Author Topic: my hijackthis log please help me (Read 1359 times)

skategoodtimes · « **on:** October 31, 2005, 12:38:59 AM »

Here's my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 11:37:53 PM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\hmfosiw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://skateperception.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://skateperception.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://skateperception.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\nutvga.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [rundll32] C:\Documents and Settings\Aaron\rundll32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125824763578
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: msconfd.dll
O20 - Winlogon Notify: nutvga - C:\WINDOWS\ServicePackFiles\nutvga.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hmfosiw.exe

Guest · « **Reply #1 on:** October 31, 2005, 10:00:25 AM »

Damn! He was told to post log here and no one replies!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' />

skategoodtimes · « **Reply #2 on:** October 31, 2005, 09:59:21 PM »

guestolo · « **Reply #3 on:** November 01, 2005, 01:05:06 AM »

You have to be patient

We're going to work on a couple infections you have then try and get the rest
Please print out all these instructions or save to a text file on your desktop for reference

Please download [color=\"red\"]VundoFix.exe[/color][/url] to your desktop.

*Double-click VundoFix.exe to extract the files
*This will create a VundoFix folder on your desktop.

==Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Access your add/remove programs and remove if found
Windows Overlay Components

RESTART your Computer in SAFE MODE without networking
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

*Once in safe mode

==Open the SmitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Open the VundoFix folder and doubleclick on KillVundo.bat

You will first be presented with a warning.

It should look like this

Quote

[color=\"blue\"]VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
[/color]

* At this point press enter one time.

* Next you will see:

Quote

[color=\"blue\"]Please Type in the filepath as instructed by the forum staff
and then press enter:[/color]

*At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\ServicePackFiles\nutvga.dll

*Press [color=\"red\"]Enter[/color] to continue with the fix.

*Next you will see:

Quote

[color=\"blue\"]Please type in the second filepath as instructed by the forum
staff then press enter: [/color]

*At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\ServicePackFiles\agvtun.*
[/list]

Press [color=\"red\"]Enter[/color] to continue with the fix.
*The fix will run then HijackThis will open, if it does not open automatically please open it manually.
*In HiJackThis, please place a check next to the following items and click FIX CHECKED:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\nutvga.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)

O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe

O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [rundll32] C:\Documents and Settings\Aaron\rundll32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: msconfd.dll
O20 - Winlogon Notify: nutvga - C:\WINDOWS\ServicePackFiles\nutvga.dll

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hmfosiw.exe

*After you have fixed these items, close Hijackthis.
*Press enter to exit the program then manually reboot your computer.

Back in Windows

Then, please run this online virus scan: [color=\"red\"]ActiveScan[/color][/url]
Once loaded, choose to Scan "Local Disks"
Once the scan is complete
Save a report of what was found and fixed to desktop

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.r
and the log from SmitRem, located here>>C:\Smitrem.txt

skategoodtimes · « **Reply #4 on:** November 01, 2005, 08:27:21 AM »

ok, thanks I'll do that when I get home from school today, and sorry for the impatientness.

skategoodtimes · « **Reply #5 on:** November 01, 2005, 06:05:50 PM »

it wont start up in safe mode right, i do it and when i log in to my user account or whatever it just stays as a black screen and at the corners it says safe mode and at the top it says something about that service pack.

skategoodtimes · « **Reply #6 on:** November 02, 2005, 10:23:31 AM »

sorry if im being impatient again but im bumping it so you dont forget about me.

skategoodtimes · « **Reply #7 on:** November 02, 2005, 06:33:41 PM »

ok I figured out how to get the safe mode working, I did everything and right now its doing the active scan, I'll post the scan report along with the rest of the stuff in a few minutes.

skategoodtimes · « **Reply #8 on:** November 02, 2005, 08:04:26 PM »

when I was fixing the problems with hijackthis in safe mode i got this error

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: msconfd.dll)
Error #5 - Invalid procedure call or argument

Please email me at [email protected], reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Here is the rest of the stuff though.

