Author Topic: Possible Adware.look2me or other worms infection (Read 1075 times)

sroza · « **on:** September 24, 2006, 09:55:12 AM »

Hi there... My computer started to have pop-ups and became slower when i left it to download two days ago. I have run Ad-aware, trend micro housecall, norman antivirus but none of them manage to remove the adware. I've read the other forums but decided not to follow those instructions in case the infection is different and i end up destroying my computer

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' /> . Please help me... I will really appreciate it! Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:16:37 PM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\nwnmff_e11.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\dfndrff_e11.exe
C:\kybrdff_e11.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-pc.asia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsu-pc-asia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e11.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e11.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-pc.asia.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\i060lajm1doa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

guestolo · « **Reply #1 on:** September 24, 2006, 10:02:06 AM »

==Download and save [color=\"red\"]Brute Force Uninstaller[/color][/b] to the desktop

Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to, click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

[color=\"red\"]RIGHT-CLICK HERE[/color][/b] and choose "Save As" (in IE it's "Save Target As") in order to download [color=\"red\"]Alcan worm remover[/color].
Save it then transfer to the
same folder you made earlier (c:\BFU).

==Download this file - Combofix.exe and save it too desktop
Don't run this yet

==Go to Start > My Computer and navigate to the C:\BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe
Put a check in Show log after script ends
Next to the scriptline to execute field click the folder icon and select alcanshorty.bfu
Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Click the Save button to save the log, save it in the same folder as BFU.exe
Ensure to name it with a .txt extension>>Such as Report.txt
Press exit to terminate the BFU program.

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Can you post the log from combofix as well as a fresh hijackthis log please

scaminisbadd · « **Reply #2 on:** September 24, 2006, 11:23:39 AM »

REMOVED
What are you doing Scamminisbad

sroza · « **Reply #3 on:** September 24, 2006, 04:20:35 PM »

This is the fresh hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 10:16:39 PM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-pc.asia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsu-pc-asia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e11.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e11.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-pc.asia.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

and this is the combofix log

Shanty - 06-09-24 22:10:55.47 Service Pack 2
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\Shanty\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{4FC62BD9-9AAD-4CFB-81DC-F8724522404D}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{4FC62BD9-9AAD-4CFB-81DC-F8724522404D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FC62BD9-9AAD-4CFB-81DC-F8724522404D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FC62BD9-9AAD-4CFB-81DC-F8724522404D}\InprocServer32]
@="C:\\WINDOWS\\system32\\ripcfgex.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{4751AA5C-178F-4474-8623-C8C207BCEEBB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4751AA5C-178F-4474-8623-C8C207BCEEBB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4751AA5C-178F-4474-8623-C8C207BCEEBB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4751AA5C-178F-4474-8623-C8C207BCEEBB}\InprocServer32]
@="C:\\WINDOWS\\system32\\kudsp.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BB0FE80B-50FD-4933-A512-A9D131224144}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BB0FE80B-50FD-4933-A512-A9D131224144}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BB0FE80B-50FD-4933-A512-A9D131224144}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BB0FE80B-50FD-4933-A512-A9D131224144}\InprocServer32]
@="C:\\WINDOWS\\system32\\rIsdlg.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{80B6E47F-B589-4603-85C8-77D07FDBAB19}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80B6E47F-B589-4603-85C8-77D07FDBAB19}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80B6E47F-B589-4603-85C8-77D07FDBAB19}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80B6E47F-B589-4603-85C8-77D07FDBAB19}\InprocServer32]
@="C:\\WINDOWS\\system32\\bjowselc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{73A98BF7-EAC3-4729-805E-CDA9660616A7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73A98BF7-EAC3-4729-805E-CDA9660616A7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73A98BF7-EAC3-4729-805E-CDA9660616A7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73A98BF7-EAC3-4729-805E-CDA9660616A7}\InprocServer32]
@="C:\\WINDOWS\\system32\\uarsvpia.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{29C378CD-CE4A-4BB2-925D-AE5C4F1758EF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{29C378CD-CE4A-4BB2-925D-AE5C4F1758EF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{29C378CD-CE4A-4BB2-925D-AE5C4F1758EF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{29C378CD-CE4A-4BB2-925D-AE5C4F1758EF}\InprocServer32]
@="C:\\WINDOWS\\system32\\iWlmdnt5.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:

C:\WINDOWS\system32\i060lajm1doa.dll
C:\WINDOWS\system32\en84l1lq1.dll
C:\WINDOWS\system32\hr0s05d7e.dll
C:\WINDOWS\system32\o2pq0c75ef.dll
C:\WINDOWS\system32\iWlmdnt5.dll

Granting sedebugprivilege to Administrators ... successful

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Shanty\Application Data\Dxcknwrd.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\teller2.chk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar

((((((((((((((((((((((((((((((( Files Created from 2006-08-24 to 2006-09-24 ))))))))))))))))))))))))))))))))))

