
I got a problem with computer



hey,

I have a problem with my computer: whenever I open up Windows Live Messenger it also opens Windows Messenger, opens a website, and puts 3 files onto my desktop called alfa.exe, xinstall.exe and something else. Here's the log:

 

Logfile of HijackThis v1.99.1

Scan saved at 3:41:37 PM, on 9/22/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLanCfgAG.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Logitech\G-series Software\LGDCore.exe

C:\Program Files\Logitech\G-series Software\LCDMon.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe

C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

C:\Program Files\Xfire\Xfire.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\Program Files\Winamp\Winamp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\YoYoCool2\Desktop\Xinstall.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\YOYOCO~1\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Shortcut to Enemy Territory Minimizer.lnk = C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab

O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/nProtec...Crypt/npkcx.cab

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...96401dafb6b5e1d

O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: win_systernn - C:\WINDOWS\

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin Wireless Pre-N Desktop Card (Belkin Wireless Pre-N Desktop Card Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Hi yoyocool2! Can you do the following please.

 

I don't see any indication of a Firewall in your HijackThis log. This may be because:

 

(1.) You are using Windows Firewall or a hardware Firewall.

(2.) You are using a Firewall of an unknown vendor.

(3.) You are using a Firewall, but it is disabled for unknown reasons.

(4.) You don't use any firewall at all.

 

In the case you don't have a Firewall, please download one from the list below - They are Free!

 

Zone Alarm << I recommend this

Sunbelt Kerio PF

Outpost Firewall

 

=====

 

You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

 

Please download Ewido to your Desktop or to your usual Download Folder.

http://www.ewido.net/en/download/

  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.

    Note: If the Update now option is grayed out, follow the steps below.

  • Click on Update on the toolbar.
  • Under Manual update, click on the Start Update button.
  • Wait until you see the Update successful message.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.

Ewido manual updates.

Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

 

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Once in Safe Mode:

 

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.

    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.

    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)


  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
=====Reboot back into Normal Mode=====

 

I would like to see another log from HijackThis.

  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button. It will open a Notepad file.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
=====

 

Can you post the following please:

 

1) Ewido log

2) Uninstall list

3) New HijackThis log

 

You may need several posts in case the logs get cut off.


Yeah, I do a lot of gaming and most of the time firewalls lag me, so I don't really use them.

 

Ewido Scan Log

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 7:05:37 AM 9/23/2006

 

+ Scan result:

 

 

 

C:\Program Files\Common Files\{F8A97CF4-0BB2-1033-0105-050410260001}\Update.exe -> Adware.Agent : Cleaned with backup (quarantined).

C:\Program Files\ToolBar888 -> Adware.Softomate : Cleaned with backup (quarantined).

C:\Program Files\ToolBar888\MyToolBar.dll -> Adware.Softomate : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temporary Internet Files\Content.IE5\G63L6PPG\drsmartload_js[1].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temporary Internet Files\Content.IE5\O7YD6PSV\Xinstall[1].exe -> Dropper.PurityScan.ag : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temp\installer.exe -> Dropper.PurityScan.q : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temporary Internet Files\Content.IE5\6M1VU04T\speedtest2[1].dll -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\speedtest2.dll -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).

C:\Program Files\Multi Theft Auto\MTAClient-NoCRC-DRuG-v3.exe -> Not-A-Virus.VirTool.Win32.Patcher.a : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temporary Internet Files\Content.IE5\6M1VU04T\photo942[1].PIF -> Worm.Licat.c : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Local Settings\Temporary Internet Files\Content.IE5\OHOLIN0X\sprT[1].exe -> Worm.Licat.c : Cleaned with backup (quarantined).

 

 

::Report end

 

 

Uninstall_list Log

AC3Filter (remove only)

Ad-Aware SE Personal

Adobe Flash Player 9 ActiveX

Adobe Reader 7.0.7

Adobe Shockwave Player

America's Army

Anarchy Online Classic Edition

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Control Panel

ATI Display Driver

ATI HYDRAVISION

Audacity 1.2.4

AuditionSEA

Autofighter

AVG Free Edition

Belkin Wireless Pre-N Desktop Card

Belkin Wireless Utility

CircleSurround II Plugin for Windows Media Player (Trial)

Conquer 2.0

DivX

DivX Player

DivX Web Player

ewido anti-spyware 4.0

FEARCombat

FLV Player 1.3.3

G15_TeamSpeak (NSIS)

GameArena The Arena

GtkRadiant-1.3.8-ET

Hamachi 0.9.9.9

HijackThis 1.99.1

HyperCam 2

iScrobbler

iTunes

J2SE Runtime Environment 5.0 Update 6

KhalSetup

KnightOnline

LimeWire PRO 4.9.33

Logitech G-series Keyboard Software

Logitech SetPoint

Lord of the Rings Xfire Skin

MAIET Gunz

MapleStory

MapleStory

Messenger Plus! 3

Microsoft .NET Framework 1.1

Microsoft .NET Framework 2.0

Microsoft Visual C++ 2005 Redistributable

mIRC

nProtect KeyCrypt

PCPitstop Panda AntiVirus Scan (remove only)

PMP Transcoding Tool 0.5.1.0 For Windows NT/2000/XP

PokerStars

QuickTime

RaGESCAPE Client

Realtek AC'97 Audio

Replay Converter 2.20

Riva FLV Encoder 2.0

SCAR CDE 2.03

Silkroad

Skype 2.5

Soldat 1.3.1

Sonique2

SpaceCowboy

Spybot - Search & Destroy 1.4

SpywareBlaster v3.5.1

SwiftSwitch

TeamSpeak 2 RC2

Total Video Converter 3.02

Update for Windows XP (KB898461)

Ventrilo Client

Winamp (remove only)

WindowBlinds

Windows Installer 3.1 (KB893803)

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Media Format Runtime

Windows Media Player 10

Windows XP Hotfix - KB842773

WinRAR archiver

WinZip

Wolfenstein - Enemy Territory

World of Warcraft

Xfire (remove only)

 

HJT Log

Logfile of HijackThis v1.99.1

Scan saved at 7:10:16 AM, on 9/23/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLanCfgAG.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Logitech\G-series Software\LGDCore.exe

C:\Program Files\Logitech\G-series Software\LCDMon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe

C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\notepad.exe

C:\HJT\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\YoYoCool2\Desktop\Xinstall.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Shortcut to Enemy Territory Minimizer.lnk = C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab

O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/nProtec...Crypt/npkcx.cab

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...96401dafb6b5e1d

O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: win_systernn - C:\WINDOWS\

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin Wireless Pre-N Desktop Card (Belkin Wireless Pre-N Desktop Card Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Hi again yoyocool2! You should get a Firewall for your computer's protection, but I cannot force you. I recommend you get SP2 once we have finished, because it has a built-in Firewall, which is better than nothing at all.

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

 

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
    • J2SE Runtime Environment 5.0 Update 6
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
=====

 

Open HijackThis

- Click the Do a system scan only button

- Check the following entries (below)

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

 

O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\YoYoCool2\Desktop\Xinstall.exe

 

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/nProtec...Crypt/npkcx.cab

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...96401dafb6b5e1d

O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

 

O20 - Winlogon Notify: win_systernn - C:\WINDOWS\

 

- Close ALL open windows (especially Internet Explorer!)

- Click Fix Checked

- Close HijackThis

 

=====

 

Find and Delete the following:

 

C:\Documents and Settings\YoYoCool2\Desktop\Xinstall.exe << this file

C:\Program Files\ToolBar888 << this folder

 

=====

 

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • A C:\vundofix.txt file will be created, please keep it safe as I'll need to see it soon.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

 

=====

 

Please do an online scan with Panda ActiveScan

 

- Once you are on the Panda site, click the Scan your PC button

- A new window will open...click the Check Now button

- Enter your Country

- Enter your State/Province

- Enter your e-mail address and click send

- Select either Home User or Company

- Click the big Scan Now button

- If it wants to install an ActiveX component allow it

- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

- When download is complete, click on Local Disks to start the scan

- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

 

Please post the following:

 

1) Contents of C:\vundofix.txt

2) Panda report

3) New HijackThis log

 

Also, let me know how things are please.

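The entries the helper asks to fix above are recognisable by pattern rather than by name: an O4 Run item called "explorer" that launches Xinstall.exe from the Desktop, O16 ActiveX downloads from the Zango and matcash hosts, and an O20 Winlogon Notify entry whose "path" is the bare directory C:\WINDOWS\. The script below is an added example written for this page; it is not part of the original thread and not HijackThis code. It triages HijackThis-style lines with those three heuristics over a constructed sample log. The adware host list and the user-writable path markers are assumptions drawn from this thread only, not a vendor signature set, and a hit is a triage prompt, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 line format (modelled on the entries in
# this thread; not a real scan).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\YoYoCool2\Desktop\Xinstall.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...96401dafb6b5e1d
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: win_systernn - C:\WINDOWS\
"""

# Assumptions for this example: autorun names that imitate Windows components,
# path fragments that any user can write to, and the ActiveX hosts the helper
# asked to remove in this thread.
SYSTEM_NAMES = {"explorer", "svchost", "winlogon", "lsass", "services", "csrss"}
USER_WRITABLE_MARKERS = ("\\desktop\\", "\\local settings\\temp\\", "\\temp\\")
KNOWN_ADWARE_HOSTS = {"static.zangocash.com", "activex.matcash.com"}


def _command_path(cmd):
    """Extract the executable path from an O4 command (quoted or unquoted, with optional switches)."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r'(.+?\.(?:exe|dll|com|scr|pif|bat|cmd))(?=\s|$)', cmd, re.I)
    return m.group(1) if m else cmd


def triage_line(line):
    """Return a reason string if the HijackThis line matches a heuristic, else None."""
    m = re.match(r'^O4 - .+?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$', line)
    if m:
        name, path = m.group("name"), _command_path(m.group("cmd"))
        low = path.lower()
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            return f"O4 autorun '{name}' executes from a user-writable location: {path}"
        if name.lower() in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
            return f"O4 autorun '{name}' mimics a system component but runs {path}"
        return None

    m = re.match(r'^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$', line)
    if m:
        host = urlparse(m.group("url")).netloc.lower()
        if host in KNOWN_ADWARE_HOSTS:
            return f"O16 ActiveX control downloaded from known adware host {host}"
        return None

    m = re.match(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$', line)
    if m:
        name, path = m.group("name"), m.group("path").strip()
        base = path.rsplit("\\", 1)[-1]
        # A Winlogon Notify package must name a DLL; a bare directory is never legitimate.
        if path.endswith("\\") or "." not in base:
            return f"O20 Winlogon Notify '{name}' points at a directory, not a DLL: {path!r}"
        return None

    return None


def triage_log(text):
    """Run triage over every non-blank line; returns [(line, reason)] for flagged entries."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reason = triage_line(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG):
        print(f"[!] {why}\n    {flagged}")
```

Run against the sample it flags exactly the three entries the helper chose to fix and leaves the Winamp, Messenger, WGA and WindowBlinds lines alone. To use it on a real log, paste the O4/O16/O20 section into `SAMPLE_LOG` or read a file; the R0 line in the thread (an empty Local Page) is not covered here because it is a cosmetic reset, not an execution path.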

All has been good, apart from when I was downloading a game my computer just restarted, so I started the download again and it restarted. Here are the results.

 

There were no results for VundoFix.

 

 

Incident Status Location

 

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][2].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][2].txt

Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\Cookies\[email protected][2].txt

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\Cookies\[email protected][1].txt

Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\mc-110-12-0000904.exe

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsc18.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsf24.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsg1F.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsg30.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsh6A.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsi3.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsj62.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsn14.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsp3.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsp34.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsq66.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsu38.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsu5E.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsy29.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsz5A.tmp\nsProcess.dll

Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\YoYoCool2\Local Settings\Temp\nsz6E.tmp\nsProcess.dll

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hp2669.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hp2B5.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hp339C.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hp4652.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hp56E.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hp97A5.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpA0C3.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpAC6C.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpACA0.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpB040.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpB224.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpBFC.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpC09B.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpE3FC.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpE6C0.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpE7C.tmp

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpF8A3.tmp

 

 

Hijackthis Log

Logfile of HijackThis v1.99.1

Scan saved at 5:23:54 PM, on 9/23/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLanCfgAG.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Logitech\G-series Software\LGDCore.exe

C:\Program Files\Logitech\G-series Software\LCDMon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe

C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Winamp\Winamp.exe

C:\WINDOWS\System32\divxsm.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\HJT\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Shortcut to Enemy Territory Minimizer.lnk = C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158980548178

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin Wireless Pre-N Desktop Card (Belkin Wireless Pre-N Desktop Card Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

 

Thanks for the help


yoyocool2, there is still some work to do.

 

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

This program is for XP and Windows 2000 only!

 

Double-click ATF Cleaner.exe to open it.

 

Under Main select the following:

  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Cookies
  • Temporary Internet Files
  • Prefetch
  • Java Cache
*The other boxes are optional*

Then click the Empty Selected button.

 

Click Exit on the Main menu to close the program.

 

=====

 

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

 

IMPORTANT: Do NOT run any other options until you are asked to do so!


here is rapport

SmitFraudFix v2.98

 

Scan done at 18:16:54.26, Sat 09/23/2006

Run from C:\Documents and Settings\YoYoCool2\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\hp???.tmp FOUND !

C:\WINDOWS\system32\hp????.tmp FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\YoYoCool2\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\YOYOCO~1\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="wbsys.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

 

Please update Ewido as we will scan with it again soon.

______________________________

 

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

 

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

 

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

______________________________

 

Navigate to C:\Windows\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

 

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

 

Clean out your Temporary Internet files. Proceed like this:

  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

 

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

______________________________

 

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.

    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.

    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)


  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

______________________________

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #3 - Delete Trusted zone by typing 3 and press Enter.

Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

 

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

______________________________

 

Re-scan with Panda Activescan, and save the log.

______________________________

 

Please post:

  • c:\rapport.txt
  • Ewido log
  • Panda Report
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

Ok, I've finally done all the scans; here they are

 

Logfile of HijackThis v1.99.1

Scan saved at 2:15:09 PM, on 9/30/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLanCfgAG.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

C:\Program Files\Logitech\G-series Software\bak\LCDMon.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Xfire\Xfire.exe

C:\Program Files\Winamp\Winamp.exe

C:\WINDOWS\System32\divxsm.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: (no name) - {5D74FB8B-BD57-4461-9A04-A7A3B4454E6D} - C:\WINDOWS\system32\autdev.dll

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O4 - Startup: Shortcut to Enemy Territory Minimizer.lnk = C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

O4 - Startup: Shortcut to LCDMon.lnk = C:\Program Files\Logitech\G-series Software\bak\LCDMon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\YoYoCool2\Start Menu\Programs\IMVU\Run IMVU.lnk

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158980548178

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: autdev - C:\WINDOWS\SYSTEM32\autdev.dll

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin Wireless Pre-N Desktop Card (Belkin Wireless Pre-N Desktop Card Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

 

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 11:25:34 AM 9/30/2006

 

+ Scan result:

 

 

 

C:\Documents and Settings\YoYoCool2\Local Settings\Temporary Internet Files\Content.IE5\WD634P2B\WinAntiVirusPro2006FreeInstall[1].cab/UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).

C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

 

 

::Report end

 

SmitFraudFix v2.98

 

Scan done at 21:24:27.06, Fri 09/29/2006

Run from C:\Documents and Settings\YoYoCool2\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\system32\hp???.tmp Deleted

C:\WINDOWS\system32\hp????.tmp Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

Incident Status Location

 

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][2].txt

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][2].txt

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][2].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\YoYoCool2\Cookies\[email protected][1].txt

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\YoYoCool2\Desktop\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


Hi yoyocool2...it looks like Smitfraud is gone, but Vundo has come back again.

  • Go here to Upload Malware
  • Fill out the information, and post the link to this thread.
  • In the File(s) To Submit: box 1. copy and paste the following:
    • C:\WINDOWS\SYSTEM32\autdev.dll
  • Click on Send File and close the page
Let's use VundoFix again, but slightly differently from before.
  • Double-click VundoFix.exe to run it.
  • Right Click inside the listbox (white box) and click Add more file?
  • Copy & Paste the 2 entries below into the top 2 boxes
    • C:\WINDOWS\SYSTEM32\autdev.dll
    • C:\WINDOWS\system32\vedtua.*
  • Click Add Files and click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
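The helper's call above rests on one detail of the 9/30 HijackThis log: the same unnamed DLL, autdev.dll, shows up both as a browser helper object (O2) and as a Winlogon Notify package (O20). As an added example, not code from this thread or from any of the tools it names, here is a small Python triage script for the HijackThis 1.99 log format that flags exactly that pairing; the sample lines are lifted from the logs posted above, and the allowlist of Notify DLLs is an assumption constructed for the example.

```python
"""Triage a HijackThis v1.99 log for the BHO / Winlogon Notify pairing
that Vundo-style trojans leave behind (autdev.dll in the log above)."""
import re
from collections import defaultdict

# Line shapes as they appear in a HijackThis 1.99 log.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")

# Winlogon Notify DLLs treated as expected on this machine. This list is
# constructed for the example (WgaLogon.dll is Microsoft's WGA notifier,
# wbsrv.dll belongs to the Stardock WindowBlinds install seen in the log);
# a real allowlist would rest on signature checks, not on file names.
NOTIFY_ALLOWLIST = {"wgalogon.dll", "wbsrv.dll"}

SYSTEM32 = "c:\\windows\\system32\\"


def _norm(path: str) -> str:
    """Lower-case a path and strip HijackThis's '(file missing)' tag."""
    return path.replace("(file missing)", "").strip().lower()


def parse(log_text: str):
    """Return (bhos, notifies): lists of (name, normalised path) tuples."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append((m["name"], _norm(m["path"])))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append((m["name"], _norm(m["path"])))
    return bhos, notifies


def triage(log_text: str) -> dict:
    """Map each suspicious DLL path to the list of reasons it was flagged."""
    bhos, notifies = parse(log_text)
    findings = defaultdict(list)

    for name, path in bhos:
        # An unnamed BHO alone proves nothing (Spybot's SDHelper.dll also
        # shows as "(no name)"), but an unnamed BHO living in system32 is
        # the pattern worth a second look.
        if name == "(no name)" and path.startswith(SYSTEM32):
            findings[path].append("unnamed BHO loaded from system32")

    for name, path in notifies:
        dll = path.rsplit("\\", 1)[-1]
        if dll not in NOTIFY_ALLOWLIST:
            findings[path].append("Winlogon Notify DLL not on allowlist")

    # Strongest signal: one DLL registered both as a browser helper and as a
    # Winlogon Notify package, which is how it is reloaded at every logon.
    bho_paths = {p for _, p in bhos}
    for _, path in notifies:
        if path in bho_paths:
            findings[path].append("same DLL registered as BHO and Winlogon Notify")

    return dict(findings)


# Lines taken from the HijackThis logs posted in this thread (the Spybot
# BHO line is from the 9/23 log, the rest from the 9/30 log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5D74FB8B-BD57-4461-9A04-A7A3B4454E6D} - C:\WINDOWS\system32\autdev.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - AppInit_DLLs:
O20 - Winlogon Notify: autdev - C:\WINDOWS\SYSTEM32\autdev.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample, only autdev.dll is reported, with all three reasons; Spybot's unnamed SDHelper.dll in Program Files and the two allowlisted Notify DLLs are left alone.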

Hey

 

Logfile of HijackThis v1.99.1

Scan saved at 6:29:44 AM, on 10/1/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLanCfgAG.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Xfire\xfiremusic.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

C:\Program Files\Logitech\G-series Software\bak\LCDMon.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\HJT\HijackThis.exe

 

O2 - BHO: (no name) - {5D74FB8B-BD57-4461-9A04-A7A3B4454E6D} - C:\WINDOWS\system32\autdev.dll

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O4 - Startup: Shortcut to Enemy Territory Minimizer.lnk = C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

O4 - Startup: Shortcut to LCDMon.lnk = C:\Program Files\Logitech\G-series Software\bak\LCDMon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\YoYoCool2\Start Menu\Programs\IMVU\Run IMVU.lnk

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158980548178

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: autdev - C:\WINDOWS\SYSTEM32\autdev.dll

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin Wireless Pre-N Desktop Card (Belkin Wireless Pre-N Desktop Card Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

 

When I tried to add C:\WINDOWS\system32\vedtua.* it wouldn't add it to the list, so here are the results for C:\WINDOWS\SYSTEM32\autdev.dll

VundoFix V6.1.5

 

Checking Java version...

 

Java version is 1.5.0.8

 

Scan started at 4:11:23 PM 9/23/2006

 

Listing files found while scanning....

 

No infected files were found.

Beginning removal...

 

Beginning removal...

 

Performing Repairs to the registry.

Done!


Let's try this:

 

Can you download ComboFix from here. Save it to your desktop BUT don't do anything with it! (Make sure it is saved to your Desktop)

 

Go to Start > Run > copy and paste "%userprofile%\desktop\combofix.exe" /v autdev

 

Click "OK" to exit, then reboot the system.

 

Once rebooted, post a new HijackThis log please. :)


hi

 

YoYoCool2 - 06-10-02 10:26:37.12 Service Pack 2

ComboFix 06.09.28 - Running from: "C:\Documents and Settings\YoYoCool2\desktop"

Command switches used :: /v autdev

 

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\autdev.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\winupdates

C:\Program Files\Common Files\{F8A97CF4-0BB2-1033-0105-050410260001}

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))

 

 

2006-09-24 06:38 127,208 --a------ C:\WINDOWS\system32\mucltui.dll

2006-09-23 23:13 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2006-09-23 22:32 50,176 --------- C:\WINDOWS\system32\xmlprovi.dll

2006-09-23 22:32 129,536 --------- C:\WINDOWS\system32\xmlprov.dll

2006-09-23 22:31 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys

2006-09-23 22:31 9,216 --------- C:\WINDOWS\system32\proxycfg.exe

2006-09-23 22:31 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll

2006-09-23 22:31 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll

2006-09-23 22:31 81,408 --------- C:\WINDOWS\system32\wscsvc.dll

2006-09-23 22:31 8,192 --a------ C:\WINDOWS\system32\spdwnwxp.exe

2006-09-23 22:31 8,192 --------- C:\WINDOWS\system32\smbinst.exe

2006-09-23 22:31 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys

2006-09-23 22:31 75,776 --------- C:\WINDOWS\system32\strmfilt.dll

2006-09-23 22:31 73,832 --------- C:\WINDOWS\system32\slcoinst.dll

2006-09-23 22:31 73,796 --------- C:\WINDOWS\system32\slserv.exe

2006-09-23 22:31 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys

2006-09-23 22:31 6,016 --------- C:\WINDOWS\system32\drivers\smbali.sys

2006-09-23 22:31 59,648 --------- C:\WINDOWS\system32\drivers\rfcomm.sys

2006-09-23 22:31 526,848 --------- C:\WINDOWS\system32\p2psvc.dll

2006-09-23 22:31 49,152 --------- C:\WINDOWS\system32\powercfg.exe

2006-09-23 22:31 48,640 --------- C:\WINDOWS\system32\pnrpnsp.dll

2006-09-23 22:31 44,672 --------- C:\WINDOWS\system32\drivers\uagp35.sys

2006-09-23 22:31 44,032 --------- C:\WINDOWS\system32\twext.dll

2006-09-23 22:31 42,240 --------- C:\WINDOWS\system32\drivers\viaagp.sys

2006-09-23 22:31 41,088 --------- C:\WINDOWS\system32\drivers\sisagp.sys

2006-09-23 22:31 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys

2006-09-23 22:31 397,056 --------- C:\WINDOWS\system32\s3gnb.dll

2006-09-23 22:31 32,866 --------- C:\WINDOWS\system32\slrundll.exe

2006-09-23 22:31 32,866 --------- C:\WINDOWS\slrundll.exe

2006-09-23 22:31 312,320 --------- C:\WINDOWS\system32\p2pgraph.dll

2006-09-23 22:31 30,080 --------- C:\WINDOWS\system32\drivers\rndismpx.sys

2006-09-23 22:31 3,901 --------- C:\WINDOWS\system32\drivers\siint5.dll

2006-09-23 22:31 29,184 --------- C:\WINDOWS\system32\sdhcinst.dll

2006-09-23 22:31 286,792 --------- C:\WINDOWS\system32\slextspk.dll

2006-09-23 22:31 25,471 --------- C:\WINDOWS\system32\drivers\watv10nt.sys

2006-09-23 22:31 22,271 --------- C:\WINDOWS\system32\drivers\watv06nt.sys

2006-09-23 22:31 21,504 --------- C:\WINDOWS\system32\spupdwxp.exe

2006-09-23 22:31 188,508 --------- C:\WINDOWS\system32\slgen.dll

2006-09-23 22:31 17,408 --------- C:\WINDOWS\system32\winshfhc.dll

2006-09-23 22:31 166,912 --------- C:\WINDOWS\system32\drivers\s3gnbm.sys

2006-09-23 22:31 15,872 --------- C:\WINDOWS\system32\w3ssl.dll

2006-09-23 22:31 13,824 --------- C:\WINDOWS\system32\wscntfy.exe

2006-09-23 22:31 13,776 --------- C:\WINDOWS\system32\drivers\recagent.sys

2006-09-23 22:31 13,568 --------- C:\WINDOWS\system32\drivers\wacompen.sys

2006-09-23 22:31 13,240 --------- C:\WINDOWS\system32\drivers\slwdmsup.sys

2006-09-23 22:31 129,535 --------- C:\WINDOWS\system32\drivers\slnt7554.sys

2006-09-23 22:31 12,672 --------- C:\WINDOWS\system32\drivers\usb8023x.sys

2006-09-23 22:31 116,224 --------- C:\WINDOWS\system32\p2p.dll

2006-09-23 22:31 11,935 --------- C:\WINDOWS\system32\drivers\wadv11nt.sys

2006-09-23 22:31 11,871 --------- C:\WINDOWS\system32\drivers\wadv09nt.sys

2006-09-23 22:31 11,807 --------- C:\WINDOWS\system32\drivers\wadv07nt.sys

2006-09-23 22:31 11,776 --------- C:\WINDOWS\system32\spnpinst.exe

2006-09-23 22:31 11,325 --------- C:\WINDOWS\system32\drivers\vchnt5.dll

2006-09-23 22:31 11,295 --------- C:\WINDOWS\system32\drivers\wadv08nt.sys

2006-09-23 22:31 11,136 --------- C:\WINDOWS\system32\drivers\sffdisk.sys

2006-09-23 22:31 108,032 --------- C:\WINDOWS\system32\wshbth.dll

2006-09-23 22:31 10,240 --------- C:\WINDOWS\system32\drivers\sffp_sd.sys

2006-09-23 22:30 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll

2006-09-23 22:30 755,200 --------- C:\WINDOWS\system32\ir50_32.dll

2006-09-23 22:30 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll

2006-09-23 22:30 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll

2006-09-23 22:30 7,168 --------- C:\WINDOWS\system32\kbdukx.dll

2006-09-23 22:30 7,168 --------- C:\WINDOWS\system32\kbdno1.dll

2006-09-23 22:30 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll

2006-09-23 22:30 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll

2006-09-23 22:30 6,656 --------- C:\WINDOWS\system32\kbdinben.dll

2006-09-23 22:30 6,144 --------- C:\WINDOWS\system32\kbdmlt48.dll

2006-09-23 22:30 6,144 --------- C:\WINDOWS\system32\kbdmlt47.dll

2006-09-23 22:30 6,144 --------- C:\WINDOWS\system32\kbdinbe1.dll

2006-09-23 22:30 59,392 --------- C:\WINDOWS\system32\logman.exe

2006-09-23 22:30 5,632 --------- C:\WINDOWS\system32\kbdmaori.dll

2006-09-23 22:30 452,736 --------- C:\WINDOWS\system32\drivers\mtxparhm.sys

2006-09-23 22:30 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll

2006-09-23 22:30 384,512 --------- C:\WINDOWS\system32\mp4sdmod.dll

2006-09-23 22:30 36,096 --------- C:\WINDOWS\system32\drivers\intelppm.sys

2006-09-23 22:30 338,432 --------- C:\WINDOWS\system32\ir41_qcx.dll

2006-09-23 22:30 29,056 --------- C:\WINDOWS\system32\drivers\ip6fw.sys

2006-09-23 22:30 200,192 --------- C:\WINDOWS\system32\ir50_qc.dll

2006-09-23 22:30 183,808 --------- C:\WINDOWS\system32\ir50_qcx.dll

2006-09-23 22:30 180,360 --------- C:\WINDOWS\system32\drivers\ntmtlfax.sys

2006-09-23 22:30 15,488 --------- C:\WINDOWS\system32\drivers\mssmbios.sys

2006-09-23 22:30 126,686 --------- C:\WINDOWS\system32\drivers\mtlmnt5.sys

2006-09-23 22:30 120,320 --------- C:\WINDOWS\system32\ir41_qc.dll

2006-09-23 22:30 12,672 --------- C:\WINDOWS\system32\drivers\mutohpen.sys

2006-09-23 22:30 118,784 --------- C:\WINDOWS\system32\msdadiag.dll

2006-09-23 22:30 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys

2006-09-23 22:30 1,897,408 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys

2006-09-23 22:30 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll

2006-09-23 22:30 1,309,184 --------- C:\WINDOWS\system32\drivers\mtlstrm.sys

2006-09-23 22:29 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll

2006-09-23 22:29 81,920 --------- C:\WINDOWS\system32\ieencode.dll

2006-09-23 22:29 73,216 --------- C:\WINDOWS\system32\drivers\atintuxx.sys

2006-09-23 22:29 71,680 --------- C:\WINDOWS\system32\blastcln.exe

2006-09-23 22:29 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys

2006-09-23 22:29 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys

2006-09-23 22:29 63,488 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys

2006-09-23 22:29 60,416 --------- C:\WINDOWS\system32\fwcfg.dll

2006-09-23 22:29 57,856 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys

2006-09-23 22:29 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys

2006-09-23 22:29 52,224 --------- C:\WINDOWS\system32\drivers\atinraxx.sys

2006-09-23 22:29 50,688 --------- C:\WINDOWS\system32\btpanui.dll

2006-09-23 22:29 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys

2006-09-23 22:29 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys

2006-09-23 22:29 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys

2006-09-23 22:29 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys

2006-09-23 22:29 42,368 --------- C:\WINDOWS\system32\drivers\agp440.sys

2006-09-23 22:29 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll

2006-09-23 22:29 38,016 --------- C:\WINDOWS\system32\drivers\bthmodem.sys

2006-09-23 22:29 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll

2006-09-23 22:29 36,463 --------- C:\WINDOWS\system32\drivers\ati1tuxx.sys

2006-09-23 22:29 35,456 --------- C:\WINDOWS\system32\drivers\bthprint.sys

2006-09-23 22:29 34,735 --------- C:\WINDOWS\system32\drivers\ati1xsxx.sys

2006-09-23 22:29 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys

2006-09-23 22:29 32,768 --------- C:\WINDOWS\system32\ativtmxx.dll

2006-09-23 22:29 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll

2006-09-23 22:29 31,744 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys

2006-09-23 22:29 30,671 --------- C:\WINDOWS\system32\drivers\ati1raxx.sys

2006-09-23 22:29 30,208 --------- C:\WINDOWS\system32\bthserv.dll

2006-09-23 22:29 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll

2006-09-23 22:29 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll

2006-09-23 22:29 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll

2006-09-23 22:29 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll

2006-09-23 22:29 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll

2006-09-23 22:29 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll

2006-09-23 22:29 29,455 --------- C:\WINDOWS\system32\drivers\ati1xbxx.sys

2006-09-23 22:29 28,672 --------- C:\WINDOWS\system32\drivers\atinsnxx.sys

2006-09-23 22:29 274,304 --------- C:\WINDOWS\system32\drivers\bthport.sys

2006-09-23 22:29 262,784 --------- C:\WINDOWS\system32\drivers\http.sys

2006-09-23 22:29 26,367 --------- C:\WINDOWS\system32\drivers\ati1snxx.sys

2006-09-23 22:29 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys

2006-09-23 22:29 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll

2006-09-23 22:29 24,576 --------- C:\WINDOWS\system32\httpapi.dll

2006-09-23 22:29 23,040 --a------ C:\WINDOWS\system32\fltmc.exe

2006-09-23 22:29 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys

2006-09-23 22:29 21,343 --------- C:\WINDOWS\system32\drivers\ati1ttxx.sys

2006-09-23 22:29 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll

2006-09-23 22:29 20,992 --------- C:\WINDOWS\system32\faxpatch.exe

2006-09-23 22:29 20,992 --------- C:\WINDOWS\system32\bthci.dll

2006-09-23 22:29 193,024 --------- C:\WINDOWS\system32\fsquirt.exe

2006-09-23 22:29 18,944 --------- C:\WINDOWS\system32\drivers\bthusb.sys

2006-09-23 22:29 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll

2006-09-23 22:29 17,024 --------- C:\WINDOWS\system32\drivers\bthenum.sys

2006-09-23 22:29 16,896 --a------ C:\WINDOWS\system32\fltlib.dll

2006-09-23 22:29 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll

2006-09-23 22:29 15,104 --------- C:\WINDOWS\system32\drivers\hidir.sys

2006-09-23 22:29 14,336 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys

2006-09-23 22:29 14,336 --------- C:\WINDOWS\system32\auditusr.exe

2006-09-23 22:29 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll

2006-09-23 22:29 13,824 --------- C:\WINDOWS\system32\drivers\atinttxx.sys

2006-09-23 22:29 13,824 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys

2006-09-23 22:29 13,824 --------- C:\WINDOWS\system32\cmsetacl.dll

2006-09-23 22:29 128,896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys

2006-09-23 22:29 12,047 --------- C:\WINDOWS\system32\drivers\ati1pdxx.sys

2006-09-23 22:29 11,615 --------- C:\WINDOWS\system32\drivers\ati1mdxx.sys

2006-09-23 22:29 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll

2006-09-23 22:29 104,960 --------- C:\WINDOWS\system32\drivers\atinrvxx.sys

2006-09-23 22:29 100,992 --------- C:\WINDOWS\system32\drivers\bthpan.sys

2006-09-23 22:29 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys

2006-09-23 21:57 614,912 --a------ C:\WINDOWS\system32\h323msp.dll

2006-09-23 21:57 39,936 --a------ C:\WINDOWS\system32\mf3216.dll

2006-09-23 21:57 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll

2006-09-23 21:57 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe

2006-09-23 21:29 1,082,368 --a------ C:\WINDOWS\system32\esent.dll

2006-09-23 18:16 53,248 --a------ C:\WINDOWS\system32\Process.exe

2006-09-23 18:16 40,960 --a------ C:\WINDOWS\system32\swsc.exe

2006-09-23 18:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2006-09-23 18:16 135,168 --a------ C:\WINDOWS\system32\swreg.exe

2006-09-21 22:28 778,656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys

2006-09-21 22:28 4,992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys

2006-09-21 22:28 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys

2006-09-21 22:28 27,904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys

2006-09-21 22:28 23,424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys

2006-09-17 21:17 2,048 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys

2006-09-16 20:03 737,280 --a------ C:\WINDOWS\iun6002.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-10-02 10:26 -------- d-------- C:\Program Files\Common Files

2006-10-02 08:25 -------- d-------- C:\Program Files\MSN Messenger

2006-10-01 22:36 125 --a------ C:\Documents and Settings\YoYoCool2\Application Data\iScrobbler.ini

2006-10-01 16:20 -------- d-------- C:\Program Files\Messenger Plus! Live

2006-10-01 10:42 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\Xfire

2006-10-01 06:33 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\teamspeak2

2006-09-30 13:53 -------- d---s---- C:\Program Files\Xfire

2006-09-30 13:50 -------- d-------- C:\Program Files\Winamp

2006-09-30 13:49 -------- d-------- C:\Program Files\Total Video Converter

2006-09-30 13:45 -------- d-------- C:\Program Files\Messenger

2006-09-30 13:36 -------- d-------- C:\Program Files\Internet Explorer

2006-09-30 13:26 -------- d-------- C:\Program Files\ewido anti-spyware 4.0

2006-09-29 23:06 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\IMVU

2006-09-29 21:05 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\Azureus

2006-09-29 20:37 -------- d-------- C:\Program Files\Azureus

2006-09-29 20:24 -------- d-------- C:\Program Files\IMVU

2006-09-29 18:59 -------- d-------- C:\Program Files\BitTorrent

2006-09-29 18:59 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\BitTorrent

2006-09-28 19:16 -------- d-------- C:\Program Files\Xfire Plus

2006-09-28 08:01 -------- d-------- C:\Program Files\QuickTime

2006-09-25 17:19 -------- d-------- C:\Program Files\Wolfenstein - Enemy Territory

2006-09-24 08:17 -------- d-------- C:\Program Files\Outlook Express

2006-09-24 08:17 -------- d-------- C:\Program Files\Common Files\System

2006-09-24 06:39 -------- d---s---- C:\Documents and Settings\YoYoCool2\Application Data\Microsoft

2006-09-23 23:11 -------- d-------- C:\Program Files\Windows Media Player

2006-09-23 23:11 -------- d-------- C:\Program Files\Movie Maker

2006-09-23 23:08 -------- d-------- C:\Program Files\Windows NT

2006-09-23 23:08 -------- d-------- C:\Program Files\NetMeeting

2006-09-23 22:27 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\Skype

2006-09-23 16:08 -------- d-------- C:\Program Files\Java

2006-09-23 16:07 -------- d-------- C:\Program Files\Common Files\Java

2006-09-23 13:38 -------- d-------- C:\Program Files\Wizet

2006-09-23 12:30 -------- d--h----- C:\Program Files\InstallShield Installation Information

2006-09-23 11:10 -------- d-------- C:\Program Files\etproaussie

2006-09-21 22:28 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\AVG7

2006-09-21 20:40 -------- d-------- C:\Program Files\Cheat Engine

2006-09-21 20:39 -------- d-------- C:\Program Files\Replay Converter

2006-09-18 17:16 -------- d-------- C:\Program Files\PokerStars

2006-09-16 20:19 -------- d-------- C:\Program Files\Riva

2006-09-16 20:19 -------- d-------- C:\Program Files\Common Files\SWF Studio

2006-09-16 19:41 -------- d-------- C:\Program Files\FLVPlayer

2006-09-16 11:51 -------- d-------- C:\Program Files\Common Files\NSV

2006-09-09 13:22 120323 --a------ C:\Documents and Settings\YoYoCool2\Application Data\Cosmos Prefs

2006-09-07 07:56 -------- d-------- C:\Program Files\Funcom

2006-09-05 22:32 -------- d-------- C:\Program Files\GtkRadiant-ET-1.3

2006-09-04 22:32 -------- d-------- C:\Program Files\mIRC

2006-09-04 21:40 -------- d-------- C:\Program Files\PCPitstop

2006-09-02 15:52 -------- d-------- C:\Program Files\Silkroad

2006-09-01 15:39 -------- d-------- C:\Program Files\SCAR 2.03

2006-09-01 15:39 -------- d-------- C:\Program Files\Fagex.net Autofighter

2006-09-01 14:47 -------- d-------- C:\Program Files\KnightOnline

2006-08-31 16:18 10345 --a------ C:\WINDOWS\system32\drivers\hamachi.sys

2006-08-31 16:18 -------- d-------- C:\Program Files\Hamachi

2006-08-30 18:35 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\Hamachi

2006-08-26 14:28 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2006-08-26 14:15 -------- d-------- C:\Program Files\Sierra

2006-08-26 13:44 -------- d-------- C:\Program Files\Multi Theft Auto

2006-08-26 13:43 -------- d-------- C:\Program Files\KalOnlineEng

2006-08-26 13:42 -------- d-------- C:\Program Files\Teamspeak2_RC2

2006-08-26 13:38 -------- d-------- C:\Program Files\Yahoo!

2006-08-26 13:38 -------- d-------- C:\Program Files\PokerStars.NET

2006-08-26 13:38 -------- d-------- C:\Program Files\IGN

2006-08-26 12:33 -------- d-------- C:\Program Files\WowPatches

2006-08-25 17:10 -------- d-------- C:\Program Files\SwiftSwitch

2006-08-21 18:46 -------- d-------- C:\Program Files\Audacity

2006-08-21 15:48 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\Help

2006-08-19 12:12 -------- d-------- C:\Program Files\HyCam2

2006-08-16 21:15 61 --a------ C:\WINDOWS\system32\SYSVCPDRV.SYS

2006-08-16 21:13 -------- d-------- C:\Program Files\Blaze Audio

2006-08-16 16:23 -------- d-------- C:\Documents and Settings\YoYoCool2\Application Data\Ventrilo

2006-08-16 16:03 -------- d-------- C:\Program Files\Skype

2006-08-13 15:49 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard

2006-08-10 17:42 -------- d-------- C:\Program Files\GameArena

2006-08-09 15:50 -------- d-------- C:\Program Files\AuditionSEA

2006-08-04 08:42 73216 --a------ C:\WINDOWS\ST6UNST.EXE

2006-08-02 16:39 -------- d-------- C:\Program Files\Schmads Inc

2006-08-02 14:47 -------- d-------- C:\Program Files\Last.fm Player

2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll

2006-07-27 21:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

2006-07-21 16:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"

@=""

"Xfire Music"="\"C:\\Program Files\\Xfire\\xfiremusic.exe\""

"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\

65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

"wextract_cleanup0"="rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\DOCUME~1\\YOYOCO~1\\LOCALS~1\\Temp\\IXP000.TMP\\\""

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000000

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

@=""

"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

@=""

"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "

"item"="Adobe Reader Speed Launch"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]

"backup"="C:\\WINDOWS\\pss\\ATI CATALYST System Tray.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\ATITEC~1\\ATI.ACE\\CLI.exe SystemTray"

"item"="ATI CATALYST System Tray"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ShortKeys Lite.lnk]

"backup"="C:\\WINDOWS\\pss\\ShortKeys Lite.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\SHORTK~1\\shklite.exe "

"item"="ShortKeys Lite"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AGRSMMSG]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="AGRSMMSG"

"hkey"="HKLM"

"command"="AGRSMMSG.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATICCC]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="cli"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="atiptaxx"

"hkey"="HKLM"

"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AVG7_CC]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="avgcc"

"hkey"="HKLM"

"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BitTorrent]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="bittorrent"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HydraVisionDesktopManager]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="HydraDM"

"hkey"="HKLM"

"command"="C:\\Program Files\\ATI Technologies\\ATI HYDRAVISION\\HydraDM.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="iTunesHelper"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MessengerPlus3]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MsgPlus"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msmsgs"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msnmsgr"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Skype"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SoniqueQuickStart]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="sqstart"

"hkey"="HKCU"

"command"="C:\\Program Files\\Sonique\\sqstart.exe -nostick"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SoundMan]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="SOUNDMAN"

"hkey"="HKLM"

"command"="SOUNDMAN.EXE"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="jusched"

"hkey"="HKLM"

"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\winupdates]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="winupdates"

"hkey"="HKLM"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\win_systernn]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="win_systernn"

"hkey"="HKLM"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Xfire Music]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="xfiremusic"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Xfire\\xfiremusic.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\XFP: Multi-IM]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MultiIM"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Xfire Plus\\Multi-IM\\MultiIM.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]

"Messenger"=dword:00000002

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders

securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20060923-161022-441

O20 - Winlogon Notify: win_systernn - C:\WINDOWS\

backup-20060923-161022-925

O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

backup-20060923-161022-788

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...96401dafb6b5e1d

backup-20060923-161022-294

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/nProtec...Crypt/npkcx.cab

backup-20060923-161022-119

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

backup-20060923-161022-899

O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\YoYoCool2\Desktop\Xinstall.exe

backup-20060413-101455-333

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

backup-20060413-101455-418

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

 

Completion time: Mon 10/02/2006 10:28:39.93

ComboFix.txt

 

 

HJT

 

Logfile of HijackThis v1.99.1

Scan saved at 10:30:11 AM, on 10/2/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLanCfgAG.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Xfire\xfiremusic.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

C:\Program Files\Logitech\G-series Software\bak\LCDMon.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\svchost.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.au/

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Shortcut to Enemy Territory Minimizer.lnk = C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

O4 - Startup: Shortcut to LCDMon.lnk = C:\Program Files\Logitech\G-series Software\bak\LCDMon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\YoYoCool2\Start Menu\Programs\IMVU\Run IMVU.lnk

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158980548178

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin Wireless Pre-N Desktop Card (Belkin Wireless Pre-N Desktop Card Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Logfile of HijackThis v1.99.1

Scan saved at 6:26:41 AM, on 10/3/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Utility\WLanCfgAG.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Xfire\xfiremusic.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

C:\Program Files\Logitech\G-series Software\bak\LCDMon.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Xfire\Xfire.exe

C:\HJT\HJT.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.au/

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Shortcut to Enemy Territory Minimizer.lnk = C:\Documents and Settings\YoYoCool2\My Documents\Enemy Territory Minimizer.exe

O4 - Startup: Shortcut to LCDMon.lnk = C:\Program Files\Logitech\G-series Software\bak\LCDMon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\YoYoCool2\Start Menu\Programs\IMVU\Run IMVU.lnk

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158980548178

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin Wireless Pre-N Desktop Card (Belkin Wireless Pre-N Desktop Card Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Utility\WLService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

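As an added example that is not part of either poster's text and is not HijackThis code: a small Python triage pass over the kind of log posted above. It pulls out the entry types a reviewer checks first (O4 Run values that are bare file names, hooks whose file is missing, O16 ActiveX controls from outside an allowlist, non-empty AppInit_DLLs and third-party Winlogon Notify packages, O23 services with no owner). A flag means "look at this by hand", not "malicious": the PCPitstop and Panda O16 controls in this log are online scanners. The sample lines are copied from the posted log; the allowlists and the scoring rules are this example's own assumptions.

```python
"""Triage a HijackThis 1.99.1 log: pull out the entry types a reviewer checks first.

This is an added example for this thread, not code from HijackThis or from
either poster. The sample lines are copied from the second log posted above;
the allowlists and the scoring rules are this example's own assumptions.
"""
import re
from typing import List, Tuple

# Constructed sample: a few lines from the posted log (one or two per entry type).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumptions for this example: hosts whose ActiveX controls (O16) are not
# flagged, and Winlogon Notify packages (O20) that ship with Windows itself.
TRUSTED_DPF_HOSTS = ("microsoft.com",)
KNOWN_WINLOGON_NOTIFY = {"WgaLogon"}

LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
DPF_URL_RE = re.compile(r" - https?://(?P<host>[^/\s]+)")

Finding = Tuple[str, str, str]  # (entry kind, reason, original line)


def parse(log: str) -> List[Tuple[str, str]]:
    """Return (kind, body) for every 'Oxx - ...' style line, skipping the rest."""
    out = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group("kind"), m.group("body")))
    return out


def run_value_image(body: str) -> str:
    """Extract the program path from an O4 Run entry body ('... [name] command')."""
    m = re.search(r"\] (?P<cmd>.*)$", body)
    if not m:
        return ""
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):            # quoted path; arguments follow the closing quote
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def dpf_host(body: str) -> str:
    """Host the O16 ActiveX control was downloaded from, lower-cased."""
    m = DPF_URL_RE.search(body)
    return m.group("host").lower() if m else ""


def is_trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(log: str) -> List[Finding]:
    """Return the entries worth a second look, with the reason for each."""
    findings: List[Finding] = []
    for kind, body in parse(log):
        line = f"{kind} - {body}"
        if kind == "O4":
            image = run_value_image(body)
            # A bare file name is resolved through the search path at logon, so a
            # same-named file planted earlier in that path would run instead.
            if image and "\\" not in image and ":" not in image:
                findings.append((kind, "unqualified-path", line))
        elif "(file missing)" in body:
            # Stale hook whose DLL is gone: harmless now, but shows something was removed.
            findings.append((kind, "file-missing", line))
        elif kind == "O16":
            if not is_trusted_host(dpf_host(body)):
                findings.append((kind, "third-party-activex", line))
        elif kind == "O20":
            if body.startswith("AppInit_DLLs:") and body[len("AppInit_DLLs:"):].strip():
                findings.append((kind, "appinit-dll", line))  # loaded into every process that loads user32
            elif body.startswith("Winlogon Notify:"):
                name = body[len("Winlogon Notify:"):].split(" - ", 1)[0].strip()
                if name not in KNOWN_WINLOGON_NOTIFY:
                    findings.append((kind, "winlogon-notify", line))  # loaded by winlogon.exe as SYSTEM
        elif kind == "O23" and "Unknown owner" in body:
            # No company name in the binary's version info: verify the file by hand.
            findings.append((kind, "unknown-owner", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{reason:20} {line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The two entries a reviewer should take most seriously are the O20 ones, because both load into privileged processes without any user interaction; everything else in this log's output is either stale (the Java button whose DLL is gone) or a known vendor that simply did not fill in version information.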

Hi,

 

Sorry for the delay. Let's continue...

 

Open Notepad!

Copy and Paste everything from the Quote box into Notepad:

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\winupdates]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\win_systernn]

Go to File > Save As

Save File name as Fix.reg

Change Save as Type to All Files and save the file to your desktop.

 

Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info into the registry, click Yes/OK.

________________________________________

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

 

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove the following...
    • J2SE Runtime Environment 5.0 Update 6
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
________________________________________

Your log is clean - Good Job! :)

 

You can delete SmitfraudFix, VundoFix, ComboFix and the fix.reg file as they are not needed anymore.

 

If you don't have any more problems, here are some measures you can take to stay more secure online:

 

Secure your Internet Explorer by going here and following the instructions there.

 

Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or you can get Opera.

 

Use a firewall to help prevent your PC(s) from being usurped by undesirables. If you don't have a firewall, choose one from the list here.

 

Install an Anti-Virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often. If you don't have an Anti-Virus program, choose one from the list here.

 

Install and keep updated Ad-Aware SE and Spybot Search & Destroy.

Run them both on a regular basis, following the manufacturer's recommendations.

 

Install and keep updated SpywareBlaster and SpywareGuard.

 

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

 

Clear your Temp folders.

Go to Start > Control Panel > Internet Options.

Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK

 

Go to "Start" -> "Run" and type in the box: "cleanmgr" press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked

  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin
and then press "OK" to remove them.

 

Go to Start > Find/Search > Files or folders > in the Named box, type: *.tmp, then choose Edit > Select All -> File > Delete.

 

Empty/delete the entire contents from within the following folders:

C:\Windows\temp

C:\temp <-- if you have one.

Note: Empty the contents but do not delete the folder(s).

 

Clear out temp files from the following location. Change "username" to whatever you have on your computer.

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'Show hidden files and folders.' Instructions on how to do so are here.

 

Empty the Recycle Bin!

 

Hide system files

It is very important that system files and folders are hidden again, so that they DO NOT get deleted by mistake. To hide system files and folders, do the following for your operating system...

 

Windows XP

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading, uncheck Do not show hidden files and folders

* Check the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

 

For XP users.

It's a good idea to flush your System Restore points after ridding yourself of malware. You can do this as follows:

  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create a Restore Point, then click Next. Give it a name and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C:) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

 

===============

 

If you have any more problems, post back. Otherwise, respond once more so we may archive this thread. :)

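The Fix.reg step above, as an added example that is not code from the helper's post: build the REGEDIT4 deletion file from a list of keys, and audit a .reg file before merging it so that it deletes only the intended MSCONFIG\Startupreg entries and writes nothing. A `[-KEY]` section deletes the whole key (and everything under it) on merge, so the check refuses anything that is not a direct child of the startup subtree. The allowlisted parent key, the file name and the write-detection rules are this example's assumptions.

```python
"""Build and audit a REGEDIT4 "Fix.reg" that deletes MSCONFIG startup entries.

Added example for this thread, not code from the helper's post. The allowlist
of parent keys a cleanup file may delete under is this example's assumption.
"""
import re
from typing import Any, Dict, Iterable

# Assumption: the only subtree a startup-cleanup .reg is allowed to delete from.
# The two keys in the post above are direct children of it.
ALLOWED_PARENTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg",
)
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
SECTION_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]\s*$")


def is_allowed_delete_target(key: str) -> bool:
    """True only for a direct child of an allowed parent, never the parent itself."""
    if any(c in key for c in "\r\n]"):
        return False
    norm = key.strip().rstrip("\\").lower()
    for parent in ALLOWED_PARENTS:
        p = parent.lower()
        if norm.startswith(p + "\\") and "\\" not in norm[len(p) + 1:]:
            return True
    return False


def build_delete_reg(keys: Iterable[str]) -> str:
    """REGEDIT4 text with one [-KEY] section per key; merging deletes each key.

    REGEDIT4 is the older ANSI header; XP's regedit accepts it, which is why
    Notepad's default encoding works in the posted procedure. Lines are CRLF,
    matching what regedit itself writes.
    """
    lines = ["REGEDIT4", ""]
    for key in keys:
        if not is_allowed_delete_target(key):
            raise ValueError(f"refusing to delete outside the startup subtree: {key}")
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines)


def audit_reg(text: str) -> Dict[str, Any]:
    """Summarise what merging TEXT would do, before anyone double-clicks it."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header: regedit will refuse the file")
    report: Dict[str, Any] = {"deletes": [], "writes": [], "value_lines": 0}
    in_write_section = False
    for line in lines[1:]:
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        m = SECTION_RE.match(s)
        if m:
            in_write_section = not m.group("delete")
            (report["writes"] if in_write_section else report["deletes"]).append(m.group("key"))
        elif in_write_section:
            report["value_lines"] += 1      # "name"=... lines that would be written
    # Deletions that reach outside the subtree the fix is supposed to touch.
    report["out_of_scope"] = [k for k in report["deletes"] if not is_allowed_delete_target(k)]
    return report


def write_fix_reg(path: str, keys: Iterable[str]) -> None:
    """Write the file as bytes so the CRLF line endings survive on any platform."""
    with open(path, "wb") as fh:
        fh.write(build_delete_reg(keys).encode("cp1252"))


if __name__ == "__main__":
    posted = [ALLOWED_PARENTS[0] + r"\winupdates", ALLOWED_PARENTS[0] + r"\win_systernn"]
    reg = build_delete_reg(posted)
    print(reg)
    print(audit_reg(reg))
```

A .reg file received from a forum is worth running through `audit_reg` first: anything in `writes` or a non-zero `value_lines` means the file does more than delete, and anything in `out_of_scope` means it deletes somewhere other than the MSCONFIG startup list. Deleting a key that does not exist is silently ignored by regedit, so merging the file twice is harmless.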
This topic is now closed to further replies.