NEW HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 6:51:37 PM, on 11/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\hmfosiw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://skateperception.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://skateperception.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://skateperception.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\nutvga.dll (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MsSystem] c:\msdos.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125824763578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: msconfd.dll
O20 - Winlogon Notify: nutvga - C:\WINDOWS\ServicePackFiles\nutvga.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hmfosiw.exe

ACTIVE SCAN REPORT

Incident Status Location

Adware:adware/securityerror No disinfected C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Center.url
Adware:adware/gator No disinfected C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\GStartup.lnk
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
Adware:Adware/CommAd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\423FE045-27B3-4FD7-BCFE-746203\5016609A-178E-4305-82AE-567D22
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4C5DF0F9-3E01-4700-84CA-210DE0\78A4A0F7-F51B-44B4-932A-F1406A
Spyware:Spyware/SafeSurf No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A6E6A86B-F2A6-47E2-8F90-E5F5AF\71B02B18-95F4-448C-9194-C5299D
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP693\A0272263.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP693\A0272297.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP694\A0273297.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP694\A0274297.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP696\A0274461.dll
Adware:Adware/KoolBar No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP697\A0274624.exe
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP697\A0274634.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP697\A0274644.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP698\A0274719.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP699\A0274755.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP699\A0274802.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP701\A0274907.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP702\A0275091.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP703\A0275135.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP706\A0275281.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP706\A0275295.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP706\A0275315.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP707\A0275338.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP707\A0275350.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP707\A0275370.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP707\A0275442.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP708\A0275540.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP708\A0275554.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP708\A0275596.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP709\A0275666.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP712\A0275805.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP712\A0275822.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP714\A0275929.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP715\A0275981.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP716\A0276032.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP719\A0276136.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP719\A0276191.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP721\A0276263.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP721\A0276344.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP723\A0276439.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP723\A0276490.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP724\A0276530.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP724\A0276557.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP724\A0276593.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP725\A0276657.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP725\A0276875.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0276901.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277899.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277918.dll
Virus:Trojan Horse Disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277928.ini
Adware:Adware/Tubby No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277934.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277945.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277981.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP728\A0278044.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278111.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278292.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278310.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278334.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP731\A0278369.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP731\A0278401.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP732\A0278478.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP735\A0278517.dll
Adware:Adware/SaveNow No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP779\A0287758.exe
Adware:Adware/SaveNow No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP780\A0287932.exe
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP781\A0288010.tlb
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP781\A0289010.tlb
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP781\A0289021.tlb
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP781\A0289034.tlb
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP781\A0289045.tlb
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP781\A0289054.tlb
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP782\A0289079.exe
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP782\A0289080.tlb
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0291768.dll
Virus:Trj/Ldpinch.JD Disinfected C:\WINDOWS\assest.dll
Adware:Adware/Aurora No disinfected C:\WINDOWS\jaaste.dll
Possible Virus. No disinfected C:\WINDOWS\load.exe
Virus:Trj/Downloader.BVH Disinfected C:\WINDOWS\loadk32.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\MTE3MTU6ODoxNg.exe
Adware:Adware/CommAd No disinfected C:\WINDOWS\QWFyb24A\asappsrv.dll
Dialer:Dialer.CAL No disinfected C:\WINDOWS\sasent.dll
Dialer:Dialer.CAL No disinfected C:\WINDOWS\sasetup.dll
Adware:adware/secure32 No disinfected C:\WINDOWS\secure32.html
Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\msconfd.dll
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\SYSTEM32\nss9.dll
Virus:Trj/Agent.AJK Disinfected C:\WINDOWS\SYSTEM32\pmkhg.dll
Dialer:Dialer.TY No disinfected C:\WINDOWS\winmodem.exe

VUNDOFIX TXT FILE

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\ServicePackFiles\nutvga.dll

The second filepath entered was C:\WINDOWS\ServicePackFiles\agvtun

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 196 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe

Killing PID 268 'winlogon.exe'
Killing PID 268 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\ServicePackFiles\nutvga.dll Deleted sucessfully.
C:\WINDOWS\ServicePackFiles\agvtun Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

SMITREM

smitRem © log file
version 2.7

by noahdfear

The current date is: Wed 11/02/2005
The current time is: 16:41:08.96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key present!

Running LTDFix/PSGuard.com fix!

PSGuard.com key was successfully removed!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

PSGuard.com

~~~ Favorites ~~~

~~~ system32 folder ~~~

msvol.tlb
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
oleext.dll

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

oleext.dll

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

wininet.dll INFECTED!!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' /> Starting replacement procedure.