2006-09-21   16:16   1,233   --a------   C:\WINDOWS\system32\sqgb40de.sys
2006-09-21   16:14   32,768   --a------   C:\DXC1205b.exe
2006-09-12   20:59   5,632   --a------   C:\WINDOWS\system32\CNMVS3w.DLL
2006-09-12   20:54   97,280   ---------   C:\WINDOWS\system32\CNMLM3w.DLL
2006-09-12   20:54   36,864   --a------   C:\WINDOWS\system32\CNMCP3W.EXE
2006-09-11   22:22   11,776   ---------   C:\WINDOWS\system32\spnpinst.exe
2006-09-02   07:43   614,912   --a------   C:\WINDOWS\system32\h323msp.dll
2006-09-02   07:43   331,264   --a------   C:\WINDOWS\system32\ipnathlp.dll
2006-09-02   07:43   26,112   --a------   C:\WINDOWS\system32\xpsp1hfm.exe
2006-09-02   07:33   947,472   --a------   C:\WINDOWS\system32\msjava.dll
2006-09-02   07:33   63,248   --a------   C:\WINDOWS\system32\javaprxy.dll
2006-09-02   07:33   49,424   --a------   C:\WINDOWS\system32\clspack.exe
2006-09-02   07:33   46,352   --a------   C:\WINDOWS\setdebug.exe
2006-09-02   07:33   404,752   --a------   C:\WINDOWS\system32\javart.dll
2006-09-02   07:33   313,856   --a------   C:\WINDOWS\system32\dx3j.dll
2006-09-02   07:33   286,992   --a------   C:\WINDOWS\system32\vmhelper.dll
2006-09-02   07:33   21,264   --a------   C:\WINDOWS\system32\msjdbc10.dll
2006-09-02   07:33   187,152   --a------   C:\WINDOWS\system32\javacypt.dll
2006-09-02   07:33   172,304   --a------   C:\WINDOWS\system32\jview.exe
2006-09-02   07:33   171,792   --a------   C:\WINDOWS\system32\wjview.exe
2006-09-02   07:33   171,280   --a------   C:\WINDOWS\system32\jit.dll
2006-09-02   07:33   154,384   --a------   C:\WINDOWS\system32\msawt.dll
2006-09-02   07:33   15,120   --a------   C:\WINDOWS\system32\jdbgmgr.exe
2006-09-02   07:33   139,536   --a------   C:\WINDOWS\system32\javaee.dll
2006-09-02   07:33   113   --a------   C:\WINDOWS\system32\zonedon.reg
2006-09-02   07:33   113   --a------   C:\WINDOWS\system32\zonedoff.reg
2006-08-30   21:45   2,560   --a------   C:\WINDOWS\_MSRSTRT.EXE
2006-08-30   19:55   62,744   --a------   C:\WINDOWS\system32\xinput1_2.dll
2006-08-30   19:55   236,824   --a------   C:\WINDOWS\system32\xactengine2_3.dll
2006-08-30   19:55   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2006-08-30   19:54   83,456   --a------   C:\WINDOWS\system32\dpvsetup.exe
2006-08-30   19:54   825,344   --a------   C:\WINDOWS\system32\d3dim700.dll
2006-08-30   19:54   82,432   --a------   C:\WINDOWS\system32\dmscript.dll
2006-08-30   19:54   8,192   --a------   C:\WINDOWS\system32\d3d8thk.dll
2006-08-30   19:54   733,696   --a------   C:\WINDOWS\system32\qedwipes.dll
2006-08-30   19:54   71,680   --a------   C:\WINDOWS\system32\dsdmoprp.dll
2006-08-30   19:54   70,656   --a------   C:\WINDOWS\system32\amstream.dll
2006-08-30   19:54   63,768   --a------   C:\WINDOWS\system32\dxdllreg.exe
2006-08-30   19:54   619,008   --a------   C:\WINDOWS\system32\dx7vb.dll
2006-08-30   19:54   61,440   --a------   C:\WINDOWS\system32\dmcompos.dll
2006-08-30   19:54   60,928   --a------   C:\WINDOWS\system32\dpnhupnp.dll
2006-08-30   19:54   59,904   --a------   C:\WINDOWS\system32\devenum.dll
2006-08-30   19:54   57,344   --a------   C:\WINDOWS\system32\dpwsockx.dll
2006-08-30   19:54   562,176   --a------   C:\WINDOWS\system32\qedit.dll
2006-08-30   19:54   50,688   --a------   C:\WINDOWS\system32\wstdecod.dll
2006-08-30   19:54   4,096   --a------   C:\WINDOWS\system32\ksuser.dll
2006-08-30   19:54   385,024   --a------   C:\WINDOWS\system32\qdvd.dll
2006-08-30   19:54   375,296   --a------   C:\WINDOWS\system32\dpnet.dll
2006-08-30   19:54   367,616   --a------   C:\WINDOWS\system32\dsound.dll
2006-08-30   19:54   363,520   --a------   C:\WINDOWS\system32\psisdecd.dll
2006-08-30   19:54   35,840   --a------   C:\WINDOWS\system32\dmloader.dll
2006-08-30   19:54   35,328   --a------   C:\WINDOWS\system32\mciqtz32.dll
2006-08-30   19:54   35,328   --a------   C:\WINDOWS\system32\dpnhpast.dll
2006-08-30   19:54   30,208   --a------   C:\WINDOWS\system32\dplaysvr.exe
2006-08-30   19:54   3,584   --a------   C:\WINDOWS\system32\dpnlobby.dll
2006-08-30   19:54   3,584   --a------   C:\WINDOWS\system32\dpnaddr.dll
2006-08-30   19:54   28,672   --a------   C:\WINDOWS\system32\dmband.dll
2006-08-30   19:54   279,040   --a------   C:\WINDOWS\system32\qdv.dll
2006-08-30   19:54   27,136   --a------   C:\WINDOWS\system32\ddrawex.dll
2006-08-30   19:54   266,240   --a------   C:\WINDOWS\system32\ddraw.dll
2006-08-30   19:54   237,568   --a------   C:\WINDOWS\system32\qasf.dll
2006-08-30   19:54   23,552   --a------   C:\WINDOWS\system32\dpmodemx.dll
2006-08-30   19:54   229,888   --a------   C:\WINDOWS\system32\dplayx.dll
2006-08-30   19:54   212,480   --a------   C:\WINDOWS\system32\dpvoice.dll
2006-08-30   19:54   21,504   --a------   C:\WINDOWS\system32\dpvacm.dll
2006-08-30   19:54   204,288   --a------   C:\WINDOWS\system32\mswebdvd.dll
2006-08-30   19:54   20,480   --a------   C:\WINDOWS\system32\encapi.dll
2006-08-30   19:54   2,113,536   --a------   C:\WINDOWS\system32\dxdiagn.dll
2006-08-30   19:54   192,512   --a------   C:\WINDOWS\system32\qcap.dll
2006-08-30   19:54   19,456   --a------   C:\WINDOWS\system32\dswave.dll
2006-08-30   19:54   181,760   --a------   C:\WINDOWS\system32\dsdmo.dll
2006-08-30   19:54   181,248   --a------   C:\WINDOWS\system32\dmime.dll
2006-08-30   19:54   18,432   --a------   C:\WINDOWS\system32\dpnsvr.exe
2006-08-30   19:54   17,408   --a------   C:\WINDOWS\system32\msyuv.dll
2006-08-30   19:54   14,336   --a------   C:\WINDOWS\system32\msdmo.dll
2006-08-30   19:54   116,736   --a------   C:\WINDOWS\system32\dpvvox.dll
2006-08-30   19:54   105,984   --a------   C:\WINDOWS\system32\dmstyle.dll
2006-08-30   19:54   104,448   --a------   C:\WINDOWS\system32\dmusic.dll
2006-08-30   19:54   103,424   --a------   C:\WINDOWS\system32\dmsynth.dll
2006-08-30   19:54   1,689,088   --a------   C:\WINDOWS\system32\d3d9.dll
2006-08-30   19:54   1,428,480   --a------   C:\WINDOWS\system32\msvidctl.dll
2006-08-30   19:54   1,298,432   --a------   C:\WINDOWS\system32\dxdiag.exe
2006-08-30   19:54   1,294,336   --a------   C:\WINDOWS\system32\dsound3d.dll
2006-08-30   19:54   1,227,264   --a------   C:\WINDOWS\system32\dx8vb.dll
2006-08-30   19:54   1,179,648   --a------   C:\WINDOWS\system32\d3d8.dll
2006-08-30   19:30   1,082,368   --a------   C:\WINDOWS\system32\esent.dll
2006-08-30   18:54   22,752   --a------   C:\WINDOWS\system32\spupdsvc.exe
2006-08-30   18:20   8,192   ---------   C:\WINDOWS\system32\bitsprx2.dll
2006-08-30   18:20   7,168   ---------   C:\WINDOWS\system32\bitsprx3.dll
