CapAyam Posted January 26, 2006 Report Share Posted January 26, 2006

Logfile of HijackThis v1.99.1
Scan saved at 12:18:52 AM, on 1/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Effan\My Documents\My File\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpED3E.tmp
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...lient/muweb_site.cab?1125170363015
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4024.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3243101D-0D98-40D0-83A9-D55D18F3BFB9}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I always get a spyware warning every time I use IE. This problem started when I installed vcodec. Can anyone help me to solve this problem?
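Added example (not part of the original thread, and not a HijackThis feature): a small triage script for a HijackThis 1.99 log of the kind posted above. It pulls out the R/O entries and flags the indicators a helper reads first: an O1 hosts entry that maps a name to anything other than a loopback/null address (a redirect, not a block), an O2 BHO loaded from a `.tmp` file in system32, O16 ActiveX downloads from hosts outside a small allow-list, the O17 DNS servers (for checking against the ISP), and entries marked `(file missing)`. `SAMPLE_LOG` is a constructed excerpt of the log in the post; `TRUSTED_DPF_HOSTS` is an assumed allow-list, not something the tool ships with.

```python
"""Triage a HijackThis 1.99 log: pull out the entry types a helper reads first
and flag the indicators visible in the posted log.  Added example, not part of
the thread; SAMPLE_LOG is a constructed excerpt of the posted log and the
trusted-host list is an assumption, not a HijackThis feature."""
import re
from urllib.parse import urlparse

SAMPLE_LOG = """\
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\\WINDOWS\\system32\\hpED3E.tmp
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\\Program Files\\ICQToolbar\\toolbaru.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{3243101D-0D98-40D0-83A9-D55D18F3BFB9}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
PATH_RE = re.compile(r'-\s+"?(?P<path>[A-Za-z]:\\[^"]+?)"?(?:\s+\(file missing\))?\s*$')

# A hosts entry pointing a name at a loopback/null address blocks it; any other
# target silently redirects the user somewhere else.
SINK_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed allow-list for ActiveX (O16) download hosts; everything else is "review".
TRUSTED_DPF_HOSTS = ("microsoft.com", "yimg.com", "yahoo.com", "msn.com")


def trusted_dpf_host(host):
    """True only for an allow-listed domain or a real subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def parse(log_text):
    """Yield (kind, body) for every HijackThis R/O entry in the log."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log_text):
    """Return de-duplicated (severity, kind, message) findings for the log."""
    findings, seen = [], set()

    def add(severity, kind, message):
        key = (kind, message)
        if key not in seen:            # the posted log repeats the O1 line five times
            seen.add(key)
            findings.append((severity, kind, message))

    for kind, body in parse(log_text):
        if kind == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in SINK_IPS:
                add("high", kind, f"hosts file redirects {h.group('name')} to {h.group('ip')}")
        elif kind == "O2":
            p = PATH_RE.search(body)
            if p and p.group("path").lower().endswith(".tmp"):
                add("high", kind, f"BHO loaded from temp file {p.group('path')}")
        elif kind == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if not trusted_dpf_host(host):
                add("review", kind, f"ActiveX control downloaded from {host}")
        elif kind == "O17":
            add("info", kind, "DNS servers: " + body.split("=", 1)[-1].strip())
        if "(file missing)" in body:
            add("low", kind, "orphaned entry: " + body)
    return findings


if __name__ == "__main__":
    for severity, kind, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {kind:4} {message}")
```

On the posted log this reports the msn.com hosts redirect and the `hpED3E.tmp` BHO as high, the 35mb.com applet for review, the DNS servers for verification, and the missing `msgrapp.dll` as a harmless orphan; the later smitRem and ewido output confirms the first two as the SpyAxe components.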
jwbirdsong Posted January 26, 2006 Report Share Posted January 26, 2006

First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you cannot have IE/Firefox/any browser open during the fix.

Please temporarily disable MSAS by doing the following, as it may interfere with the fix:
- Open Microsoft AntiSpyware.
- Click on Options -> Settings.
- In the left pane, click on Real-time Protection.
- Under Startup Options, uncheck "Enable the Microsoft AntiSpyware Security Agents on startup (recommended)".
- Under Real-time spyware threat protection, uncheck "Enable real-time spyware threat protection (recommended)".
- After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
- Restart your computer.
- Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Make sure the settings are changed back when we are done.

Download smitRem.exe (c) noahdfear and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

You may have previously run some of the following programs; please run through the fix and run all programs listed, in order, and make sure to update all.

Please download Ewido Anti-Malware; it is a free version of the program.
- Install ewido security suite.
- When installing the program, under "Additional Options" uncheck:
  - Install background guard
  - Install scan via context menu
- Launch ewido; there should now be an icon on your desktop, double-click it.
- The program will now open to the main screen.
- When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- You will need to update ewido to the latest definition files: on the left hand side of the main screen click Update. Then click on Start Update.
- The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)
- Close Ewido Security Suite.
If you are having problems with the updater, you can use this link to manually update ewido: Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear.
- Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to the following items:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <<--- Leave IF set by you.
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab

Close all other windows and browsers and click FIX CHECKED.
Close HijackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run Ewido:
- Click on Scanner.
- Click on Complete System Scan; the scan will now begin.
- While the scan is in progress you will be prompted to clean files; click OK.
- When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
- Once the scan has completed, there will be a button located at the bottom of the screen named Save Report. Click Save Report.
- Now save the report .txt file to your desktop.
- Close Ewido.

Next go to Control Panel, click Display > Desktop > Customize Desktop > Web > uncheck "Security Info" if present.

Reboot back into Windows and scan your system with Ad-aware:
Ad-aware SE - Download - Home Page
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version; be sure to uninstall the previous version.
After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
Manually run "Ad-Aware SE Personal" and from the main screen click on "Check for Updates Now".
Once the definitions have been updated, reconfigure Ad-Aware for a Full Scan as per the following instructions:
- Launch the program, and click on the Gear at the top of the start screen.
- Under General Settings the following boxes should all be checked off (checked is indicated by a green circle with a check mark in it; un-checked is a red circle with an X in it; if it is greyed out, those features are only available in the retail version):
  - "Automatically save logfile"
  - "Automatically quarantine objects prior to removal"
  - "Safe Mode (always request confirmation)"
  - "Prompt to update outdated definitions" - change to 7 days.
- Click the "Scanning" button (on the left side).
  - Under Drives & Folders, select "Scan within Archives".
  - Click "Click here to select Drives + folders" and select your installed hard drives.
  - Under Memory & Registry, select all options.
- Click the "Advanced" button (on the left hand side).
  - Under "Shell Integration", select "Move deleted files to Recycle Bin".
  - Under "Log-file detail", select all options.
- Click on the "Defaults" button on the left.
  - Type in the full URL of what you want as your default homepage and searchpage, e.g. http://www.google.com.
- Click the "Tweak" button (again, on the left hand side).
  - Expand "Scanning Engine" by clicking on the "+" (plus) symbol and select the following:
    "Unload recognized processes during scanning."
    "Obtain command line of scanned processes"
    "Scan registry for all users instead of current user only"
  - Under "Cleaning Engine", select the following:
    "Automatically try to unregister objects prior to deletion."
    "During removal, unload explorer and IE if necessary"
    "Let Windows remove files in use at next reboot."
    "Delete quarantined objects after restoring"
  - Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)".
- Click on "Proceed" to save these preferences.
- Click on the "Scan Now" button on the left.
- Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
- Close all programs except Ad-aware.
- Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT, even if not prompted to.
After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Then run this online virus scan: ActiveScan
- Once you are on the Panda site, click the Scan your PC button.
- A new window will open... click the Check Now button.
- Enter your Country.
- Enter your State/Province.
- Enter your e-mail address and click Send. (*NOTE: it's perfectly safe to do so. You will NOT be spammed from this.)
- Select either Home User or Company.
- Click the big Scan Now button.
- If/when you get a notice that Panda wants to install an ActiveX component, allow it.
- It will start downloading the files it requires for the scan. (Note: it may take a couple of minutes.)
- When download is complete, click on Local Disks to start the scan.
- When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.

Post the contents of the Panda scan report, a new HijackThis log, smitfiles.txt and the Ewido log in a reply to this thread.
jwbirdsong Posted January 26, 2006 Report Share Posted January 26, 2006 (edited)

Also, when you go to post your replies and have Notepad open, click Format > Word Wrap once to toggle the setting.

Edited January 26, 2006 by jwbirdsong
CapAyam Posted January 28, 2006 Author Report Share Posted January 28, 2006 (edited)

Hi. First of all I would like to thank you for helping. Here is what you asked for.

1 - Panda scan report

I left the PC while it scanned, but when I came back it had rebooted automatically. So I tried to start scanning again, but I always get this same message again and again:

An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again.
Possible causes of this error are:
Not allowing the application's ActiveX control to be downloaded.
Problems with the Internet connection.
The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc., ...

... and my PC still has 1.8 GB of free space.

2 - New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:40:59 AM, on 1/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Effan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpD5DE.tmp (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125170363015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4024.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3243101D-0D98-40D0-83A9-D55D18F3BFB9}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

3 - smitfiles.txt

smitRem (c) log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 01/28/2006
The current time is: 20:09:22.14

Running from
C:\Documents and Settings\Effan\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url

~~~ Favorites ~~~

Antivirus Test Online.url

~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp

~~~ Icons in System32 ~~~

ts.ico
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright (c) 2002-2003 [email protected]

Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

nvctrl.exe

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!

~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~

~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~

4 - Ewido log

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on: 10:21:53 PM, 1/28/2006
 + Report-Checksum: C8D1B676

 + Scan result:

:mozilla.6:C:\Documents and Settings\Effan\Application Data\Phoenix\Profiles\default\58qeh3xi.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Effan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-7fb5dbb4-1c32dafb.class -> Trojan.Java.ClassLoader.f : Cleaned with backup
C:\Documents and Settings\Effan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-645f4c2c-5de80dcc.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\Effan\Cookies\effan@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Effan\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\hani@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Hyperbanner : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Hyperbanner : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\hani@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\hani@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\hani@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\hani@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\hani@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\[email protected][1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Hani\Cookies\hani@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Mama\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mama\Cookies\mama@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4E7B1117-85BB-4C05-85C4-E16DD1\90108ECA-EC37-4EDE-B864-0F88A2 -> Not-A-Virus.Hoax.Win32.Renos.at : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AC248ACA-63AB-4E74-BD18-44A07A\8F5E0E50-79D7-44E0-9286-9D2F05 -> Not-A-Virus.Hoax.Win32.Renos.at : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall4_34.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall4_80.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall5_20.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall5_40.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall5_48.exe -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall5_64.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall6_10.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall6_22.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/WINDOWS/NDNuninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/Program Files/newdotnet/uninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/Program Files/newdotnet/newdotnet6_90.dll -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/Program Files/newdotnet/uninstall5_40.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/Program Files/newdotnet/uninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051030151807.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp\ME2.DLL_tobedeleted -> Spyware.Downloadware : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp\bdedownloader.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp\bdefdi.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp\dman25.dll -> Adware.BrilliantDigital : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP386\A0121365.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP386\A0121369.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP417\A0127003.dll -> Not-A-Virus.Hoax.Win32.Renos.at : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP423\A0127230.exe -> Downloader.Zlob.fa : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP424\A0127271.exe -> Downloader.Zlob.fa : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP424\snapshot\MFEX-1.DAT -> Downloader.Zlob.fa : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127425.dll -> Not-A-Virus.Hoax.Win32.Renos.v : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127430.exe -> Downloader.Zlob.fa : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\nvctrl.exe -> Hijacker.SpyAxe : Cleaned with backup

::Report End

Edited January 28, 2006 by elfie
jwbirdsong Posted January 28, 2006

Looking really good!!

First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix.

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Please run HijackThis and click "Scan." Place checks next to the following entries:
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpD5DE.tmp (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab

You may also optionally check the following entries for removal:
All of the following are UN-needed to run at startup. They can be run as needed, saving system resources for better uses.
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Close all browser and other windows except for HijackThis, and click "Fix Checked".

Restart your computer and try the Online scan HERE instead... Click on the Online scan button NOT the File scanner.. agree to privacy statement and accept the ActiveX download.. Once scan is complete save a log and post a new HijackThis and the Online scan results.

ADDED.. Also update your Java.. go to Control Panel > click on the Java applet > Click Update tab and then Update button... Once the new version is installed and rebooted.. Open Add/Remove in Control Panel and uninstall ALL Java that is NOT version JRE 5 update 6
CapAyam Posted January 29, 2006

Hi jwbirdsong.
Here are my new...

1) HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 4:19:06 AM, on 1/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Effan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125170363015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4024.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3243101D-0D98-40D0-83A9-D55D18F3BFB9}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

2) Online scan results

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 30, 2006 04:15:58
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/01/2006
Kaspersky Anti-Virus database records: 163175
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 87172
Number of viruses found: 4
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 5191 sec

Infected Object Name - Virus Name
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp Infected: Trojan-Downloader.Win32.Zlob.ez
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP416\A0126888.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP416\A0126984.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP416\A0126987.exe/data0007 Infected: Trojan.Win32.Zapchast
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP416\A0126987.exe Infected: Trojan.Win32.Zapchast
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP417\A0127014.tlb Infected: Trojan-Downloader.Win32.Zlob.fd
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP423\A0127222.tlb Infected: Trojan-Downloader.Win32.Zlob.fd
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP424\A0127293.exe Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127329.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127346.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127360.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127372.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127382.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127394.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127409.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127420.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127449.exe Infected: Trojan-Downloader.Win32.Zlob.fj

Scan process completed.
CapAyam Posted January 29, 2006

Ok java updated.
jwbirdsong Posted January 30, 2006

Log is looking great..

You should manually clear out the quarantine folder here ---> C:\Program Files\Yahoo!\YPSR\Quarantine\

Couple of quick questions though.

O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com

The above indicates you have 5 duplicate lines in your hosts file..did YOU put them there...FWIW that is the correct IP for MS so the entries are OK, I just wonder why there are 5.

Other thing that may be of concern is
O17 - HKLM\System\CCS\Services\Tcpip\..\{3243101D-0D98-40D0-83A9-D55D18F3BFB9}: NameServer = 202.188.0.133,202.188.1.5
Seems to be a DNS server in Malaysia..are you there also??

If you are unfamiliar with your hosts file it is located in C:>WINNT>SYSTEM32>DRIVERS>ETC .
A GREAT Hosts file reader/editor/manager is available from HERE
Great info on hosts available at BleepingComputer

Edited January 30, 2006 by jwbirdsong
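The two log sections jwbirdsong is asking about in the post above, O1 (hosts-file entries) and O17 (the NameServer value), lend themselves to a quick offline triage. The Python script below is an added example written for this page; it is not part of the thread, of HijackThis or of any tool the helpers link to. It counts how many times each hosts entry repeats, flags any hostname that is pointed at more than one address (the classic hosts-hijack pattern), and lists the DNS servers the O17 lines name so a reviewer can compare them with the resolvers the user's ISP is expected to assign. That expected list is an assumption the caller supplies; the sample log is constructed from the lines quoted in the thread.

```python
"""Triage helper for the O1 (hosts file) and O17 (NameServer) lines of a
HijackThis log.

Added example for this page; not part of the thread and not part of
HijackThis. It answers the helper's two questions from the log text alone:
how often each hosts entry is repeated, whether any hostname is mapped to
more than one address, and which DNS servers the O17 entries name so they
can be compared against an expected list supplied by the caller.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the O1 and O17 lines quoted in the thread, plus one
# O4 line to show that unrelated sections are ignored.
SAMPLE_LOG = "\n".join([
    r"O1 - Hosts: 207.68.172.246 msn.com",
    r"O1 - Hosts: 207.68.172.246 msn.com",
    r"O1 - Hosts: 207.68.172.246 msn.com",
    r"O1 - Hosts: 207.68.172.246 msn.com",
    r"O1 - Hosts: 207.68.172.246 msn.com",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3243101D-0D98-40D0-83A9-D55D18F3BFB9}: NameServer = 202.188.0.133,202.188.1.5",
])

# O1 lines read "O1 - Hosts: <ip> <hostname>"; O17 lines end in
# "NameServer = <ip>[,<ip>...]".
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = ([\d.,\s]+)$")


def parse_hosts_entries(log_text):
    """Count each (ip, hostname) pair reported by an O1 line."""
    counts = Counter()
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def duplicate_hosts_entries(log_text):
    """Entries that appear more than once, as ((ip, hostname), count)."""
    return [(entry, n) for entry, n in parse_hosts_entries(log_text).items() if n > 1]


def conflicting_hosts_entries(log_text):
    """Hostnames mapped to more than one address; a hijack indicator."""
    by_host = defaultdict(set)
    for ip, host in parse_hosts_entries(log_text):
        by_host[host].add(ip)
    return {host: sorted(ips) for host, ips in by_host.items() if len(ips) > 1}


def parse_nameservers(log_text):
    """DNS servers named by O17 lines, in order of first appearance."""
    servers = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for s in m.group(1).split(","):
            s = s.strip()
            if s and s not in servers:
                servers.append(s)
    return servers


def unexpected_nameservers(log_text, expected):
    """Servers not in the caller's expected list (e.g. the ISP's resolvers)."""
    expected = set(expected)
    return [s for s in parse_nameservers(log_text) if s not in expected]


def triage(log_text, expected_nameservers=()):
    """Summarise the findings a helper would want to raise with the user."""
    return {
        "duplicate_hosts": duplicate_hosts_entries(log_text),
        "conflicting_hosts": conflicting_hosts_entries(log_text),
        "nameservers": parse_nameservers(log_text),
        "unexpected_nameservers": unexpected_nameservers(log_text, expected_nameservers),
    }


if __name__ == "__main__":
    # Assumed: the user's ISP resolvers are the two addresses in the log.
    report = triage(SAMPLE_LOG, expected_nameservers=["202.188.0.133", "202.188.1.5"])
    for entry, n in report["duplicate_hosts"]:
        print(f"hosts entry {entry[1]} -> {entry[0]} appears {n} times")
    for host, ips in report["conflicting_hosts"].items():
        print(f"{host} points at several addresses: {', '.join(ips)}")
    print("nameservers:", ", ".join(report["nameservers"]))
    print("unexpected:", report["unexpected_nameservers"] or "none")
```

Run against the thread's own lines it reports the five repeated msn.com entries, no conflicting mappings, and the two 202.188.x.x resolvers; whether those resolvers are legitimate is the question the helper still has to ask the user, which is why the expected list is an input rather than something the script guesses.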
CapAyam Posted January 30, 2006

You should manually clear out the quarantine folder here ---> C:\Program Files\Yahoo!\YPSR\Quarantine\
-OK, I HAVE CLEARED ALL THE FILES.

Couple of quick questions though.
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
The above indicates you have 5 duplicate lines in your hosts file..did YOU put them there...FWIW that is the correct IP for MS so the entries are OK, I just wonder why there are 5.
-NO. SO WHAT SHOULD I DO?

Other thing that may be of concern is
O17 - HKLM\System\CCS\Services\Tcpip\..\{3243101D-0D98-40D0-83A9-D55D18F3BFB9}: NameServer = 202.188.0.133,202.188.1.5
Seems to be a DNS server in Malaysia..are you there also??
-YES

If you are unfamiliar with your hosts file it is located in C:>WINNT>SYSTEM32>DRIVERS>ETC .
A GREAT Hosts file reader/editor/manager is available from HERE
Great info on hosts available at BleepingComputer
-I'M A BIT DUMB WHEN IT COMES TO COMPUTERS. IF YOU DON'T MIND, CAN YOU GUIDE ME STEP BY STEP ON WHAT TO DO NEXT? SORRY FOR ALL THE HASSLE THAT I GAVE YOU.
jwbirdsong Posted February 2, 2006

Download Hoster from here: http://www.funkytoad.com/download/hoster.zip
Unzip somewhere permanent. Help with unzipping files is HERE
Run the program
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Run the KASPERSKY ON-LINE one more time and post results along w/ a FINAL HijackThis log

Edited February 2, 2006 by jwbirdsong
CapAyam Posted February 2, 2006

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, February 03, 2006 03:45:59
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/02/2006
Kaspersky Anti-Virus database records: 163813
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 88131
Number of viruses found: 4
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 5782 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP416\A0126888.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP416\A0126984.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP416\A0126987.exe/data0007 Infected: Trojan.Win32.Zapchast
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP416\A0126987.exe Infected: Trojan.Win32.Zapchast
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP417\A0127014.tlb Infected: Trojan-Downloader.Win32.Zlob.fd
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP423\A0127222.tlb Infected: Trojan-Downloader.Win32.Zlob.fd
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP424\A0127293.exe Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127329.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127346.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127360.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127372.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127382.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127394.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127409.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127420.tlb Infected: Trojan-Downloader.Win32.Zlob.fj
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP426\A0127449.exe Infected: Trojan-Downloader.Win32.Zlob.fj

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 3:46:51 AM, on 2/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitComet\BitComet.exe
C:\Documents and Settings\Effan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125170363015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4024.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3243101D-0D98-40D0-83A9-D55D18F3BFB9}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
jwbirdsong Posted February 4, 2006

Congratulations, your log is clean.

First, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download are available at the link in my signature.

Make SURE to read How Did I Get Infected in the First Place??
CapAyam Posted February 5, 2006

Hi jwbirdsong,
Your support is greatly appreciated.
Thank you again
jwbirdsong Posted February 5, 2006

It's why we're here!
jwbirdsong Posted February 5, 2006

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.