following from add/remove
Enhanced Browser Overlay
Related Page
TargetSaver
WSEM Update
Remove what you can from the above 4 entries, carry on if something won't uninstall
I suggest that you also remove entries related to Viewpoint, typically installed unknowingly
This includes
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Finally, remove the following
Cowabanga by OIN
OIN Search
Outerinfo
Again, remove what you can from the above, carry on if you have trouble
Afterwards, run the uninstaller you saved earlier on desktop
Follow all the prompts
Reboot the computer afterwards
Back in Windows
Do a "System scan only" with HijackThis and put a check next to these entries:
Not all may be found, but tick what you see from the below list
O2 - BHO: (no name) - {4915F644-3AD1-1773-A4A2-6143B763F297} - C:\WINDOWS\system32\jnwahep.dll (file missing)
O2 - BHO: (no name) - {49C3AC11-66D5-4C25-A140-6FE33CE9F292} - C:\WINDOWS\system32\hxemkahi.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82DDC5FA-523B-289F-4508-5EF07CC83D9E} - C:\WINDOWS\system32\nmhedm.dll (file missing)
O2 - BHO: (no name) - {8FE6A545-6FD5-4772-A4A4-641342DD69CA} - C:\WINDOWS\system32\biysxso.dll (file missing)
O2 - BHO: (no name) - {d7d65006-49fe-48d3-868e-6e6f0503e481} - C:\WINDOWS\system32\dxmdos.dll (file missing)
O2 - BHO: (no name) - {F842DE1B-4B85-6571-A495-1244E6804ECE} - C:\WINDOWS\system32\amuag.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [sys025717716919] C:\WINDOWS\sys025717716919.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwat.dll,startup
O4 - HKCU\..\Run: [Ratp] "C:\Program Files\Common Files\s?curity\l?ass.exe" 99001162
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\SEMBLY~1\smss.exe" -vt ndrv
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.errorprotector.com/free/cab/Ins...tector-Free.cab
O20 - Winlogon Notify: dxmdos - dxmdos.dll (file missing)
O20 - Winlogon Notify: win23sys - win23sys.dll (file missing)
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
After you have ticked the above entries, close All other open windows
Including this one
Leave HijackThis open and click FIX CHECKED
OK the prompt and exit HijackThis
I assume that you are running the free version of Ewido; can we update it and run a scan?
Access your add/remove programs again and remove
ewido anti-spyware 4.0
Reboot the computer afterwards
Back in Windows
Let's update your version of Java
- Download the latest version of Java(tm) SE Runtime Environment 6 Update 1 (http://java.sun.com/javase/downloads/index.jsp).
- Scroll down to where it says "Java Runtime Environment (JRE) 6u1, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop (13.16 MB).
- Double click on the installer on desktop and follow the prompts to install
Download AVG Anti-Spyware 7.5 (http://www.ewido.net/en/download/) (Ewido)
- Save the installer to desktop
- Double click the installer, select your language, and then select "OK"
- Click NEXT>>>Select I Agree>>>NEXT>>>INSTALL
- AVG will now install and afterwards click FINISH
- AVG Anti-Spyware 7.5 should now Load
- Click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner tab at the top
- Click the "Settings" tab and then change the recommended action under "How to Act" to Quarantine and ensure that "Automatically generate report after every scan" IS selected and "Only if Threats are found" IS NOT selected
CLOSE AVG-Antispyware for now, as we will need it later
An AVG icon will be placed in your system tray next to your clock, can you right-click on it and uncheck "Resident Shield", "Automatic updates" and "Start with Windows"
Reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
Load AVG Anti-Spyware 7.5
- Click on the Scanner tab at the top
- Click on Complete System Scan.
This scan can take a while to run, let it run uninterrupted
- When the scan is complete it will list any infections found on the left hand side.
- Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file (like on the Desktop).
I will need to see this log later
Restart the computer back to Normal windows
One more tool
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
I need to see all of the following back here
1. Post the log from Combofix
2. Post the report you saved earlier from AVG-Antispyware
3. Post a fresh hijackthis log
If it takes more than one reply to post all the info, please do so
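The entries ticked above share a few traits that can be checked mechanically: unnamed BHOs whose file is missing, Run keys that launch a system binary's name from outside the system directory or contain a character HijackThis could not render, Trusted Zone additions under HKLM, and Winlogon Notify packages that are missing or unknown. The Python below is an added example (not part of this thread and not HijackThis code) that parses those sections and flags them over a constructed sample copied from the log above; the SYSTEM_BINARIES and KNOWN_NOTIFY_DLLS lists are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Core Windows binaries that only ever run from the system directory; a Run key
# launching one of these names from anywhere else is masquerading. (Assumed list.)
SYSTEM_BINARIES = {"smss.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "svchost.exe", "wuauclt.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

# Winlogon Notify DLLs known to be legitimate on this box. Assumed allowlist for
# the example; in practice build it from a clean reference machine.
KNOWN_NOTIFY_DLLS = {"navlogon.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+) \((?P<hive>HK\w+)\)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")

Finding = Tuple[str, str, str]  # (section, subject, reason)

# Constructed sample: a handful of entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4915F644-3AD1-1773-A4A2-6143B763F297} - C:\WINDOWS\system32\jnwahep.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F842DE1B-4B85-6571-A495-1244E6804ECE} - C:\WINDOWS\system32\amuag.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Ratp] "C:\Program Files\Common Files\s?curity\l?ass.exe" 99001162
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\SEMBLY~1\smss.exe" -vt ndrv
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: dxmdos - dxmdos.dll (file missing)
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
"""


def image_path(cmd: str) -> str:
    """Return the executable launched by an O4 command line.

    HijackThis prints unquoted paths with spaces, so splitting on whitespace
    is wrong; take everything up to the first '.exe' instead.
    """
    m = re.match(r'"?(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(lines: List[str]) -> List[Finding]:
    """Flag HijackThis O2/O4/O15/O20 entries that match the patterns above."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if m := O2_RE.match(line):
            # An unnamed BHO, especially one with no file behind it, is dropper residue.
            if m["name"] == "(no name)":
                why = "unnamed BHO"
                if "(file missing)" in m["path"] or m["path"] == "(no file)":
                    why += ", file missing"
                findings.append(("O2", m["clsid"], why))
        elif m := O4_RE.match(line):
            exe = image_path(m["cmd"])
            low = exe.lower()
            base = low.rsplit("\\", 1)[-1]
            if "?" in exe:
                # HijackThis prints '?' for a character it cannot render, typically a
                # non-ASCII lookalike chosen so the name resembles a system file.
                findings.append(("O4", m["key"], f"unrenderable character in {exe}"))
            elif base in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
                findings.append(("O4", m["key"],
                                 f"system binary name outside system dir: {exe}"))
        elif m := O15_RE.match(line):
            # Sites added to the Trusted Zone bypass IE's default restrictions.
            findings.append(("O15", m["url"], f"trusted zone entry ({m['hive']})"))
        elif m := O20_RE.match(line):
            dll = m["dll"].lower().rsplit("\\", 1)[-1]
            if "(file missing)" in dll:
                findings.append(("O20", m["key"], "Winlogon Notify package with missing DLL"))
            elif dll not in KNOWN_NOTIFY_DLLS:
                findings.append(("O20", m["key"], f"unknown Winlogon Notify DLL {m['dll']}"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{section:4} {subject:45} {reason}")
```

Run as is, it reports the same eight entries the helper ticked from these sections; the Adobe BHO, the PowerDVD and SoundMan Run keys and NavLogon pass through unflagged.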
-
ok sorry I procrastinated a bit (a lot) with this, I was able to get all those things uninstalled
however I can't seem to install the uninstaller, it keeps saying I'm uninstalling it and that it's been removed and stuff....
EDIT: wait, I think I misunderstood how that works lol, I'll keep on going with the instructions
ok I did all that and I think my virus had babies cuz I got a new one just tonight (strangely enough it showed up right after everlasting death hacked the ACP on runecore.... but that's beyond any point)
its name in the processes is WLLoginProxy.exe, and there is this other program that was installed called APDproxy, and I did the uninstall through add/remove programs and yet it still shows up... any help with that would be helpful and I will post a HijackThis log thing once I'm done with your instructions above.
-
ok here we go, I got the ComboFix log, but after 4 hours of scanning the AVG didn't log it even though I set it so it would... if you need I could scan it again and get a new one but not sure if that would do anything
anyway here is the ComboFix
ComboFix 07-06-18.2 - C:\Documents and Settings\Kyle.MR-T\Desktop\ComboFix.exe
"Kyle" - 2007-06-19 13:11:29 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\crosof~1.net
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\curity~1
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\icroso~1.net
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\macromedia\Flash Player\#SharedObjects\SC9UCULY\www.broadcaster.com
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\mcroso~1
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\racle~1
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\racle~2
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\sembly~1
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\sstem3~1
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\wnsxs~1
C:\DOCUME~1\KYLE~1.MR-\APPLIC~1.\ymante~1
C:\DOCUME~1\KYLE~1.MR-\MYDOCU~1.\asembl~1
C:\DOCUME~1\KYLE~1.MR-\MYDOCU~1.\dobe~1
C:\DOCUME~1\KYLE~1.MR-\MYDOCU~1.\fnts~1
C:\DOCUME~1\KYLE~1.MR-\MYDOCU~1.\icroso~1.net
C:\DOCUME~1\KYLE~1.MR-\MYDOCU~1.\scurit~1
C:\DOCUME~1\KYLE~1.MR-\MYDOCU~1.\sembly~1
C:\DOCUME~1\KYLE~1.MR-\MYDOCU~1.\ssembl~1
C:\DOCUME~1\KYLE~1.MR-\MYDOCU~1.\ymbols~1
C:\Program Files\asks~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\sstem3~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ystem~1
C:\Program Files\cowabanga
C:\Program Files\cowabanga\License.txt
C:\Program Files\crosof~1
C:\Program Files\curity~1
C:\Program Files\dobe~1
C:\Program Files\fnts~1
C:\Program Files\popupwithcast
C:\Program Files\popupwithcast\CastGen\h44ffe5ed29.dat
C:\Program Files\popupwithcast\CastGen\Owner\f44ffea9d4d06.dat
C:\Program Files\popupwithcast\CastGen\Stephanie\f44ffea9d4d06.dat
C:\Program Files\popupwithcast\CastGen\u44ffe5f04ae1.dat
C:\Program Files\popupwithcast\CastStat\cast.dat
C:\Program Files\popupwithcast\CastSys\log.txt
C:\Program Files\popupwithcast\cload.dat
C:\Program Files\popupwithcast\cp.dat
C:\Program Files\popupwithcast\csys.dat
C:\Program Files\racle~1
C:\Program Files\racle~2
C:\Program Files\sembly~1
C:\Program Files\sks~1
C:\Program Files\smante~1
C:\Program Files\sstem3~1
C:\Program Files\stem~1
C:\Program Files\stem32~1
C:\Program Files\wnsxs~1
C:\Program Files\ystem3~1
C:\WINDOWS\appatc~1
C:\WINDOWS\asembl~1
C:\WINDOWS\asks~1
C:\WINDOWS\dobe~1
C:\WINDOWS\ecurit~1
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~2
C:\WINDOWS\icroso~1
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\mantec~1
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\ppatch~1
C:\WINDOWS\pppatc~1
C:\WINDOWS\racle~1
C:\WINDOWS\smbols~1
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\asks~2
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mcroso~1.net
C:\WINDOWS\system32\mcroso~1.net\w?auclt.exe
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\stem~1
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\Uninst2.htm
C:\WINDOWS\Unist1.htm
C:\WINDOWS\ystem~1
((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))
2007-06-19 13:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-19 03:35 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-09 03:28 <DIR> d-------- C:\Program Files\Full Tilt Poker
2007-06-09 03:14 <DIR> d-------- C:\Program Files\PokerStars
2007-06-03 23:39 <DIR> d-------- C:\DOCUME~1\KYLE~1.MR-\APPLIC~1\Winamp
2007-05-31 11:28 <DIR> d-------- C:\Program Files\Winamp
2007-05-31 11:28 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\Winamp
2007-05-30 15:40 <DIR> d-------- C:\DOCUME~1\KYLE~1.MR-\APPLIC~1\Google
2007-05-24 17:15 <DIR> d-------- C:\DOCUME~1\Jenny\APPLIC~1\Leadertech
2007-05-24 17:15 <DIR> d-------- C:\DOCUME~1\Jenny\APPLIC~1\AdobeAUM
2007-05-24 12:35 <DIR> d-------- C:\Program Files\Bonjour
2007-05-24 12:19 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-19 08:42:59 -------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-06-19 07:57:22 -------- d-----w C:\Program Files\Viewpoint
2007-06-19 06:29:58 -------- d-----w C:\Program Files\Folder Lock
2007-06-18 20:24:41 -------- d-----w C:\Program Files\Trillian
2007-06-18 06:08:42 -------- d-----w C:\Program Files\SwiftSwitch
2007-06-18 02:55:22 -------- d-----w C:\Program Files\EA SPORTS
2007-06-18 02:54:45 -------- d-----w C:\Program Files\eMule
2007-06-18 02:52:30 -------- d-----w C:\Program Files\SatelliteTVforPC
2007-06-18 02:52:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-18 02:51:40 -------- d-----w C:\Program Files\Project64 1.6
2007-06-14 00:40:24 -------- d-----w C:\Program Files\iPod
2007-06-14 00:39:22 -------- d-----w C:\Program Files\LimeWire
2007-06-14 00:37:16 -------- d-----w C:\Program Files\Yahoo!
2007-06-14 00:34:40 -------- d-----w C:\Program Files\AIM
2007-06-12 21:35:50 -------- d-----w C:\DOCUME~1\KYLE~1.MR-\APPLIC~1\LimeWire
2007-05-30 20:40:15 -------- d-----w C:\Program Files\Google
2007-05-24 14:55:53 -------- d-----w C:\DOCUME~1\KYLE~1.MR-\APPLIC~1\uTorrent
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-04 02:43:43 -------- d-----w C:\DOCUME~1\KYLE~1.MR-\APPLIC~1\Ventrilo
2007-05-04 00:46:40 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-29 14:46:27 -------- d-----w C:\Program Files\MoparScape
2007-04-26 03:47:16 -------- d-----w C:\DOCUME~1\KYLE~1.MR-\APPLIC~1\DivX
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-25 00:23:13 -------- d-----w C:\DOCUME~1\KYLE~1.MR-\APPLIC~1\CyberLink
2007-04-23 13:48:35 -------- d-----w C:\Program Files\DivX
2007-04-23 02:28:49 4,413 ----a-w C:\WINDOWS\mozver.dat
2007-04-20 04:54:41 -------- d-----w C:\DOCUME~1\KYLE~1.MR-\APPLIC~1\Opera
2007-04-20 01:10:40 35,363 ----a-w C:\WINDOWS\system32\windrvNT.sys
2007-04-19 02:40:26 -------- d-----w C:\Program Files\Ventrilo
2007-04-19 02:38:26 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
2007-03-22 01:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-22 01:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-22 01:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:29]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}=c:\windows\system32\BAE.dll [2006-02-01 06:54]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2005-09-18 11:32 C:\WINDOWS\system32\nwiz.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-12-05 11:53]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-12-12 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbef03f5-9bec-11da-9785-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
Contents of the 'Scheduled Tasks' folder
2007-06-07 18:35:20 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-04-15 01:33:10 C:\WINDOWS\tasks\ISP signup reminder 2.job
2006-04-15 01:33:10 C:\WINDOWS\tasks\ISP signup reminder 3.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 13:18:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
**************************************************************************
Completion time: 2007-06-19 13:19:39
C:\ComboFix-quarantined-files.txt ... 2007-06-19 13:19
--- E O F ---
Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 1:24:34 PM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\KYLE~1.MR-\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://cdn2.zone.msn.com/binFramework/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://cdn2.zone.msn.com/binFramework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149641283812
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab53083.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
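A quick triage pass over HijackThis log lines like the ones above, added here as an example and not part of HijackThis or the thread. It flags orphaned entries ("(no file)" / "(file missing)"), services with an unknown owner, unattributed Winsock LSPs, and O16 ActiveX downloads from hosts outside an allowlist; that allowlist (TRUSTED_DPF_HOSTS) and the sample lines are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Added triage helper for HijackThis v1.99 log lines; not a HijackThis feature.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Hosts from which an O16 (ActiveX download) entry is treated as expected here.
# This allowlist is an assumption of the example, not a HijackThis setting.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. O16
    reason: str  # why the line deserves a second look
    line: str    # the raw log line


def _host_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(line: str) -> list[Finding]:
    """Apply simple defender-side heuristics to one HijackThis log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # header, process list or blank line: nothing to score
    code, body = m.group("code"), m.group("body")
    findings = []
    # Orphaned entry: a registry key still points at a file that is gone,
    # which is typical after an incomplete removal and worth cleaning up.
    if "(no file)" in body or "(file missing)" in body:
        findings.append(Finding(code, "points at a missing file", line))
    # Service binary that carries no recognised publisher.
    if code == "O23" and "Unknown owner" in body:
        findings.append(Finding(code, "service with unknown owner", line))
    # Winsock LSP that HijackThis could not attribute to a known product.
    if code == "O10" and body.startswith("Unknown file in Winsock LSP"):
        findings.append(Finding(code, "unrecognised Winsock LSP", line))
    # ActiveX control downloaded from outside the trusted hosts.
    if code == "O16":
        url_m = re.search(r" - (\S+)$", body)
        if url_m and not _host_trusted(url_m.group(1)):
            findings.append(Finding(code, "ActiveX download from untrusted host", line))
    return findings


def triage_log(text: str) -> list[Finding]:
    return [f for line in text.splitlines() for f in triage(line)]


# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O10 - Unknown file in Winsock LSP: c:\\program files\\bonjour\\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149641283812
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O23 - Service: iPod Service - Unknown owner - C:\\Program Files\\iPod\\bin\\iPodService.exe (file missing)
"""
```

Running `triage_log(SAMPLE_LOG)` yields five findings: the orphaned R3 hook, the Bonjour LSP, the Toontown control, and two for the iPod service (missing file and unknown owner); the Windows Update control is not flagged because its host is on the allowlist.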
-
I forgot all about this thread, may have been the response time since I posted instructions
How are things running on your end now?
-
virus is gone now, computer is running much better
only thing is this apdproxy thing that I can't figure out how to get rid of, as well as this WLlogin.exe thing
-
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Back in Windows
Post a fresh hijackthis log, after the fresh log, close Hijackthis
then Reopen it
Do the following please
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
Also, explain more clearly what you mean by this
only thing is this apdproxy thing that I can't figure out how to get rid of, as well as this WLlogin.exe thing
-
well the apdproxy would be solved once I do that
but I went to a site that apparently had a keylogger, and every once in a while when I look in Processes I see an application called WLlogin.exe. I haven't seen it in a while, maybe it was gotten rid of with a previous scan.
-
Are you talking about
WLLoginProxy.exe??
This is related to the following
Microsoft® Windows Live Login Helper
Installed from an MSN Messenger update more likely
You can see in the uninstall list you posted earlier, you have the following installed
Windows Live Sign-in Assistant
Do you need it installed or not? I'm not sure what benefits it supplies as I don't use it
-
oh, well I didn't get that until after I visited a site that was keylogged so I was nervous about it... plus it was lagging my computer but I don't have Windows Live so it shouldn't bug me anymore
thank you a TON for all your help
-
Again, sorry for the delay
If you have no further problems, I suggest that you do the following
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name and click Create
When that's done
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating
Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made
Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html) *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
I Hope that helps