2006-08-30   18:20   351,232   --a------   C:\WINDOWS\system32\winhttp.dll
2006-08-30   18:20   18,944   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2006-08-30   18:13   465,176   --a------   C:\WINDOWS\system32\wuapi.dll
2006-08-30   18:13   41,240   --a------   C:\WINDOWS\system32\wups.dll
2006-08-30   18:13   194,328   --a------   C:\WINDOWS\system32\wuaueng1.dll
2006-08-30   18:13   173,536   --a------   C:\WINDOWS\system32\wuweb.dll
2006-08-30   18:13   172,312   --a------   C:\WINDOWS\system32\wuauclt1.exe
2006-08-30   18:13   127,256   --a------   C:\WINDOWS\system32\wucltui.dll
2006-08-29   23:13   109,568   ---------   C:\WINDOWS\system32\pxinsi64.exe
2006-08-29   23:13   108,544   ---------   C:\WINDOWS\system32\pxcpyi64.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-24 15:45   --------   d--------   C:\Program Files\Common Files\ODBC
2006-09-22 08:42   --------   d--------   C:\Program Files\Qtn
2006-09-22 08:42   --------   d--------   C:\Program Files\Nse
2006-09-22 08:41   --------   d--------   C:\Program Files\config
2006-09-22 08:40   --------   d--------   C:\Program Files\bin
2006-09-22 08:37   --------   d--------   C:\Program Files\Temp
2006-09-22 08:37   --------   d--------   C:\Program Files\NVC
2006-09-22 08:37   --------   d--------   C:\Program Files\Logs
2006-09-22 00:30   --------   d--------   C:\Program Files\PrintView
2006-09-21 18:08   --------   d--------   C:\Program Files\SoftwareRevenue.org
2006-09-21 18:08   --------   d--------   C:\Program Files\Google Toolbar
2006-09-19 22:09   --------   d--------   C:\Documents and Settings\Shanty\Application Data\vlc
2006-09-19 22:00   --------   d--------   C:\Program Files\VideoLAN
2006-09-19 20:58   --------   d--------   C:\Program Files\WinRAR
2006-09-16 22:06   --------   d--------   C:\Documents and Settings\Shanty\Application Data\uTorrent
2006-09-16 21:12   --------   d--------   C:\Program Files\MSN Messenger
2006-09-12 20:51   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Gtek
2006-09-10 18:37   --------   d--------   C:\Program Files\Skype
2006-09-10 18:37   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Skype
2006-09-04 21:12   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Google
2006-09-04 19:39   --------   d--------   C:\Documents and Settings\Shanty\Application Data\AdobeUM
2006-09-01 00:55   875   --a------   C:\Documents and Settings\Shanty\Application Data\AdobeDLM.log
2006-09-01 00:55   0   --a------   C:\Documents and Settings\Shanty\Application Data\dm.ini
2006-09-01 00:55   --------   d--------   C:\Program Files\Adobe
2006-09-01 00:52   --------   d--------   C:\Program Files\Common Files\Adobe
2006-09-01 00:52   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Adobe
2006-08-30 21:49   --------   d--------   C:\Program Files\MyGlobalSearch
2006-08-30 21:45   2560   --a------   C:\WINDOWS\_MSRSTRT.EXE
2006-08-30 21:36   --------   d--------   C:\Documents and Settings\Shanty\Application Data\CyberLink
2006-08-30 19:44   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Macromedia
2006-08-30 19:44   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Help
2006-08-30 19:42   --------   d--------   C:\Program Files\BitTorrent
2006-08-29 23:14   --------   d--------   C:\Program Files\Mozilla Firefox
2006-08-29 23:14   --------   d--------   C:\Program Files\Google
2006-08-29 23:14   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Talkback
2006-08-29 23:14   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Mozilla
2006-08-29 23:12   --------   d--------   C:\Program Files\DivX
2006-08-29 22:59   --------   d--------   C:\Program Files\BearShare
2006-08-29 22:55   --------   d--------   C:\Documents and Settings\Shanty\Application Data\BitTorrent
2006-08-29 17:46   --------   d--------   C:\Documents and Settings\Shanty\Application Data\MSN6
2006-08-24 11:30   --------   d--------   C:\Program Files\Lavasoft
2006-08-24 11:30   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Lavasoft
2006-08-21 20:13   --------   d--------   C:\Program Files\Microsoft.NET
2006-08-21 20:13   --------   d--------   C:\Program Files\Microsoft ActiveSync
2006-08-21 20:10   --------   d--------   C:\Program Files\Microsoft Works
2006-08-21 20:10   --------   d--------   C:\Program Files\Microsoft Visual Studio
2006-08-21 13:21   16896   --a------   C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14   23040   --a------   C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14   128896   ---------   C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-04 16:37   73728   --a------   C:\WINDOWS\system32\dpl100.dll
2006-08-04 16:37   196608   --a------   C:\WINDOWS\system32\dtu100.dll
2006-07-29 19:32   48936   --a------   C:\WINDOWS\system32\sirenacm.dll
2006-07-27 14:24   679424   --a------   C:\WINDOWS\system32\inetcomm.dll
2006-07-27 03:06   3596288   --a------   C:\WINDOWS\system32\qt-dx331.dll
2006-07-27 03:05   20640   ---------   C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-07-21 09:24   72704   --a------   C:\WINDOWS\system32\hlink.dll
2006-07-03 22:40   778240   --a------   C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 22:40   778240   --a------   C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 22:40   761856   --a------   C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 22:40   620180   --a------   C:\WINDOWS\system32\DivX.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Free Download Manager"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IndicatorUtility"="C:\\Program Files\\Fujitsu\\Fujitsu Hotkey Utility\\IndicatorUty.exe"
"LoadBtnHnd"="C:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"LoadFujitsuQuickTouch"="C:\\Program Files\\Fujitsu\\Application Panel\\QuickTouch.exe"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
"AWMON"="\"C:\\PROGRA~1\\LAVASOFT\\AD-AWA~3\\Ad-Watch.exe\""
"Norman ZANDA"="C:\\Program Files\\bin\\ZLH.EXE /LOAD /SPLASH"
"outlook"="C:\\Program Files\\outlook\\outlook.exe /auto"
"winlog"="winlog.exe"
"newname"="C:\\\\nwnmff_e11.exe"
"defender"="C:\\\\dfndrff_e11.exe"
"keyboard"="C:\\\\kybrdff_e11.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"winlog"="winlog.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Online Services\\pomo.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Messenger\\mekefe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e1,00,00,00,00,00,00,00,1f,04,00,00,e5,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Completion time: Sun 09/24/2006 22:12:56.68
ComboFix.txt