~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~

~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~

~~~~ Checking dllcache\wininet.dll for infection ~~~~

~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~

~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll present!

~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~

~~~~ C:\WINDOWS\system32\wininet.dll Clean!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' /> ~~~~

guestolo · « **Reply #9 on:** November 02, 2005, 09:58:27 PM »

Try this, XoftSpy is not my recommended spyware removal tool
Download and InstallAd-Aware SE Personal 1.06
In the event you have an older version of Ad-Aware, allow this version to remove the older version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet

Download and save too desktop the Standalone version of CWShredder

Next: Download and save to desktop
Stinger.exe from McAfee's
Don't run this yet

Print the rest of these instructions or save to notepad for reference

Close Down all Browsers, including this one

Access your add/remove programs and remove
Windows Overlay Components
Gator
KeenValue
P2PNetworking

Run CWShredder.exe and click the FIX button
Let it fix whatever it finds

Reboot in SAFE MODE

In safe mode, run STINGER.exe
and click the "Scan Now" button
Let this finish, it will scan your hard drive
When it's done

Run CWShredder.exe again

In safe mode
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

In the Event "Windows Overlay Components" was not found in Add/Remove programs
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Windows Overlay Components

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Find and delete the following files or folders if found
C:\WINDOWS\System32\svcinit.exe <-file
C:\WINDOWS\System32\mstaskm.exe <-file
C:\WINDOWS\SYSTEM32\msconfd.dll <-file
C:\WINDOWS\SYSTEM32\nss9.dll <-file
C:\WINDOWS\jaaste.dll <-file
C:\WINDOWS\load.exe <-file
C:\WINDOWS\MTE3MTU6ODoxNg.exe <-file
C:\WINDOWS\sasent.dll <-file
C:\WINDOWS\sasetup.dll <-file
C:\WINDOWS\secure32.html <-file
C:\WINDOWS\hmfosiw.exe <-file
C:\windows\rundll32.exe <-file, DON'T touch rundll32.exe in your System32 folder
C:\WINDOWS\iedll.exe <-file
c:\msdos.exe <-file
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Center.url <-file
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\GStartup.lnk <-file

C:\WINDOWS\QWFyb24A <-folder
C:\Program Files\Common Files\CMEII <-folder
C:\Program Files\Common Files\GMT <-folder
C:\Program Files\Common files\updater <-folder

Try and run Hijackthis again
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://skateperception.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://skateperception.com/

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\nutvga.dll (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)

O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe

O4 - HKLM\..\Run: [MsSystem] c:\msdos.exe
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe

O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: msconfd.dll
O20 - Winlogon Notify: nutvga - C:\WINDOWS\ServicePackFiles\nutvga.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hmfosiw.exe

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

NOTE: If you have problems running Hijackthis again, try one more time but omit this entry
O20 - AppInit_DLLs: msconfd.dll

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode

Post back a fresh Hijackthis log

skategoodtimes · « **Reply #10 on:** November 03, 2005, 01:04:56 AM »

Heres my new log.

Logfile of HijackThis v1.99.1
Scan saved at 12:03:46 AM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://skateperception.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125824763578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: msconfd.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

guestolo · « **Reply #11 on:** November 03, 2005, 11:29:00 PM »

That looks better, but let's get you a little cleaner if we can

===Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, well need this later, don't run it yet

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, IF you get a warning "Database could not be found!". Click OK. We'll fix that next
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please Print this out or save these instructions to a Notepad file and save it to your Desktop

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for a more detailed explanation

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Close down your browser window
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Double click on fix.reg and allow to merge to the registry

Restart back to Normal mode

Back in Windows
Post a fresh hijackthis log and the report from Ewidos

skategoodtimes · « **Reply #12 on:** November 04, 2005, 02:01:43 AM »

Logfile of HijackThis v1.99.1
Scan saved at 1:00:12 AM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://skateperception.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common

Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"

startup
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer

A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec

Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdat.../muweb_site.cab?

1125824763578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: msconfd.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -

C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc.

- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. -

C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network

Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         12:53:02 AM, 11/4/2005
+ Report-Checksum:      5093A8C2

+ Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}\Control\\CI -> Spyware.BetterInternet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{CF021F40-3E14-23A5-CBA2-7173706D1316} -> Spyware.MakeMeSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{CF021F3F-3E14-23A5-CBA2-7173706D1316} -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{CF021F3F-3E14-23A5-CBA2-7173706D1316}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{D6188A7D-376C-4970-91AD-675BFCF3762E}\TypeLib\\ -> Spyware.BetterInternet : Cleaned with backup
   HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
   HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
   HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
   HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
   HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
   HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
   HKLM\SOFTWARE\Classes\SPM1316.SPM1316 -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\SPM1316.SPM1316\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\SPM1316.SPM1316.1 -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\SPM1316.SPM1316.1\CLSID\\ -> Spyware.MakeMeSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{8EA362BD-39CB-40F5-9226-73CD40999095} -> Spyware.BetterInternet : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{CF021F32-3E14-23A5-CBA2-7173706D1316} -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/version.txt\\.Owner -> Spyware.iSearch : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/version.txt\\{1C78AB3F-A857-482E-80C0-3A1E5238A565} -> Spyware.iSearch : Cleaned with backup
   HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup
   HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
   HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup
   HKU\S-1-5-21-527237240-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF021F40-3E14-23A5-CBA2-7173706D1316} -> Spyware.MakeMeSearch : Cleaned with backup
   HKU\S-1-5-21-527237240-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1C78AB3F-A857-482E-80C0-3A1E5238A565} -> Spyware.iSearch : Cleaned with backup
   HKU\S-1-5-21-527237240-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0519A9C9-064A-4CBC-BC47-D0EACD581477} -> Spyware.Icoo : Cleaned with backup
   HKU\S-1-5-21-527237240-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-527237240-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{465A59EC-20E5-4FCA-A38A-E5EC3C480218} -> Spyware.Icoo : Cleaned with backup
   HKU\S-1-5-21-527237240-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF021F40-3E14-23A5-CBA2-7173706D1316} -> Spyware.MakeMeSearch : Cleaned with backup
   HKU\S-1-5-21-527237240-879983540-839522115-1003\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
   HKU\S-1-5-21-527237240-879983540-839522115-1003\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
   [268] C:\WINDOWS\system32\msconfd.dll -> Spyware.Hijacker.Generic : Cleaned with backup
   [312] C:\WINDOWS\system32\msconfd.dll -> Spyware.Hijacker.Generic : Error during cleaning
   [324] C:\WINDOWS\system32\msconfd.dll -> Spyware.Hijacker.Generic : Error during cleaning
   [476] C:\WINDOWS\system32\msconfd.dll -> Spyware.Hijacker.Generic : Error during cleaning
   [540] C:\WINDOWS\system32\msconfd.dll -> Spyware.Hijacker.Generic : Error during cleaning
   [588] C:\WINDOWS\system32\msconfd.dll -> Spyware.Hijacker.Generic : Error during cleaning
   [792] C:\WINDOWS\system32\msconfd.dll -> Spyware.Hijacker.Generic : Error during cleaning
   [1060] C:\WINDOWS\system32\msconfd.dll -> Spyware.Hijacker.Generic : Error during cleaning
   :mozilla.6:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.7:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.8:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.17:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.18:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.19:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.91:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
   :mozilla.92:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.93:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.94:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.95:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.96:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.98:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.99:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.100:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.102:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.103:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.104:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.105:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.106:C:\Documents and Settings\Aaron\Application Data\Phoenix\Profiles\default\agpc3ldc.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\423FE045-27B3-4FD7-BCFE-746203\5016609A-178E-4305-82AE-567D22 -> Adware.CommAd : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\4C5DF0F9-3E01-4700-84CA-210DE0\78A4A0F7-F51B-44B4-932A-F1406A -> Trojan.Agent.fc : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\A6E6A86B-F2A6-47E2-8F90-E5F5AF\71B02B18-95F4-448C-9194-C5299D -> Spyware.SafeSurfing : Cleaned with backup
   C:\quarantine\A0281826.exe.Vir -> Adware.BetterInternet : Error during cleaning
   C:\quarantine\thin-137-3-x-x.exe.Vir -> Adware.BetterInternet : Error during cleaning
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP694\A0273297.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP694\A0274297.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP696\A0274461.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP697\A0274624.exe -> TrojanDropper.VB.fv : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP697\A0274634.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP697\A0274644.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP698\A0274719.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP699\A0274755.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP699\A0274802.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP701\A0274907.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP702\A0275091.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP703\A0275135.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP706\A0275281.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP706\A0275295.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP706\A0275315.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP707\A0275338.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP707\A0275350.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP707\A0275370.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP707\A0275442.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP708\A0275540.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP708\A0275554.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP708\A0275596.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP709\A0275666.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP712\A0275805.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP712\A0275822.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP714\A0275929.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP715\A0275981.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP716\A0276032.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP719\A0276136.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP719\A0276191.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP721\A0276263.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP721\A0276344.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP723\A0276439.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP723\A0276490.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP724\A0276530.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP724\A0276557.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP724\A0276593.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP725\A0276657.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP725\A0276875.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0276901.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277899.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277918.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277927.ini -> TrojanSpy.Tofger.ini : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277934.dll -> TrojanDownloader.Agent.ga : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277945.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP726\A0277981.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP728\A0278044.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278111.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278254.dll -> Spyware.WildTangent : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278264.dll -> Spyware.WildTangent : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278274.dll -> Spyware.WildTangent : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278277.dll -> Spyware.WildTangent : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278292.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278310.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP730\A0278334.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP731\A0278369.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP731\A0278401.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP732\A0278478.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP735\A0278517.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP781\A0288024.dll -> TrojanDownloader.Agent.yb : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP782\A0289079.exe -> Trojan.Small.ge : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP782\A0289151.dll -> TrojanDownloader.Agent.yb : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP783\A0289225.dll -> Spyware.Wheaterbug : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP786\A0290579.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0291759.exe -> TrojanDownloader.Zlob.ap : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0291761.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0291768.dll -> Spyware.Virtumonde : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0292815.dll -> Dialer.Generic : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0292816.exe -> TrojanDownloader.Harnig.a : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0292817.dll -> TrojanDownloader.ConHook.k : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0292873.dll -> Spyware.HotSearchBar : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0292874.dll -> Trojan.Agent.fc : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0292876.exe -> Spyware.ISearch : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0292877.dll -> Dialer.Generic : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0292878.dll -> Dialer.Generic : Cleaned with backup
   C:\System Volume Information\_restore{862561A0-41E5-4A97-BCEF-AED6DCD8E1F0}\RP787\A0292881.dll -> Spyware.CommAd : Cleaned with backup
   C:\WINDOWS\SYSTEM32\msconfd.dll -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\SYSTEM32\netlanm.dll -> Spyware.SafeSurfing : Cleaned with backup

