Author Topic: guestolo can u help please  (Read 1176 times)

deighan2004
« on: October 30, 2006, 08:12:13 PM »
Guestolo, I was wondering if you can help me? I've tried AVG Pro, Ad-Aware, Registry Mechanic and Spyware Remover both in safe mode and normal mode but can't get rid of some little yellow thing in the bottom right of my computer which is always bringing up pop-ups for anti-viruses, porn sites etc. etc.
Also every time I right click to paste something, or every now and again, Roxio Easy Media Creator tries to install?

Anyway, would really really appreciate some help. Thanks very much mate.
Regards
Paddy



Logfile of HijackThis v1.99.1
Scan saved at 00:58:41, on 31/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\VideoCompressionCodec\pmsngr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\VideoCompressionCodec\pmmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\paddy\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - blank (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 32Red Poker - {437F7F6F-FFCC-47e1-8A4B-C992493CF6C3} - C:\Program Files\32RedMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39114087-D037-441A-86E4-FFAB57148C1B}: NameServer = 212.139.132.6 212.139.132.7
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

guestolo (Administrator)
« Reply #1 on: October 30, 2006, 08:24:43 PM »
Did you pay for Spyware Terminator?
I don't like to recommend it. If you didn't pay for it, can you uninstall it from Add/Remove Programs please.
I'll get you other free tools that do a better job.
Reboot your computer.

Come back here and post all of the following logs:
1. Post a fresh HijackThis log

2. Download the latest version of SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

3. Download this file - Combofix.exe and save it to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post the log from ComboFix please.

Do you want to post your own logs from FRST?
Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


deighan2004
« Reply #2 on: November 01, 2006, 07:49:32 AM »
Thanks very much for getting back to me. I removed Spyware Terminator.

Here are the logs you asked for:

1:
Logfile of HijackThis v1.99.1
Scan saved at 12:31:19, on 01/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\VideoCompressionCodec\pmsngr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VideoCompressionCodec\pmmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\paddy\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - blank (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 32Red Poker - {437F7F6F-FFCC-47e1-8A4B-C992493CF6C3} - C:\Program Files\32RedMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




2:
SmitFraudFix v2.117

Scan done at 12:36:53.57, 01/11/2006
Run from C:\Documents and Settings\paddy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\paddy


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\paddy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\paddy\FAVORI~1

C:\DOCUME~1\paddy\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\VideoCompressionCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="http://newsimg.bbc.co.uk/media/images/4103...le-getty416.jpg"
"SubscribedURL"="http://newsimg.bbc.co.uk/media/images/4103...le-getty416.jpg"
"FriendlyName"=""
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists"

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End





3:
paddy - 06-11-01 12:22:24.46    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\paddy\Desktop"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 

C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Inetget2
C:\Program Files\msmovies
C:\Program Files\network monitor
C:\Program Files\Common Files\{E86EFAA3-0AE9-1033-0721-03062403002c}

 
(((((((((((((((((((((((((((((((   Files Created from 2006-10-01 to 2006-11-01  ))))))))))))))))))))))))))))))))))
 
 
2006-10-24 09:50 77,824 --a------ C:\WINDOWS\system32\driverif.dll
2006-10-24 09:50 75,776 --a------ C:\WINDOWS\zllsputility.exe
2006-10-24 09:50 733,236 --a------ C:\WINDOWS\system32\vete.dll
2006-10-24 09:50 541,733 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-10-24 09:50 21,605 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2006-10-24 09:50 15,668 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2006-10-24 09:50 12,288 --a------ C:\WINDOWS\system32\vetntmsg.dll
2006-10-24 09:50 108,453 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-10-24 09:42 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-13 10:01 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-10-01 22:23 706,048 --a------ C:\WINDOWS\system32\libmcl-3.1.1.dll
2006-10-01 22:23 3,423,744 --a------ C:\WINDOWS\system32\libfilefmt-1.1.0.dll
2006-10-01 22:23 20,480 --a------ C:\WINDOWS\system32\libavi-dd-1.2.0.dll


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-01 12:23 -------- d-------- C:\Program Files\Common Files
2006-11-01 11:19 -------- d-------- C:\Documents and Settings\paddy\Application Data\AVG7
2006-10-30 14:29 -------- d-------- C:\Program Files\32RedMPP
2006-10-30 14:08 -------- d-------- C:\Documents and Settings\paddy\Application Data\Microgaming
2006-10-29 23:11 -------- d-------- C:\Program Files\Roxio Easy Media Creator 7.5 ENG Trial
2006-10-29 21:11 -------- d-------- C:\Program Files\Spyware Terminator
2006-10-29 16:17 -------- d-------- C:\Program Files\eMule
2006-10-29 14:31 -------- d-------- C:\Program Files\QuickTime
2006-10-25 10:17 -------- d-------- C:\Program Files\VideoCompressionCodec
2006-10-24 09:58 -------- d-------- C:\Documents and Settings\paddy\Application Data\MailFrontier
2006-10-24 09:50 -------- d-------- C:\Program Files\Zone Labs
2006-10-24 09:42 -------- d-------- C:\Program Files\Internet Explorer
2006-10-22 14:48 -------- d-------- C:\Program Files\Registry Mechanic
2006-10-22 14:45 -------- d-------- C:\Program Files\Common Files\Download Manager
2006-10-18 17:35 -------- d-------- C:\Program Files\Boilsoft AVI Converter
2006-10-18 17:15 -------- d-------- C:\Program Files\Common Files\AVSMedia
2006-10-18 17:14 -------- d-------- C:\Program Files\AVSMedia
2006-10-18 17:14 -------- d-------- C:\Program Files\Allok AVI MPEG Converter
2006-10-18 13:16 -------- d-------- C:\Program Files\Nero
2006-10-18 13:16 -------- d-------- C:\Program Files\Common Files\Ahead
2006-10-18 08:26 -------- d-------- C:\Program Files\Ahead
2006-10-15 15:18 -------- d-------- C:\Documents and Settings\paddy\Application Data\Free Download Manager
2006-10-14 19:58 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-13 17:31 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-10-13 10:00 816288 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-09 12:52 -------- d-------- C:\Documents and Settings\paddy\Application Data\uTorrent
2006-10-09 00:11 -------- d-------- C:\Documents and Settings\paddy\Application Data\Sun
2006-10-06 23:37 -------- d-------- C:\Program Files\Java
2006-10-02 21:12 -------- d-------- C:\Program Files\Paddy Power Poker
2006-09-25 15:01 -------- d-------- C:\Documents and Settings\paddy\Application Data\deighan1
2006-09-25 13:00 -------- d-------- C:\Program Files\MSN Messenger
2006-09-23 10:39 -------- d-------- C:\Documents and Settings\paddy\Application Data\Rocky2t6
2006-09-20 00:12 2368 --a------ C:\WINDOWS\system32\SVKP.sys
2006-09-19 23:37 -------- d-------- C:\Documents and Settings\paddy\Application Data\Vso
2006-09-19 01:11 -------- d-------- C:\Documents and Settings\paddy\Application Data\Nero
2006-09-18 10:32 34 --a------ C:\Documents and Settings\paddy\Application Data\pcouffin.log
2006-09-18 10:31 81920 --a------ C:\Documents and Settings\paddy\Application Data\ezpinst.exe
2006-09-18 10:31 7176 --a------ C:\Documents and Settings\paddy\Application Data\pcouffin.cat
2006-09-18 10:31 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2006-09-18 10:31 47360 --a------ C:\Documents and Settings\paddy\Application Data\pcouffin.sys
2006-09-18 10:31 1144 --a------ C:\Documents and Settings\paddy\Application Data\pcouffin.inf
2006-09-18 10:31 -------- d-------- C:\Program Files\vso
2006-09-16 19:45 -------- d-------- C:\Program Files\Cucusoft
2006-09-16 17:43 -------- d-------- C:\Documents and Settings\paddy\Application Data\deighan
2006-09-15 11:01 -------- d-------- C:\Documents and Settings\paddy\Application Data\Roxio
2006-09-13 05:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 19:04 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-12 19:02 -------- d-------- C:\Documents and Settings\paddy\Application Data\Samsung
2006-09-12 17:58 -------- d-------- C:\Program Files\Samsung
2006-09-12 17:58 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-12 16:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-11 23:27 -------- d-------- C:\Program Files\WinRAR
2006-09-11 22:22 -------- d-------- C:\Documents and Settings\paddy\Application Data\.ABC
2006-09-08 17:26 4222516 --a------ C:\ABC-win32-v3.1.exe
2006-09-08 15:47 -------- d-------- C:\Program Files\MP3 Rocket
2006-09-08 15:47 -------- d-------- C:\Program Files\Common Files\Scanner
2006-09-06 11:15 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-06 01:25 -------- d-------- C:\Program Files\MP3 Player Utilities 1.51
2006-09-06 00:43 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-09-06 00:42 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-05 23:06 -------- d-------- C:\Program Files\CleanUp!
2006-09-05 20:31 448593 --ahs---- C:\WINDOWS\system32\yycdd.bak1
2006-09-04 21:00 -------- d-------- C:\Documents and Settings\paddy\Application Data\Seven Zip
2006-09-01 15:41 -------- d-------- C:\Documents and Settings\paddy\Application Data\Ahead
2006-08-25 15:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 12:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 09:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 11:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="http://newsimg.bbc.co.uk/media/images/4103...le-getty416.jpg"
"SubscribedURL"="http://newsimg.bbc.co.uk/media/images/4103...le-getty416.jpg"
"FriendlyName"=""
"Flags"=dword:00001001
"Position"=hex:2c,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,e8,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,d2,03,00,00,6d,01,00,00,a0,01,00,00,2c,01,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,ae,06,41,c0,b4,74,a8,6f,7a,01,68,de,ae,06,20,6d,\
  ae,06,08,09,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"pmsngr.exe"="C:\\Program Files\\VideoCompressionCodec\\pmsngr.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-01 12:23:50.64
C:\ComboFix.txt ... 06-11-01 12:23






That's all the logs, hope you can help.
Thanks guestolo
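The two HijackThis logs and the SmitfraudFix report above are what the helper is reading by eye: BHOs with no name or a missing file, services with an unknown owner, and programs living in a folder another scanner has already reported. The script below is an added example, not code from this thread nor from HijackThis, SmitfraudFix or ComboFix. It parses HijackThis-style O2/O4/O23 entries and a running-process list, cross-references them against paths reported on "FOUND !" lines in SmitfraudFix's output format, and returns the entries a reviewer would look at first. The sample lines are constructed to match the formats shown in the thread, and the flagging rules (no name, file missing, unknown owner, path under a scanner-flagged directory) are this example's own heuristics, not rules either tool applies.

```python
import re

# Constructed sample: a handful of entries in the format HijackThis 1.99 writes.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - blank (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed sample: the "Running processes:" section of the same log.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VideoCompressionCodec\pmsngr.exe
C:\Program Files\VideoCompressionCodec\pmmon.exe
"""

# Constructed sample: "FOUND !" lines in SmitfraudFix's report format.
# A trailing backslash marks a directory, otherwise the entry is a single file.
SAMPLE_FOUND = r"""
C:\WINDOWS\system32\a.exe FOUND !
C:\Program Files\VideoCompressionCodec\ FOUND !
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# First drive-letter path in an entry, stopping at the extension so that
# trailing arguments such as ",NvStartup" or " /STARTUP" are not included.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\",]*?\.(?:exe|dll|lnk|sys)", re.IGNORECASE)


def parse_found(text):
    """Return (lowercased path, is_directory) pairs from 'FOUND !' lines."""
    found = []
    for line in text.strip().splitlines():
        if line.endswith(" FOUND !"):
            path = line[: -len(" FOUND !")]
            found.append((path.lower(), path.endswith("\\")))
    return found


def in_found(path, found):
    """True if path is a flagged file or lies under a flagged directory.

    Windows paths are case-insensitive, so everything is compared lowercased.
    """
    p = path.lower()
    return any((is_dir and p.startswith(f)) or (not is_dir and p == f)
               for f, is_dir in found)


def review_entry(line, found):
    """Return the list of reasons (possibly empty) an HJT entry deserves a look."""
    m = ENTRY_RE.match(line)
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    if "(no name)" in body:
        reasons.append("no name")
    if "(file missing)" in body:
        reasons.append("file missing")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("unknown owner")
    pm = PATH_RE.search(body)
    if pm and in_found(pm.group(0), found):
        reasons.append("path flagged by scanner")
    return reasons


def review(hjt_text, process_text, found_text):
    """Map each flagged log line to its reasons; unflagged lines are omitted."""
    found = parse_found(found_text)
    report = {}
    for line in hjt_text.strip().splitlines():
        reasons = review_entry(line, found)
        if reasons:
            report[line] = reasons
    for line in process_text.strip().splitlines():
        if in_found(line, found):
            report[line] = ["running from flagged directory"]
    return report


if __name__ == "__main__":
    for line, reasons in review(SAMPLE_HJT, SAMPLE_PROCESSES, SAMPLE_FOUND).items():
        print(f"{', '.join(reasons):>32}  {line}")
```

A hit is a triage prompt, not a verdict: the "unknown owner" rule fires on the SoundMAX spkrmon service in the log above just as it would on something hostile, and the helper in this thread does not ask for that service to be removed. The cross-reference against a second tool's findings is the more reliable signal, because it ties a startup entry or a running process to a location that was independently reported.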

guestolo (Administrator)
« Reply #3 on: November 01, 2006, 08:16:51 PM »
Sorry for the delay, can I have you do the following please.
You can go ahead and delete this leftover folder:
C:\Program Files\Spyware Terminator
I see you have AVG AntiVirus installed, can I also have you install its sister program.

Download>>Install AVG Anti-Spyware 7.5 from Ewido networks
  • Load AVG-antispyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close it afterwards, as we will need it later
Download VundoFix.exe to your desktop.
We'll need it later.

We should update your version of Sun Java to plug up security holes that malware can exploit.
Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation Multi-language
Save the file to your Desktop.
Don't install it yet.

Access your Add/Remove Programs via Control Panel
Search in the list for all previously installed versions of Java (J2SE Runtime Environment...)
e.g. J2SE Runtime Environment 5.0 Update 6
It should have the following icon next to it:
Select it and click Remove on any found

VundoFix.exe
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,  click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

Then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Once in safe mode
* Clean your Cache and Cookies in IE:
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window

Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type:
cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Open the SmitfraudFix folder you extracted to desktop earlier
  • Double-click smitfraudfix.cmd
  • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen with results from the cleaning process.
I'll need to see these later; by default it is saved at C:\rapport.txt.
If a reboot was required, reboot normally, then go back to safe mode.
If no reboot was required, remain in safe mode.

AVG-AntiSpyware Scan
  • Load AVG-Antispyware and Select the "Scanner" tab
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected
  • Click back to the "Scan" tab and then click on Complete System Scan.
  • Let this scan complete, let it run uninterrupted
  • AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.

  • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
  • An AVG icon will be placed in your system tray next to your clock; right-click on it and uncheck both "Resident Shield" and "Start with Windows"
Reboot the computer back to Normal Windows

Back in Windows
Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")

Go ahead and install the latest version of Sun java from the installer on your desktop
After installation you can delete the installer

Can you post back the following please:

1. Post a fresh hijackthis log
2. Post the whole report from AVG-Antispyware
3. The report from Smitfraudfix>>C:\Rapport.txt
4. The report from Vundofix>>C:\Vundofix.txt

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline deighan2004

« Reply #4 on: November 03, 2006, 12:48:09 PM »
Thanks very much for getting back to me :)

VundoFix didn't find anything, but everything else seems to have gone well; I haven't had a pop-up since I came out of safe mode!!!

cheerz mate


Logfile of HijackThis v1.99.1
Scan saved at 17:42:58, on 03/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\32RedMPP\MPPoker.exe
C:\Documents and Settings\paddy\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: 32Red Poker - {437F7F6F-FFCC-47e1-8A4B-C992493CF6C3} - C:\Program Files\32RedMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39114087-D037-441A-86E4-FFAB57148C1B}: NameServer = 212.139.132.6 212.139.132.7
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at: 17:24:38 03/11/2006

 + Scan result:

 

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : No action taken.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : No action taken.
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : No action taken.
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : No action taken.
C:\WINDOWS\system32\rk.bin -> Adware.RK : No action taken.
C:\Program Files\Common Files\mrok\mrokd\vocabulary -> Downloader.TSUpdate.j : No action taken.
C:\Documents and Settings\paddy\Cookies\paddy@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.


::Report end
SmitFraudFix v2.117

Scan done at 13:40:48.60, 03/11/2006
Run from C:\Documents and Settings\paddy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\paddy\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\VideoCompressionCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 13:20:44 03/11/2006

Listing files found while scanning....

No infected files were found.

ONCE AGAIN U HAVE SAVED THE DAY IT SEEMS!!!!!!!!!!!!!!!!!!!!!!!!

HAPPY DAYZ!!!!!!!!!!!!!!!

Offline guestolo
« Reply #5 on: November 04, 2006, 12:56:55 AM »
Can you run another scan with AVG-Antispyware please

You didn't follow the complete instructions; make sure to check for updates ahead of time.
Notice the part about changing the recommended action to Quarantine.
  • Load AVG-Antispyware and do a manual update
  • Select the "Scanner" tab
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected
  • Click back to the "Scan" tab and then click on Complete System Scan.
  • Let this scan complete, let it run uninterrupted
  • AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.

  • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
Reboot the computer

Come back here and post the fresh report from AVG please



Offline deighan2004
« Reply #6 on: November 08, 2006, 07:12:54 AM »
i will post back asap
« Last Edit: November 08, 2006, 07:13:32 AM by deighan2004 »

Offline deighan2004
« Reply #7 on: November 08, 2006, 06:00:19 PM »
Guestolo, this is the AVG log. I can't get onto this website from my computer in the house; something's blocking me from getting on it, the website just says error.


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:55:58 08/11/2006

+ Scan result:



HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : No action taken.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : No action taken.
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : No action taken.
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : No action taken.
C:\WINDOWS\system32\rk.bin -> Adware.RK : No action taken.
C:\Program Files\Common Files\mrok\mrokd\vocabulary -> Downloader.TSUpdate.j : No action taken.
C:\Documents and Settings\paddy\Local Settings\Temporary Internet Files\Content.IE5\HRRLFTJW\popup[1].htm -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\paddy\Local Settings\Temporary Internet Files\Content.IE5\O92VW5U7\popup[1].htm -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\paddy\Cookies\paddy@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\paddy\Cookies\paddy@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\paddy\Cookies\paddy@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\paddy\Cookies\paddy@yadro[1].txt -> TrackingCookie.Yadro : No action taken.
C:\Documents and Settings\paddy\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

Offline guestolo
« Reply #8 on: November 08, 2006, 08:25:15 PM »
I don't think you're getting it

Notice the following in bold
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : No action taken.

Your "No action taken" means you're not following the instructions I posted when running AVG-Antispyware,
and everything found by AVG has "No action taken"

Notice what I said here

# Select the "Scanner" tab
# Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected


You're missing a step,
so you're not letting AVG quarantine any items

Do you want to try again?
Or we can manually try and fix these
« Last Edit: November 08, 2006, 08:25:50 PM by guestolo »

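A small checker for the AVG Anti-Spyware report format quoted in this thread, added here as an example and not part of the thread or of AVG's tooling: it parses the "object -> Threat.Name : Action." lines, groups them, and flags a report as incomplete when any entry still reads "No action taken". The sample reports are copied from the posts above; the registry/cookie/file grouping is my own assumption.

```python
"""Checker for AVG Anti-Spyware 7.5 scan reports (added example, not from the thread).

Report lines look like:  <object> -> <Threat.Name> : <Action>.
The two sample reports below are the ones posted in this thread; the
registry/cookie/file grouping is my own heuristic, not AVG's.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<obj>.+?) -> (?P<threat>[^:]+?) : (?P<action>.+?)\.\s*$")
NO_ACTION = "No action taken"  # the status guestolo points at in Reply #8

# Constructed from the report in Reply #7 (the mangled Yieldmanager line is left out).
REPORT_NOV_08 = r"""
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 15:55:58 08/11/2006
+ Scan result:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : No action taken.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : No action taken.
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : No action taken.
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : No action taken.
C:\WINDOWS\system32\rk.bin -> Adware.RK : No action taken.
C:\Program Files\Common Files\mrok\mrokd\vocabulary -> Downloader.TSUpdate.j : No action taken.
C:\Documents and Settings\paddy\Local Settings\Temporary Internet Files\Content.IE5\HRRLFTJW\popup[1].htm -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\paddy\Local Settings\Temporary Internet Files\Content.IE5\O92VW5U7\popup[1].htm -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\paddy\Cookies\paddy@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\paddy\Cookies\paddy@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\paddy\Cookies\paddy@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\paddy\Cookies\paddy@yadro[1].txt -> TrackingCookie.Yadro : No action taken.
::Report end
"""

# Constructed from the report in Reply #11, saved after "Apply all actions".
REPORT_NOV_09 = r"""
+ Created at: 15:43:21 09/11/2006
+ Scan result:
C:\Documents and Settings\paddy\Cookies\paddy@com[1].txt -> TrackingCookie.Com : Cleaned.
::Report end
"""


@dataclass(frozen=True)
class Finding:
    obj: str      # registry key or file path AVG flagged
    threat: str   # AVG's detection name, e.g. Adware.Isearch
    action: str   # what AVG did: "No action taken", "Cleaned", "Quarantined", ...

    @property
    def kind(self) -> str:
        """Heuristic grouping (my assumption): registry hive prefix, cookie family, else file."""
        if re.match(r"^HK(LM|CU|U|CR|CC)\\", self.obj):
            return "registry"
        if self.threat.startswith("TrackingCookie."):
            return "cookie"
        return "file"

    @property
    def remediated(self) -> bool:
        return self.action != NO_ACTION


def parse_report(text: str) -> list[Finding]:
    """Keep only scan-result lines; header, footer and blank lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["obj"], m["threat"], m["action"]))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Totals per kind plus whether every finding had an action applied."""
    unresolved = [f for f in findings if not f.remediated]
    return {
        "total": len(findings),
        "by_kind": dict(Counter(f.kind for f in findings)),
        "unresolved": len(unresolved),
        "complete": not unresolved,
    }


def unresolved_non_cookie(findings: list[Finding]) -> list[Finding]:
    """The entries that matter most: unremediated registry keys and files, not cookies."""
    return [f for f in findings if not f.remediated and f.kind != "cookie"]


if __name__ == "__main__":
    for label, report in (("08/11", REPORT_NOV_08), ("09/11", REPORT_NOV_09)):
        found = parse_report(report)
        print(label, summarize(found))
        for f in unresolved_non_cookie(found):
            print("  still present:", f.kind, f.obj, "->", f.threat)
```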


Offline deighan2004
« Reply #9 on: November 09, 2006, 08:00:41 AM »
I DEFINITELY changed the recommended settings to quarantine. I'm also about 99% sure that I clicked apply all actions!!!

I'll try it again and post the log back

cheers

Offline deighan2004
« Reply #10 on: November 09, 2006, 08:02:49 AM »
P.S. When I try to download updates AVG just says that no updates are available. I'll go to my computer at home and give it another go and post back a fresh AVG log.

Offline deighan2004
« Reply #11 on: November 09, 2006, 01:50:33 PM »
This is the most recent report I did. The previous report was saved BEFORE I deleted the viruses; I forgot to save it after I 'applied all actions', sorry about that.

Also Roxio Easy Media Creator keeps trying to install on my computer. Anyway, here's the report:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:43:21 09/11/2006

+ Scan result:



C:\Documents and Settings\paddy\Cookies\paddy@com[1].txt -> TrackingCookie.Com : Cleaned.


::Report end

Offline guestolo
« Reply #12 on: November 09, 2006, 08:58:32 PM »
REMOVED
« Last Edit: November 09, 2006, 08:58:51 PM by guestolo »



Offline guestolo
« Reply #13 on: November 09, 2006, 09:09:55 PM »
Can you post me 2 other logs?
Please supply an uninstall list from HijackThis:
Open HijackThis >> Open MISC TOOLS SECTION >> Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop, then copy and paste back here the whole contents.

+ Run ComboFix one more time and post the fresh log it produces.



Offline deighan2004
« Reply #14 on: November 10, 2006, 03:39:21 PM »
Here's the 2 logs, cheerz guestolo


µTorrent
32Red Poker
Ad-Aware SE Personal
Adobe Reader 7.0.5
Allok AVI MPEG Converter 2.0.2
AVG Anti-Spyware 7.5
AVG Anti-Virus 7.1
AVS Video Tools 5.3
Boilosft AVI to VCD SVCD DVD Converter 3.61
CleanUp!
Command & Conquer Tiberian Sun
ConvertXtoDVD 2.1.0
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
Dell ResourceCD
DivX
DivX Player
eMule
Football Manager 2005
HijackThis 1.99.1
Intel® PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 9
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Magic DVD Creator Trial Version (English) 7.9.0.3
Microsoft Office Professional Edition 2003
MP3 Player Utilities 1.51
MSXML 4.0 SP2 (KB925672)
NVIDIA Windows 2000/XP Display Drivers
Pacific Poker
Paddy Power Poker
QuickSnooker
Registry Mechanic 5.2
Roxio Easy Media Creator 7.5 Trial
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem ^^
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Sony Ericsson PC Suite
SoundMAX
SpeedTouch USB Software
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Westwood Shared Internet Components
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm Security Suite

paddy - 06-11-10 18:43:20.40    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\paddy\Desktop"

(((((((((((((((((((((((((((((((   Files Created from 2006-10-10 to 2006-11-10  ))))))))))))))))))))))))))))))))))


2006-11-09 01:46 719,872 --a------ C:\WINDOWS\system32\devil.dll
2006-11-09 01:46 308,224 --a------ C:\WINDOWS\system32\avisynth.dll
2006-11-03 12:58 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-01 12:36 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-01 12:36 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-01 12:36 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-01 12:36 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-24 09:50 77,824 --a------ C:\WINDOWS\system32\driverif.dll
2006-10-24 09:50 75,776 --a------ C:\WINDOWS\zllsputility.exe
2006-10-24 09:50 733,236 --a------ C:\WINDOWS\system32\vete.dll
2006-10-24 09:50 541,733 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-10-24 09:50 21,605 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2006-10-24 09:50 15,668 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2006-10-24 09:50 12,288 --a------ C:\WINDOWS\system32\vetntmsg.dll
2006-10-24 09:50 108,453 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-10-24 09:42 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-13 10:01 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-10 18:45 -------- d-------- C:\Documents and Settings\paddy\Application Data\uTorrent
2006-11-10 18:30 -------- d-------- C:\Program Files\32RedMPP
2006-11-10 18:27 -------- d-------- C:\Documents and Settings\paddy\Application Data\Microgaming
2006-11-10 18:08 -------- d-------- C:\Program Files\Magic DVD Creator
2006-11-10 12:05 -------- d-------- C:\Program Files\Common Files\Ahead
2006-11-10 11:34 -------- d-------- C:\Documents and Settings\paddy\Application Data\AVG7
2006-11-09 19:43 -------- d-------- C:\Program Files\PacificPoker
2006-11-09 16:06 -------- d-------- C:\Program Files\Registry Mechanic
2006-11-09 13:38 -------- d-------- C:\Program Files\eMule
2006-11-09 01:46 47360 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2006-11-09 01:34 -------- d-------- C:\Program Files\Common Files\MagicDVDRipper
2006-11-09 01:34 -------- d-------- C:\Program Files\Common Files
2006-11-09 00:08 -------- d-------- C:\Program Files\MSN Messenger
2006-11-08 16:04 -------- d-------- C:\Program Files\Ahead
2006-11-05 15:03 -------- d-------- C:\Program Files\uTorrent
2006-11-03 17:34 -------- d-------- C:\Program Files\Java
2006-11-03 17:33 -------- d-------- C:\Program Files\Common Files\Java
2006-11-03 12:58 -------- d-------- C:\Program Files\Grisoft
2006-11-03 12:51 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-29 23:11 -------- d-------- C:\Program Files\Roxio Easy Media Creator 7.5 ENG Trial
2006-10-29 14:31 -------- d-------- C:\Program Files\QuickTime
2006-10-24 09:58 -------- d-------- C:\Documents and Settings\paddy\Application Data\MailFrontier
2006-10-24 09:50 -------- d-------- C:\Program Files\Zone Labs
2006-10-24 09:42 -------- d-------- C:\Program Files\Internet Explorer
2006-10-22 14:45 -------- d-------- C:\Program Files\Common Files\Download Manager
2006-10-18 17:35 -------- d-------- C:\Program Files\Boilsoft AVI Converter
2006-10-18 17:15 -------- d-------- C:\Program Files\Common Files\AVSMedia
2006-10-18 17:14 -------- d-------- C:\Program Files\AVSMedia
2006-10-18 17:14 -------- d-------- C:\Program Files\Allok AVI MPEG Converter
2006-10-18 13:16 -------- d-------- C:\Program Files\Nero
2006-10-15 15:18 -------- d-------- C:\Documents and Settings\paddy\Application Data\Free Download Manager
2006-10-14 19:58 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-13 17:31 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-10-09 00:11 -------- d-------- C:\Documents and Settings\paddy\Application Data\Sun
2006-10-02 21:12 -------- d-------- C:\Program Files\Paddy Power Poker
2006-09-25 15:01 -------- d-------- C:\Documents and Settings\paddy\Application Data\deighan1
2006-09-23 10:39 -------- d-------- C:\Documents and Settings\paddy\Application Data\Rocky2t6
2006-09-20 00:12 2368 --a------ C:\WINDOWS\system32\SVKP.sys
2006-09-19 23:37 -------- d-------- C:\Documents and Settings\paddy\Application Data\Vso
2006-09-19 01:11 -------- d-------- C:\Documents and Settings\paddy\Application Data\Nero
2006-09-18 10:32 34 --a------ C:\Documents and Settings\paddy\Application Data\pcouffin.log
2006-09-18 10:31 81920 --a------ C:\Documents and Settings\paddy\Application Data\ezpinst.exe
2006-09-18 10:31 7176 --a------ C:\Documents and Settings\paddy\Application Data\pcouffin.cat
2006-09-18 10:31 47360 --a------ C:\Documents and Settings\paddy\Application Data\pcouffin.sys
2006-09-18 10:31 1144 --a------ C:\Documents and Settings\paddy\Application Data\pcouffin.inf
2006-09-18 10:31 -------- d-------- C:\Program Files\vso
2006-09-16 19:45 -------- d-------- C:\Program Files\Cucusoft
2006-09-16 17:43 -------- d-------- C:\Documents and Settings\paddy\Application Data\deighan
2006-09-15 11:01 -------- d-------- C:\Documents and Settings\paddy\Application Data\Roxio
2006-09-13 05:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 19:04 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-12 19:02 -------- d-------- C:\Documents and Settings\paddy\Application Data\Samsung
2006-09-12 17:58 -------- d-------- C:\Program Files\Samsung
2006-09-12 17:58 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-12 16:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-11 23:27 -------- d-------- C:\Program Files\WinRAR
2006-09-11 22:22 -------- d-------- C:\Documents and Settings\paddy\Application Data\.ABC
2006-09-08 17:26 4222516 --a------ C:\ABC-win32-v3.1.exe
2006-09-05 20:31 448593 --ahs---- C:\WINDOWS\system32\yycdd.bak1
2006-08-25 15:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 12:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 09:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 11:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NWEReboot"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-10 18:46:19.00
C:\ComboFix.txt ... 06-11-10 18:46
C:\ComboFix2.txt ... 06-11-01 12:23
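
An added example, not part of this thread and not code from ComboFix or HijackThis: a small Python parser for the `.reg`-style registry section shown in the log above. It reads each `[HKEY_...]` key, unescapes the `"Name"="Value"` and `dword:` lines, keeps every value under a key ending in `\run` (or `\runonce`, `\runservices`), extracts the executable path from the command and labels each entry `ok`, `empty` or `review` by where the executable lives. The sample dump is constructed inside the script (it reuses a few entry names from the log above and adds one made-up Temp-folder entry called `ExampleLoader`); the trusted-root list and the three labels are my assumptions, not anything the thread or the tools define.

```python
"""Triage autostart (Run key) entries from a .reg-style registry dump.

Added example for this thread; not ComboFix or HijackThis code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

RegValue = Union[str, int]

# Constructed sample in the same format as the ComboFix registry section.
# The AVG / Zone Labs / NWEReboot / CTFMON names come from the posted log;
# "ExampleLoader" is a made-up placeholder for an entry that warrants a look.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NWEReboot"=""
"ExampleLoader"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\example_unknown.exe /s"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')

# Assumed "expected" install roots; anything else is flagged for review.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
AUTORUN_SUFFIXES = ("\\run", "\\runonce", "\\runservices")


def unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_dump(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key_path: {value_name: value}} for string and dword values."""
    sections: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[Dict[str, RegValue]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None:
            continue  # text before the first key (report headers etc.)
        m = STRING_RE.match(line)
        if m:
            current[unescape(m.group(1))] = unescape(m.group(2))
            continue
        m = DWORD_RE.match(line)
        if m:
            current[unescape(m.group(1))] = int(m.group(2), 16)
    return sections


def executable_path(command: str) -> Optional[str]:
    """Pull the program path out of a Run-key command line (quoted or not)."""
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else None
    m = re.match(r'(.+?\.exe)(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str
    exe: Optional[str]


def autorun_entries(sections: Dict[str, Dict[str, RegValue]]) -> List[AutorunEntry]:
    """Collect string values living directly under a Run / RunOnce / RunServices key."""
    out: List[AutorunEntry] = []
    for key, values in sections.items():
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        for name, value in values.items():
            if isinstance(value, str):
                out.append(AutorunEntry(key, name, value, executable_path(value)))
    return out


def triage(entry: AutorunEntry) -> str:
    """'empty' for a blank command, 'ok' under a trusted root, else 'review'."""
    if entry.exe is None:
        return "empty"
    low = entry.exe.lower()
    return "ok" if any(low.startswith(r) for r in TRUSTED_ROOTS) else "review"


def report(text: str) -> List[str]:
    """One line per autostart entry: label, value name, resolved executable."""
    return [f"{triage(e):6} {e.name:20} -> {e.exe or '(no command)'}"
            for e in autorun_entries(parse_reg_dump(text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The location check is only a first pass: it tells you which entries to look at first, not which are clean. The file guestolo has the poster delete later in this thread sat in `C:\WINDOWS\system32`, inside a trusted root, so entries labelled `ok` still need their names checked one by one against what the machine is known to have installed.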

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
guestolo can u help please
« Reply #15 on: November 11, 2006, 03:37:47 PM »
Can you Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Find and delete this file
C:\WINDOWS\system32\yycdd.bak1 <file

Quote
Also roxio easy media creator keeps trying to install on my computer. anyway heres the report
In your add/remove list
You appear to have
Roxio Easy Media Creator 7.5 Trial installed?

Is that what keeps trying to install, have you tried uninstalling it from add/remove programs?
Do you want it installed
It's only the trial version

We can use the Windows Cleanup utility to probably stop it from reinstalling
Let me know the above please

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline deighan2004

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
guestolo can u help please
« Reply #16 on: November 12, 2006, 12:11:27 PM »
I deleted this file,
C:\WINDOWS\system32\yycdd.bak1 <file



I've tried removing roxio from add/remove programs but it just says,
''could not open the Certificate Reading DLL''
then,
''there was a problem authenticating your version. Please make sure your system is set to the current date''

I don't think I can use roxio free version to burn DVDs so could we just remove it then please. Also when I right-click my mouse to delete stuff from desktop or move to another folder roxio tries to install itself on my computer, that's what I meant by it keeps trying to install itself.

I also can't remove 'Paddy Power Poker' for some reason even though it's not actually installed on my computer.


Cheerz guestolo

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
guestolo can u help please
« Reply #17 on: November 12, 2006, 01:27:40 PM »
Can you do the following for me please
Download>>Save and install Windows Installer Cleanup Utility

After installation
Go to START>>Programs
Run Windows Install Cleanup Utility
Let me know what you see in the list referring to
ROXIO

Also, I doubt if you may find it, but see if Paddy Poker shows also
If it doesn't show
Can you open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Highlight 'Paddy Power Poker'
On the right hand side
Copy>>paste back here the whole entry beside Uninstall Command
« Last Edit: November 12, 2006, 01:30:57 PM by guestolo »



Offline deighan2004

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
guestolo can u help please
« Reply #18 on: November 13, 2006, 06:44:46 AM »
Windows installer just said this beside roxio,
''(All Users) Roxio Easy Media Creator 7.5 Trial (7.5.0.47)''
Should I remove this?

This is the paddy power in hijack this
C:\PROGRA~1\PADDYP~1\UNWISE.EXE C:\PROGRA~1\PADDYP~1\INSTALL.LOG

This is the roxio in hijack this
MsiExec.exe /I{BF39E1F8-2AFB-451F-BD19-AB9616B3BF74}


Wasn't sure if you wanted this again but here's the whole uninstall list, cheerz guestolo
µTorrent
32Red Poker
Ad-Aware SE Personal
Adobe Reader 7.0.5
Allok AVI MPEG Converter 2.0.2
AVG Anti-Spyware 7.5
AVG Anti-Virus 7.1
AVS Video Tools 5.3
Boilosft AVI to VCD SVCD DVD Converter 3.61
CleanUp!
Command & Conquer Tiberian Sun
ConvertXtoDVD 2.1.0
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
Dell ResourceCD
DivX
DivX Player
eMule
Football Manager 2005
HijackThis 1.99.1
Intel® PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 9
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Magic DVD Creator Trial Version (English) 7.9.0.3
Microsoft Office Professional Edition 2003
MP3 Player Utilities 1.51
MSXML 4.0 SP2 (KB925672)
NVIDIA Windows 2000/XP Display Drivers
Pacific Poker
Paddy Power Poker
QuickSnooker
Registry Mechanic 5.2
Roxio Easy Media Creator 7.5 Trial
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem ^^
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Sony Ericsson PC Suite
SoundMAX
SpeedTouch USB Software
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Westwood Shared Internet Components
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm Security Suite

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
guestolo can u help please
« Reply #19 on: November 13, 2006, 02:01:01 PM »
Does anything happen when you go to START>>RUN
Copy>>paste the following in the open field

C:\PROGRA~1\PADDYP~1\UNWISE.EXE C:\PROGRA~1\PADDYP~1\INSTALL.LOG

Don't click OK yet
Instead, close all browser windows, including this one, then click OK

Does the program uninstall?
If not, we'll try manual method

Regardless of the above
Run Windows Install Cleanup utility again
Highlight ONLY
(All Users) Roxio Easy Media Creator 7.5 Trial (7.5.0.47)

Then click REMOVE

Reboot your computer
You should be able to remove the following folders
C:\Program Files\Roxio Easy Media Creator 7.5 ENG Trial
C:\Documents and Settings\paddy\Application Data\Roxio

Let me know if PaddyPoker uninstalled