thanks so much for the quick reply...

guestolo · « **Reply #4 on:** September 24, 2006, 05:04:33 PM »

Can you do the following
Ensure that you have done the following

==Download and save [color=\"red\"]Brute Force Uninstaller[/color][/b] to the desktop

Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to, click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

[color=\"red\"]RIGHT-CLICK HERE[/color][/b] and choose "Save As" (in IE it's "Save Target As") in order to download [color=\"red\"]Alcan worm remover[/color].
Save it then transfer to the
same folder you made earlier (c:\BFU).

NEXT:
download [color=\"#FF0000\"]ATF-Cleaner[/color] by Atribune.
This program is for XP and Windows 2000 only
Don't run it yet

==Download, install, and update Ewido anti-spyware[list=1]

Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Close Ewido. Do not run it yet.

I just realized you have Ad-Aware's Adwatch running, I need you too disable it and leave it disabled till after we are sure you are all clean please, it will probably interfere with the fixes we are doing
Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both options.

Print the rest of these instructions, or copy them to a text file on your desktop for use in safe mode
Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

==Go to Start > My Computer and navigate to the C:\BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe
Put a check in Show log after script ends
Next to the scriptline to execute field click the folder icon and select alcanshorty.bfu
Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Click the Save button to save the log, save it in the same folder as BFU.exe
Ensure to name it with a .txt extension>>Such as Report.txt
Press exit to terminate the BFU program.

========================================================
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

This will remove all files from the items that are checked so if you have some cookies you'd like to save. please move them to a different directory first.
====================================================

Ewido Scan

Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e11.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e11.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal windows

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Afterwards
Post back all the following, even if takes more than one reply to do so please

1. Post a fresh hijackthis log
2. Post the report from Ewido's
3. Post the report from Combofix

Also, can you do the following
Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the file on your harddrive

C:\Program Files\PrintView\pvmodule.exe <-this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

sroza · « **Reply #5 on:** September 25, 2006, 03:06:41 AM »

Hello... I followed all the instructions... except that when running hijackthis in safe mode, i could not find

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e11.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e11.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe

I hope that was good news actually... Hm judging from the long instructions as such, my computer seems to have lots of problems....

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> Thanks for your patience and time in sorting it out... really grateful for it!