::Report End

guestolo · « **Reply #13 on:** November 05, 2005, 12:47:39 AM »

Can you try this again

Run another scan with Hijackthis and put a tick next to this entry

O20 - AppInit_DLLs: msconfd.dll

Then close all open windows and click FIX CHECKED

Run CWShredder.exe and run the FIX

Reboot your computer and post a fresh hijackthis log

skategoodtimes · « **Reply #14 on:** November 05, 2005, 10:21:36 AM »

I still get this message everytime I try to fix it.

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: msconfd.dll)
Error #5 - Invalid procedure call or argument

Please email me at [email protected], reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

skategoodtimes · « **Reply #15 on:** November 05, 2005, 10:23:31 AM »

Logfile of HijackThis v1.99.1
Scan saved at 9:23:12 AM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://skateperception.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysa.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125824763578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

guestolo · « **Reply #16 on:** November 05, 2005, 12:36:40 PM »

That did it though

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Some final cleanup, you still have bad guys in your System restore folder

If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2

Let me know how things are running

skategoodtimes · « **Reply #17 on:** November 06, 2005, 09:02:55 PM »

Everything's working perfectly thank you so much for helping me out.

guestolo · « **Reply #18 on:** November 06, 2005, 11:27:36 PM »

I totally forgot about one file
Can you do the following please, I wasn't sure if it was bad or not

Can you run the below file thru
Jotti's Online Malware scan
Give this site time to load if busy

Use the browse button and navigate to the file on your hard drive
Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please

C:\WINDOWS\winmodem.exe <-this file

skategoodtimes · « **Reply #19 on:** November 07, 2005, 12:43:11 AM »

File:      winmodem.exe
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5    918ddfd8bc911a72967aa0d78642fe43
Packers detected:
UPX
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

News:

Author Topic: my hijackthis log please help me (Read 1359 times)

Guest