1.Fresh hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:47:10 AM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-pc.asia.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsu-pc-asia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-pc.asia.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

2. Ewido's report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:   8:16:43 AM 9/25/2006

+ Scan result:

C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP126\A0007963.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP126\A0008089.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP126\A0008098.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP127\A0010093.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP127\A0010112.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP127\A0010113.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP127\A0010114.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP127\A0010115.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP127\A0010116.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\DXC1205b.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP124\A0007838.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP124\A0007839.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll -> Adware.Zango : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP127\A0009117.exe -> Downloader.Adload.fk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP127\A0009112.exe -> Downloader.Adload.fs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1FC7B5CA-D40C-4640-AD3E-947323350E2B}\RP127\A0009118.exe -> Downloader.Adload.fs : Cleaned with backup (quarantined).
C:\Documents and Settings\Shanty\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shanty\Cookies\shanty@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.70:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.63:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Shanty\Cookies\shanty@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.28:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.29:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.30:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.59:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.60:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Shanty\Cookies\[email protected][1].txt -> TrackingCookie.Paypopup : Cleaned.
:mozilla.53:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.54:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.55:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.56:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.46:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.47:C:\Documents and Settings\Shanty\Application Data\Mozilla\Firefox\Profiles\w26cytya.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

3. combofix scan

Shanty - 06-09-25 8:33:14.38 Service Pack 2
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\Shanty\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))

2006-09-21   16:16   1,233   --a------   C:\WINDOWS\system32\sqgb40de.sys
2006-09-12   20:59   5,632   --a------   C:\WINDOWS\system32\CNMVS3w.DLL
2006-09-12   20:54   97,280   ---------   C:\WINDOWS\system32\CNMLM3w.DLL
2006-09-12   20:54   36,864   --a------   C:\WINDOWS\system32\CNMCP3W.EXE
2006-09-11   22:22   11,776   ---------   C:\WINDOWS\system32\spnpinst.exe
2006-09-02   07:43   614,912   --a------   C:\WINDOWS\system32\h323msp.dll
2006-09-02   07:43   331,264   --a------   C:\WINDOWS\system32\ipnathlp.dll
2006-09-02   07:43   26,112   --a------   C:\WINDOWS\system32\xpsp1hfm.exe
2006-09-02   07:33   947,472   --a------   C:\WINDOWS\system32\msjava.dll
2006-09-02   07:33   63,248   --a------   C:\WINDOWS\system32\javaprxy.dll
2006-09-02   07:33   49,424   --a------   C:\WINDOWS\system32\clspack.exe
2006-09-02   07:33   46,352   --a------   C:\WINDOWS\setdebug.exe
2006-09-02   07:33   404,752   --a------   C:\WINDOWS\system32\javart.dll
2006-09-02   07:33   313,856   --a------   C:\WINDOWS\system32\dx3j.dll
2006-09-02   07:33   286,992   --a------   C:\WINDOWS\system32\vmhelper.dll
2006-09-02   07:33   21,264   --a------   C:\WINDOWS\system32\msjdbc10.dll
2006-09-02   07:33   187,152   --a------   C:\WINDOWS\system32\javacypt.dll
2006-09-02   07:33   172,304   --a------   C:\WINDOWS\system32\jview.exe
2006-09-02   07:33   171,792   --a------   C:\WINDOWS\system32\wjview.exe
2006-09-02   07:33   171,280   --a------   C:\WINDOWS\system32\jit.dll
2006-09-02   07:33   154,384   --a------   C:\WINDOWS\system32\msawt.dll
2006-09-02   07:33   15,120   --a------   C:\WINDOWS\system32\jdbgmgr.exe
2006-09-02   07:33   139,536   --a------   C:\WINDOWS\system32\javaee.dll
2006-09-02   07:33   113   --a------   C:\WINDOWS\system32\zonedon.reg
2006-09-02   07:33   113   --a------   C:\WINDOWS\system32\zonedoff.reg
2006-08-30   21:45   2,560   --a------   C:\WINDOWS\_MSRSTRT.EXE
2006-08-30   19:55   62,744   --a------   C:\WINDOWS\system32\xinput1_2.dll
2006-08-30   19:55   236,824   --a------   C:\WINDOWS\system32\xactengine2_3.dll
2006-08-30   19:55   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2006-08-30   19:54   83,456   --a------   C:\WINDOWS\system32\dpvsetup.exe
2006-08-30   19:54   825,344   --a------   C:\WINDOWS\system32\d3dim700.dll
2006-08-30   19:54   82,432   --a------   C:\WINDOWS\system32\dmscript.dll
2006-08-30   19:54   8,192   --a------   C:\WINDOWS\system32\d3d8thk.dll
2006-08-30   19:54   733,696   --a------   C:\WINDOWS\system32\qedwipes.dll
2006-08-30   19:54   71,680   --a------   C:\WINDOWS\system32\dsdmoprp.dll
2006-08-30   19:54   70,656   --a------   C:\WINDOWS\system32\amstream.dll
2006-08-30   19:54   63,768   --a------   C:\WINDOWS\system32\dxdllreg.exe
2006-08-30   19:54   619,008   --a------   C:\WINDOWS\system32\dx7vb.dll
2006-08-30   19:54   61,440   --a------   C:\WINDOWS\system32\dmcompos.dll
2006-08-30   19:54   60,928   --a------   C:\WINDOWS\system32\dpnhupnp.dll
2006-08-30   19:54   59,904   --a------   C:\WINDOWS\system32\devenum.dll
2006-08-30   19:54   57,344   --a------   C:\WINDOWS\system32\dpwsockx.dll
2006-08-30   19:54   562,176   --a------   C:\WINDOWS\system32\qedit.dll
2006-08-30   19:54   50,688   --a------   C:\WINDOWS\system32\wstdecod.dll
2006-08-30   19:54   4,096   --a------   C:\WINDOWS\system32\ksuser.dll
2006-08-30   19:54   385,024   --a------   C:\WINDOWS\system32\qdvd.dll
2006-08-30   19:54   375,296   --a------   C:\WINDOWS\system32\dpnet.dll
2006-08-30   19:54   367,616   --a------   C:\WINDOWS\system32\dsound.dll
2006-08-30   19:54   363,520   --a------   C:\WINDOWS\system32\psisdecd.dll
2006-08-30   19:54   35,840   --a------   C:\WINDOWS\system32\dmloader.dll
2006-08-30   19:54   35,328   --a------   C:\WINDOWS\system32\mciqtz32.dll
2006-08-30   19:54   35,328   --a------   C:\WINDOWS\system32\dpnhpast.dll
2006-08-30   19:54   30,208   --a------   C:\WINDOWS\system32\dplaysvr.exe
2006-08-30   19:54   3,584   --a------   C:\WINDOWS\system32\dpnlobby.dll
2006-08-30   19:54   3,584   --a------   C:\WINDOWS\system32\dpnaddr.dll
2006-08-30   19:54   28,672   --a------   C:\WINDOWS\system32\dmband.dll
2006-08-30   19:54   279,040   --a------   C:\WINDOWS\system32\qdv.dll
2006-08-30   19:54   27,136   --a------   C:\WINDOWS\system32\ddrawex.dll
2006-08-30   19:54   266,240   --a------   C:\WINDOWS\system32\ddraw.dll
2006-08-30   19:54   237,568   --a------   C:\WINDOWS\system32\qasf.dll
2006-08-30   19:54   23,552   --a------   C:\WINDOWS\system32\dpmodemx.dll
2006-08-30   19:54   229,888   --a------   C:\WINDOWS\system32\dplayx.dll
2006-08-30   19:54   212,480   --a------   C:\WINDOWS\system32\dpvoice.dll
2006-08-30   19:54   21,504   --a------   C:\WINDOWS\system32\dpvacm.dll
2006-08-30   19:54   204,288   --a------   C:\WINDOWS\system32\mswebdvd.dll
2006-08-30   19:54   20,480   --a------   C:\WINDOWS\system32\encapi.dll
2006-08-30   19:54   2,113,536   --a------   C:\WINDOWS\system32\dxdiagn.dll
2006-08-30   19:54   192,512   --a------   C:\WINDOWS\system32\qcap.dll
2006-08-30   19:54   19,456   --a------   C:\WINDOWS\system32\dswave.dll
2006-08-30   19:54   181,760   --a------   C:\WINDOWS\system32\dsdmo.dll
2006-08-30   19:54   181,248   --a------   C:\WINDOWS\system32\dmime.dll
2006-08-30   19:54   18,432   --a------   C:\WINDOWS\system32\dpnsvr.exe
2006-08-30   19:54   17,408   --a------   C:\WINDOWS\system32\msyuv.dll
2006-08-30   19:54   14,336   --a------   C:\WINDOWS\system32\msdmo.dll
2006-08-30   19:54   116,736   --a------   C:\WINDOWS\system32\dpvvox.dll
2006-08-30   19:54   105,984   --a------   C:\WINDOWS\system32\dmstyle.dll
2006-08-30   19:54   104,448   --a------   C:\WINDOWS\system32\dmusic.dll
2006-08-30   19:54   103,424   --a------   C:\WINDOWS\system32\dmsynth.dll
2006-08-30   19:54   1,689,088   --a------   C:\WINDOWS\system32\d3d9.dll
2006-08-30   19:54   1,428,480   --a------   C:\WINDOWS\system32\msvidctl.dll
2006-08-30   19:54   1,298,432   --a------   C:\WINDOWS\system32\dxdiag.exe
2006-08-30   19:54   1,294,336   --a------   C:\WINDOWS\system32\dsound3d.dll
2006-08-30   19:54   1,227,264   --a------   C:\WINDOWS\system32\dx8vb.dll
2006-08-30   19:54   1,179,648   --a------   C:\WINDOWS\system32\d3d8.dll
2006-08-30   19:30   1,082,368   --a------   C:\WINDOWS\system32\esent.dll
2006-08-30   18:54   22,752   --a------   C:\WINDOWS\system32\spupdsvc.exe
2006-08-30   18:20   8,192   ---------   C:\WINDOWS\system32\bitsprx2.dll
2006-08-30   18:20   7,168   ---------   C:\WINDOWS\system32\bitsprx3.dll
2006-08-30   18:20   351,232   --a------   C:\WINDOWS\system32\winhttp.dll
2006-08-30   18:20   18,944   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2006-08-30   18:13   465,176   --a------   C:\WINDOWS\system32\wuapi.dll
2006-08-30   18:13   41,240   --a------   C:\WINDOWS\system32\wups.dll
2006-08-30   18:13   194,328   --a------   C:\WINDOWS\system32\wuaueng1.dll
2006-08-30   18:13   173,536   --a------   C:\WINDOWS\system32\wuweb.dll
2006-08-30   18:13   172,312   --a------   C:\WINDOWS\system32\wuauclt1.exe
2006-08-30   18:13   127,256   --a------   C:\WINDOWS\system32\wucltui.dll
2006-08-29   23:13   109,568   ---------   C:\WINDOWS\system32\pxinsi64.exe
2006-08-29   23:13   108,544   ---------   C:\WINDOWS\system32\pxcpyi64.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-24 15:45   --------   d--------   C:\Program Files\Common Files\ODBC
2006-09-22 08:42   --------   d--------   C:\Program Files\Qtn
2006-09-22 08:42   --------   d--------   C:\Program Files\Nse
2006-09-22 08:41   --------   d--------   C:\Program Files\config
2006-09-22 08:40   --------   d--------   C:\Program Files\bin
2006-09-22 08:37   --------   d--------   C:\Program Files\Temp
2006-09-22 08:37   --------   d--------   C:\Program Files\NVC
2006-09-22 08:37   --------   d--------   C:\Program Files\Logs
2006-09-22 00:30   --------   d--------   C:\Program Files\PrintView
2006-09-21 18:08   --------   d--------   C:\Program Files\SoftwareRevenue.org
2006-09-21 18:08   --------   d--------   C:\Program Files\Google Toolbar
2006-09-19 22:09   --------   d--------   C:\Documents and Settings\Shanty\Application Data\vlc
2006-09-19 22:00   --------   d--------   C:\Program Files\VideoLAN
2006-09-19 20:58   --------   d--------   C:\Program Files\WinRAR
2006-09-16 22:06   --------   d--------   C:\Documents and Settings\Shanty\Application Data\uTorrent
2006-09-16 21:12   --------   d--------   C:\Program Files\MSN Messenger
2006-09-12 20:51   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Gtek
2006-09-10 18:37   --------   d--------   C:\Program Files\Skype
2006-09-10 18:37   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Skype
2006-09-04 21:12   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Google
2006-09-04 19:39   --------   d--------   C:\Documents and Settings\Shanty\Application Data\AdobeUM
2006-09-01 00:55   875   --a------   C:\Documents and Settings\Shanty\Application Data\AdobeDLM.log
2006-09-01 00:55   0   --a------   C:\Documents and Settings\Shanty\Application Data\dm.ini
2006-09-01 00:55   --------   d--------   C:\Program Files\Adobe
2006-09-01 00:52   --------   d--------   C:\Program Files\Common Files\Adobe
2006-09-01 00:52   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Adobe
2006-08-30 21:49   --------   d--------   C:\Program Files\MyGlobalSearch
2006-08-30 21:45   2560   --a------   C:\WINDOWS\_MSRSTRT.EXE
2006-08-30 21:36   --------   d--------   C:\Documents and Settings\Shanty\Application Data\CyberLink
2006-08-30 19:44   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Macromedia
2006-08-30 19:44   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Help
2006-08-30 19:42   --------   d--------   C:\Program Files\BitTorrent
2006-08-29 23:14   --------   d--------   C:\Program Files\Mozilla Firefox
2006-08-29 23:14   --------   d--------   C:\Program Files\Google
2006-08-29 23:14   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Talkback
2006-08-29 23:14   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Mozilla
2006-08-29 23:12   --------   d--------   C:\Program Files\DivX
2006-08-29 22:59   --------   d--------   C:\Program Files\BearShare
2006-08-29 22:55   --------   d--------   C:\Documents and Settings\Shanty\Application Data\BitTorrent
2006-08-29 17:46   --------   d--------   C:\Documents and Settings\Shanty\Application Data\MSN6
2006-08-24 11:30   --------   d--------   C:\Program Files\Lavasoft
2006-08-24 11:30   --------   d--------   C:\Documents and Settings\Shanty\Application Data\Lavasoft
2006-08-21 20:13   --------   d--------   C:\Program Files\Microsoft.NET
2006-08-21 20:13   --------   d--------   C:\Program Files\Microsoft ActiveSync
2006-08-21 20:10   --------   d--------   C:\Program Files\Microsoft Works
2006-08-21 20:10   --------   d--------   C:\Program Files\Microsoft Visual Studio
2006-08-21 20:08   --------   d--------   C:\Program Files\Microsoft Office
2006-08-21 13:21   16896   --a------   C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14   23040   --a------   C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14   128896   ---------   C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-04 16:37   73728   --a------   C:\WINDOWS\system32\dpl100.dll
2006-08-04 16:37   196608   --a------   C:\WINDOWS\system32\dtu100.dll
2006-07-29 19:32   48936   --a------   C:\WINDOWS\system32\sirenacm.dll
2006-07-27 14:24   679424   --a------   C:\WINDOWS\system32\inetcomm.dll
2006-07-27 03:06   3596288   --a------   C:\WINDOWS\system32\qt-dx331.dll
2006-07-27 03:05   20640   ---------   C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-07-21 09:24   72704   --a------   C:\WINDOWS\system32\hlink.dll
2006-07-03 22:40   778240   --a------   C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 22:40   778240   --a------   C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 22:40   761856   --a------   C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 22:40   620180   --a------   C:\WINDOWS\system32\DivX.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Free Download Manager"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IndicatorUtility"="C:\\Program Files\\Fujitsu\\Fujitsu Hotkey Utility\\IndicatorUty.exe"
"LoadBtnHnd"="C:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"LoadFujitsuQuickTouch"="C:\\Program Files\\Fujitsu\\Application Panel\\QuickTouch.exe"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
"Norman ZANDA"="C:\\Program Files\\bin\\ZLH.EXE /LOAD /SPLASH"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Online Services\\pomo.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Messenger\\mekefe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e5,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Completion time: Mon 09/25/2006 8:33:38.05
ComboFix2.txt
ComboFix.txt

4. jotti virus scan

Service load:    0%              100%

File:    pvmodule.exe
Status:    POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5    1599c68387c28ea6d32a65941930d12c
Packers detected:    -
Scanner results
AntiVir     Found Trojan/Dldr.Agent.alb
ArcaVir     Found nothing
Avast     Found nothing
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV     Found nothing
Dr.Web     Found nothing
F-Prot Antivirus    Found nothing
Fortinet    Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32     Found nothing
Norman Virus Control    Found nothing
UNA     Found nothing
VirusBuster    Found nothing
VBA32     Found nothing

I believe that's all.... cheers

guestolo · « **Reply #6 on:** September 25, 2006, 10:11:57 PM »

Can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code: [Select]

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e5,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer into safe mode, sign in with your Normal user account
Find and delete these 2 files if found please, exact file names in the exact locations
C:\Program Files\Online Services\pomo.html
C:\Program Files\Messenger\mekefe.html

Double click on fix.reg and allow to add/merge to the registry

Reboot back to normal windows

Post a fresh hijacthis log
also, close Hijackthis>>reopen it
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

sroza · « **Reply #7 on:** September 30, 2006, 05:25:59 AM »

Halo.... i did as you instructed me too.... but when i tried to look for the two following files in safe mode,
C:\Program Files\Online Services\pomo.html
C:\Program Files\Messenger\mekefe.html

They were in housecall quarantine.... i deleted them anyway...

Here are the two logs you asked for... my computer is running so much better now... there is no pop-ups anymore... Thank you!!!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Logfile of HijackThis v1.99.1
Scan saved at 11:18:01 AM, on 9/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-pc.asia.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsu-pc-asia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-pc.asia.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

Ad-Aware SE Personal
Ad-Aware SE Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Agere Systems AC'97 Modem
BitTorrent 4.20.9
Canon S200
DivX
DivX Converter
DivX Player
DivX Web Player
ewido anti-spyware 4.0
Fujitsu Hardware Diagnostics Tool
Fujitsu Hotkey Utility
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Intel® Extreme Graphics Driver
Intel® PROSet
LifeBook Application Panel
Microsoft Office Professional Edition 2003
PC-Doctor for Windows
PowerDVD
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup
Security Panel Application
Security Panel Application for Supervisor
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
SigmaTel AC97 Audio Drivers
Skype 2.5
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VERITAS DLA
VERITAS RecordNow DX
VERITAS RecordNow DX Update Manager
VideoLAN VLC media player 0.8.5
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

guestolo · « **Reply #8 on:** October 01, 2006, 10:29:47 AM »

Sorry for the delay sroza
Can you do the following please
Create a .reg file for me

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code: [Select]

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4E0C464-30CE-4075-9A10-71FD106C2847}]

[-HKEY_CURRENT_USER\Software\PrintView]

[-HKEY_CLASSES_ROOT\CLSID\{10ADD1E8-EC8A-4719-B39D-B46DD1D6A65D}]

[-HKEY_CLASSES_ROOT\CLSID\{51C5191A-9880-442f-897B-E96987522FBC}]

[-HKEY_CLASSES_ROOT\CLSID\{90FE6C53-F8B4-4631-B42A-02D63D1C949C}]

[-HKEY_CLASSES_ROOT\CLSID\{D4E0C464-30CE-4075-9A10-71FD106C2847}]

[-HKEY_CLASSES_ROOT\Interface\{6C07AC9A-A018-492B-9B55-6892254E09BF}]

[-HKEY_CLASSES_ROOT\Interface\{7B8AC03E-DAA5-441E-A480-78E743F63018}]

[-HKEY_CLASSES_ROOT\Interface\{A9B2B3D8-E6A7-49A0-BBAF-F27B7A500B54}]

[-HKEY_CLASSES_ROOT\Interface\{B0CDC23A-77FA-4B6D-A8A1-DECFE715A56D}]

[-HKEY_CLASSES_ROOT\PrintView.CSInstallInformation_PV]

[-HKEY_CLASSES_ROOT\PrintView.CSInstallInformation_PV.1]

[-HKEY_CLASSES_ROOT\PrintView.PrintViewBar]

[-HKEY_CLASSES_ROOT\PrintView.PrintViewBar.1]

[-HKEY_CLASSES_ROOT\PrintView.PrintViewBarH]

[-HKEY_CLASSES_ROOT\PrintView.PrintViewBarH.1]

[-HKEY_CLASSES_ROOT\PrintViewBar.PrintViewBHO]

[-HKEY_CLASSES_ROOT\PrintViewBar.PrintViewBHO.1]

[-HKEY_CLASSES_ROOT\PrintViewBHO Class]

[-HKEY_CLASSES_ROOT\TypeLib\{24723349-C5C0-44C2-837D-84250E6B2A12}]

Find and delete the following folders please

C:\Program Files\PrintView <-folder
C:\Program Files\SoftwareRevenue.org <-folder
C:\Program Files\MyGlobalSearch <-folder

Double click on fix.reg and allow to add/merge to the registry at the prompt
Reboot the computer
Back in Windows
Can you please post back one last hijackthis log, just to ensure it's still clean

sroza · « **Reply #9 on:** October 02, 2006, 02:00:01 AM »

Here is the hijackthis log... hopefully it's finally clean... thank you for you help!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 7:57:06 AM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-pc.asia.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsu-pc-asia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-pc.asia.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

sroza · « **Reply #10 on:** October 02, 2006, 05:22:12 PM »

Hey... I am sorry but i need to bother you again.... this morning i did the previous reply and everything was fine... tonight, i did a scan with ad-aware professional and it found http://searchbar.findthewebsiteyouneed.com again

there is no pop-ups and my computer was working normally but I was suspicious so i ran the hijackthis program and saw that the entries you asked me to remove before are present again.

I don't know what i did that it all came back again. was it the ad-aware scan? I am such a technophobe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' /> .... did i do anything wrong in the ad-aware scan? Please look through this fresh log and help me....

Thanks.....

Sroza

Logfile of HijackThis v1.99.1
Scan saved at 11:12:30 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Documents and Settings\Shanty\My Documents\program downloads\utorrent.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~3\Ad-Watch.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-pc.asia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsu-pc-asia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e11.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e11.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-pc.asia.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

guestolo · « **Reply #11 on:** October 02, 2006, 06:29:32 PM »

I believe that AdWatch reset those entries in your log
Can you do the following please
Go back and turn off AdWatch in Ad-Aware
Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both options.

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e11.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e11.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Back in Windows
Go back and enable AdWatch
Be sure to ACCEPT the changes if prompted

Post back a fresh hijackthis log afterwards please

sroza · « **Reply #12 on:** October 02, 2006, 08:38:13 PM »

Phew.... hopefully now it's ok... i did get worried. This is the fresh log. Thanks for the superquick reply...

Logfile of HijackThis v1.99.1
Scan saved at 2:36:13 AM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~3\Ad-Watch.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-pc.asia.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsu-pc-asia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-pc.asia.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

TheTechGuide Forum

News:

Author Topic: Possible Adware.look2me or other worms infection (Read 1075 times)

sroza

Possible Adware.look2me or other worms infection

guestolo

Possible Adware.look2me or other worms infection

scaminisbadd

Possible Adware.look2me or other worms infection

sroza

Possible Adware.look2me or other worms infection

guestolo

Possible Adware.look2me or other worms infection

sroza

Possible Adware.look2me or other worms infection

guestolo

Possible Adware.look2me or other worms infection

sroza

Possible Adware.look2me or other worms infection

guestolo

Possible Adware.look2me or other worms infection

sroza

Possible Adware.look2me or other worms infection

sroza

Possible Adware.look2me or other worms infection

guestolo

Possible Adware.look2me or other worms infection

sroza

Possible Adware.look2me or other worms infection