Tech Support Guy Forums, Security & Malware Removal: Malware Removal & HijackThis Logs
Pop-ups and System Slowdown

Closed Thread
Bluerain80 (Junior Member, joined Feb 2007), 17-Feb-2007, 08:53 PM, #1
Pop-ups and System Slowdown
Hello, I'm trying to clean up an old PC that I haven't used in a while. So far, I've been experiencing some major slowdowns and crashes, with the occasional pop-ups when browsing. I have used both Ad-Aware and Spybot S&D to limited effect, and I need some help for the next step. My HJT log is pasted below, thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 5:54:29 PM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\wnames\wnames.exe
C:\WINDOWS\Config\svhost32.exe
C:\WINDOWS\inf\rundll32.exe
C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\addins\rundll32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\m?iexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\YJH\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {3635A2BB-3754-F700-FD51-49D259A38209} - nmdllw.dll (file missing)
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\explorer.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: digitalnames - {763A1949-7F02-4965-AB8E-57CBFFB1BE1C} - C:\Program Files\wnames\wnamesc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B575293D-9FA1-9553-DDF8-E7ABAF7750B1} - C:\WINDOWS\system32\vdyzoa.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [wnames] C:\Program Files\wnames\wnames.exe
O4 - HKLM\..\Run: [fzg] C:\WINDOWS\Config\svhost32.exe
O4 - HKLM\..\Run: [Rhg] C:\WINDOWS\inf\rundll32.exe
O4 - HKLM\..\Run: [gndze.exe] C:\WINDOWS\system32\gndze.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [MONITER] WTFCTF.exe
O4 - HKLM\..\Run: [StartCpl] MONITER.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKLM\..\Run: [Rr2] C:\WINDOWS\addins\rundll32.exe
O4 - HKLM\..\Run: [bljnf.exe] C:\WINDOWS\system32\bljnf.exe
O4 - HKLM\..\Run: [RKrx] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [dmosd.exe] C:\WINDOWS\system32\dmosd.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JAguAr] zxc.exe
O4 - HKCU\..\Run: [cnftips] sysconf16.exe
O4 - HKCU\..\Run: [DTOURS] uio.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nm...MStarter23.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/Image...ageUpload2.cab
O16 - DPF: {124250DD-E2CC-4B5B-AE7E-C9AC8A11DF43} (StreamNote2 Control) - http://cyber.jungchul.com/data17/Exp...treamNote2.cab
O16 - DPF: {1D046A46-955A-4FBC-800E-67F123047B2B} (Sso001 Control) - http://www.ibegin.co.kr/setstart/setstart/sso001i.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymus.../skcbgmset.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/So...30/SBStart.CAB
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,2,0
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041008.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC307D1-9687-4C59-AE40-4A9AE11D0A80}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{28896D43-BFE9-4C73-91BE-480AC2335DE8}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDD79CD-2C14-49E7-9AF7-E76DA8646F71}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1383552-8B57-4185-89C9-E9055441C9AD}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC307D1-9687-4C59-AE40-4A9AE11D0A80}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ahnlab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
JSntgRvr (Moderator, Puerto Rico, joined Jul 2003), 17-Feb-2007, 10:57 PM, #2
Hi, Bluerain80

Welcome to TSG.

Please read this post completely. It may make it easier for you if you print, or copy and paste this post to a new text document for reference later.

This will likely be a multi-step process for removing the malware that has infected the system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Please create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "Before VirusScan", then click Create.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  1. Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  2. Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  3. Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  4. Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  5. Make sure that at least the first two check boxes are ticked
  6. Press OK
  7. Press YES to create the folder.
Registry Modifications

Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg . Don't do anything with it yet. We will run it shortly.

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.

Please download FixWareout from Here or Here.

Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.
  1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  2. The fix will begin; follow the prompts.
  3. If your firewall gives an alert (because this tool will download additional files from the internet), please don't let your firewall block it, but allow it instead.
  4. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
  5. Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.
Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

R3 - URLSearchHook: (no name) - {3635A2BB-3754-F700-FD51-49D259A38209} - nmdllw.dll (file missing)
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\explorer.exe
O2 - BHO: digitalnames - {763A1949-7F02-4965-AB8E-57CBFFB1BE1C} - C:\Program Files\wnames\wnamesc.dll
O2 - BHO: (no name) - {B575293D-9FA1-9553-DDF8-E7ABAF7750B1} - C:\WINDOWS\system32\vdyzoa.dll
O4 - HKLM\..\Run: [wnames] C:\Program Files\wnames\wnames.exe
O4 - HKLM\..\Run: [fzg] C:\WINDOWS\Config\svhost32.exe
O4 - HKLM\..\Run: [Rhg] C:\WINDOWS\inf\rundll32.exe
O4 - HKLM\..\Run: [gndze.exe] C:\WINDOWS\system32\gndze.exe
O4 - HKLM\..\Run: [MONITER] WTFCTF.exe
O4 - HKLM\..\Run: [StartCpl] MONITER.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKLM\..\Run: [Rr2] C:\WINDOWS\addins\rundll32.exe
O4 - HKLM\..\Run: [bljnf.exe] C:\WINDOWS\system32\bljnf.exe
O4 - HKLM\..\Run: [RKrx] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [dmosd.exe] C:\WINDOWS\system32\dmosd.exe
O4 - HKCU\..\Run: [JAguAr] zxc.exe
O4 - HKCU\..\Run: [cnftips] sysconf16.exe
O4 - HKCU\..\Run: [DTOURS] uio.exe
O4 - Global Startup: winlgn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC307D1-9687-4C59-AE40-4A9AE11D0A80}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{28896D43-BFE9-4C73-91BE-480AC2335DE8}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDD79CD-2C14-49E7-9AF7-E76DA8646F71}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1383552-8B57-4185-89C9-E9055441C9AD}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC307D1-9687-4C59-AE40-4A9AE11D0A80}: NameServer = 85.255.113.198,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138


Click FIX CHECKED. Close HijackThis.

Double click on the Regfix.reg file and select Yes when prompted to merge it into the registry.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\rundl132.exe
    C:\WINDOWS\system32\explorer.exe
    C:\Program Files\wnames
    C:\WINDOWS\system32\vdyzoa.dll
    C:\WINDOWS\Config\svhost32.exe
    C:\WINDOWS\inf\rundll32.exe
    C:\WINDOWS\system32\gndze.exe
    C:\WINDOWS\system32\WTFCTF.exe
    C:\WINDOWS\system32\MONITER.exe
    C:\WINDOWS\system32\yaemu.exe
    C:\WINDOWS\addins\rundll32.exe
    C:\WINDOWS\system32\bljnf.exe
    C:\WINDOWS\down\rundll32.exe
    C:\WINDOWS\system32\dmosd.exe
    C:\WINDOWS\system32\zxc.exe
    C:\WINDOWS\system32\sysconf16.exe
    C:\WINDOWS\system32\uio.exe
    C:\WINDOWS\system32\winlgn.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
    • If able, copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on a note pad document. Save it on the desktop and post its contents in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  1. Enter your Control Panel and double-click on Network Connections
  2. Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL, or AOL Connection.
  3. Left click on Properties
  4. Double-Click on the Internet Protocol (TCP/IP) item
  5. Select the radio dial that says Obtain DNS Servers Automatically
  6. Press OK twice to get out of the properties screen
  7. Restart the computer
Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

ipconfig /flushdns (The space between g and / is needed)
Exit

Restart the computer.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log.
__________________
If I have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here

Unanswered threads for 5 days will no longer be part of my subscriptions.

Last edited by JSntgRvr : 17-Feb-2007 11:05 PM.
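The entries JSntgRvr picks out of the log above follow from a handful of checks a log reader can automate: a core Windows binary running from a directory it never ships in (C:\WINDOWS\inf\rundll32.exe, and explorer.exe under system32 chained onto UserInit), file names one character away from a real one (rundl132.exe, svhost32.exe, winlgn.exe), a character HijackThis could only print as "?" (m?iexec.exe), and per-interface NameServer values pointing at public addresses, which is what the "Obtain DNS Servers Automatically" and ipconfig /flushdns steps undo. The script below is an added example written for this page; it is not part of the thread, of HijackThis or of FixWareout. The CORE_HOME table, the KNOWN_GOOD allowlist, the 0.8 similarity threshold and the function names are my own choices; it assumes a default Windows XP layout (%SystemRoot% = C:\WINDOWS) and a home LAN whose resolvers come from DHCP. The sample log lines are constructed from posts #1 and #2, plus one 192.168.1.1 NameServer line added as a clean control that does not appear in the thread.

```python
"""Triage a HijackThis v1.99 log for the indicators this thread turns on.

Added example; not part of the thread, of HijackThis or of FixWareout.
Assumptions: default Windows XP layout (%SystemRoot% = C:\\WINDOWS) and a
home LAN whose resolvers are assigned by DHCP, so any hard-coded public
NameServer deserves a look.
"""
import ipaddress
import re
import unicodedata
from difflib import SequenceMatcher

# Core binaries malware likes to impersonate, and the one directory each ships
# in on XP (assumption: default %SystemRoot%).  Everything is compared lowercase.
CORE_HOME = {
    "rundll32.exe": r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "msiexec.exe":  r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Genuine names that resemble a core binary; exempt from the lookalike test so
# iexplore.exe is not reported as a fake explorer.exe.
KNOWN_GOOD = set(CORE_HOME) | {"iexplore.exe"}
LOOKALIKE_THRESHOLD = 0.8   # heuristic; chosen against the names in this log

PATH_RE = re.compile(r'(?i)(?:[a-z]:\\[^"]*?|[^\s"\\,=\[\]]+)\.(?:exe|dll)')
O4_PREFIX = re.compile(r'^O4 - .*?: (?:\[[^\]]*\]\s*)?')
NAMESERVER_RE = re.compile(r'NameServer = (.*)$')


def check_binary(path):
    """Findings for one executable path: odd characters in the file name,
    a core binary outside its home directory, or a lookalike name."""
    findings = []
    parent, _, name = path.lower().rpartition("\\")

    # HijackThis prints '?' for a character it cannot render; the AV report
    # later in the thread shows the real character was Cyrillic U+0455.
    odd = next((c for c in name if c == "?" or ord(c) > 127), None)
    if odd is not None:
        label = ("'?' (unrenderable character)" if odd == "?"
                 else unicodedata.name(odd, "U+%04X" % ord(odd)))
        findings.append(f"{path}: file name contains {label}")

    # A genuine core name running from a directory it never ships in.
    if name in CORE_HOME and parent and parent != CORE_HOME[name]:
        findings.append(f"{path}: {name} outside {CORE_HOME[name]}")

    # Close to a core name but not itself a known binary (rundl132, svhost32).
    if name not in KNOWN_GOOD:
        for core in CORE_HOME:
            ratio = SequenceMatcher(None, name, core).ratio()
            if ratio >= LOOKALIKE_THRESHOLD:
                findings.append(f"{path}: looks like {core} (similarity {ratio:.2f})")
                break
    return findings


def check_nameserver(value):
    """Flag hard-coded resolvers outside private address space."""
    findings = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            findings.append(f"NameServer {token!r}: not an IP address")
            continue
        if not ip.is_private:
            findings.append(f"NameServer {ip}: public resolver hard-coded in the registry")
    return findings


def triage(log_text):
    """Walk the log once and collect findings from every section handled here."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"(?i)^[a-z]:\\", line):              # Running processes
            findings += check_binary(line)
        elif line.startswith("O4 - "):                     # autorun entries
            for p in PATH_RE.findall(O4_PREFIX.sub("", line)):
                if "\\" not in p:
                    findings.append(f"{p}: autorun by bare name, resolved via PATH; locate the file")
                findings += check_binary(p)
        elif line.startswith(("F2 - ", "F3 - ")):         # system.ini / win.ini hooks
            key, _, value = line.partition("=")
            progs = [p for p in value.split(",") if p]
            if "UserInit" in key and len(progs) > 1:
                findings.append("UserInit chains extra program(s): " + ", ".join(progs[1:]))
            for p in progs:
                findings += check_binary(p)
        elif line.startswith("O17 - "):                    # per-interface DNS
            m = NAMESERVER_RE.search(line)
            if m:
                findings += check_nameserver(m.group(1))
    return findings


# Constructed from the logs in posts #1 and #2; the 192.168.1.1 line is an
# added clean control that does not appear in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Config\svhost32.exe
C:\WINDOWS\inf\rundll32.exe
C:\WINDOWS\system32\m?iexec.exe
C:\Program Files\Internet Explorer\iexplore.exe

F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\explorer.exe,
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Rhg] C:\WINDOWS\inf\rundll32.exe
O4 - HKCU\..\Run: [JAguAr] zxc.exe
O4 - Global Startup: winlgn.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC307D1-9687-4C59-AE40-4A9AE11D0A80}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The lookalike test is only a heuristic: SequenceMatcher scores iexplore.exe against explorer.exe almost as high as it scores rundl132.exe against rundll32.exe, which is why genuine names go on the allowlist rather than relying on the threshold alone. The random-looking names the moderator also removed (gndze.exe, yaemu.exe, bljnf.exe) are not caught by any of these checks; those still need a human, or a reputation lookup, to judge.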
Bluerain80 (Junior Member, joined Feb 2007), 18-Feb-2007, 01:16 AM, #3
Thanks, I appreciate your help

I followed all of your steps, but it looks like I hit a little snag. The report created by Erunt looks like the following.

뻣뻣?End report 뻣뻣?

That's all that's in the text file, and I'm guessing it's a lot less than what's usually on there. Judging by those strange characters, I'm wondering if some of my non-English Windows settings could be affecting the generated result.

In the meantime, here's my newest HJT log and the text report from regfix.exe

-------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:15:14 PM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\m?iexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\YJH\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nm...MStarter23.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/Image...ageUpload2.cab
O16 - DPF: {124250DD-E2CC-4B5B-AE7E-C9AC8A11DF43} (StreamNote2 Control) - http://cyber.jungchul.com/data17/Exp...treamNote2.cab
O16 - DPF: {1D046A46-955A-4FBC-800E-67F123047B2B} (Sso001 Control) - http://www.ibegin.co.kr/setstart/setstart/sso001i.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymus.../skcbgmset.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/So...30/SBStart.CAB
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,2,0
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041008.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ahnlab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

-------------------------------------------------------------------------

C:\WINDOWS\rundl132.exe moved successfully.
C:\WINDOWS\system32\explorer.exe moved successfully.
C:\Program Files\wnames moved successfully.
File/Folder C:\WINDOWS\system32\vdyzoa.dll not found.
C:\WINDOWS\Config\svhost32.exe moved successfully.
C:\WINDOWS\inf\rundll32.exe moved successfully.
File/Folder C:\WINDOWS\system32\gndze.exe not found.
File/Folder C:\WINDOWS\system32\WTFCTF.exe not found.
File/Folder C:\WINDOWS\system32\MONITER.exe not found.
File/Folder C:\WINDOWS\system32\yaemu.exe not found.
C:\WINDOWS\addins\rundll32.exe moved successfully.
File/Folder C:\WINDOWS\system32\bljnf.exe not found.
File/Folder C:\WINDOWS\down\rundll32.exe not found.
File/Folder C:\WINDOWS\system32\dmosd.exe not found.
File/Folder C:\WINDOWS\system32\zxc.exe not found.
File/Folder C:\WINDOWS\system32\sysconf16.exe not found.
File/Folder C:\WINDOWS\system32\uio.exe not found.
File/Folder C:\WINDOWS\system32\winlgn.exe not found.

Created on 02/17/2007 21:59:00
JSntgRvr (Moderator, Puerto Rico, joined Jul 2003), 18-Feb-2007, 12:05 PM, #4
Hi, Name.

It is looking much better.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Perform the following steps in safe mode:
  1. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  5. If you have any infections you will be prompted; then select "Apply all actions"
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  8. Close AVG Anti-Spyware .
Restart back into Windows normally now.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post a fresh Hijackthis log along with the AVG Anti-spyware and ActiveScan reports.
Bluerain80 (Junior Member, joined Feb 2007), 18-Feb-2007, 11:09 PM, #5
Hello again. Here are the AVG and ActiveScan reports as well as the latest HJT log.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:44:08 PM 2/18/2007

+ Scan result:



C:\WINDOWS\system32\dgtupdate.exe -> Adware.DigitalNames : Cleaned with backup (quarantined).
C:\WINDOWS\system32\machdsdk.dll -> Adware.DigitalNames : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winhtml.dll -> Adware.DigitalNames : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xprtect.exe -> Adware.DigitalNames : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP735\A0145420.exe -> Adware.KillAndClean : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Application Data\ruas.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mѕiexec.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145396.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145391.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145392.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145393.dll -> Adware.WinAD : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145214.exe -> Adware.WinFetcher : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Local Settings\Temp\~420736.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Local Settings\Temp\~432597.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Local Settings\Temp\~436728.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Local Settings\Temp\~482901.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Local Settings\Temp\~489630.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Local Settings\Temp\~583163.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Local Settings\Temp\~587152.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Local Settings\Temp\~837846.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\~144168.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\~83188.tmp -> Adware.Wintol : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145200.dll:fvrru -> Downloader.Agent.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145201.dll:fvrru -> Downloader.Agent.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145202.dll:fvrru -> Downloader.Agent.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145203.dll:fvrru -> Downloader.Agent.an : Cleaned with backup (quarantined).
C:\WINDOWS\6Sy.exe -> Downloader.Agent.awz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145206.exe:azjcx -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145207.exe:azjcx -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145208.exe:azjcx -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145209.exe:azjcx -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145210.exe:azjcx -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145211.exe:azjcx -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145204.exe:kznhw -> Downloader.Agent.cd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145205.INI:jiaxa -> Downloader.Agent.cd : Cleaned with backup (quarantined).
C:\WINDOWS\tstlb.hta -> Downloader.Psyme.av : Cleaned with backup (quarantined).
C:\WINDOWS\tabletoc.loggbhv -> Downloader.WinShow.ak : Cleaned with backup (quarantined).
C:\WINDOWS\twunk_16(2).exe:htfca -> Downloader.WinShow.ak : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP730\A0137055.dll -> Dropper.Lineage.agc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP732\A0140659.dll -> Dropper.Lineage.agc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP732\A0141659.dll -> Dropper.Lineage.agc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP732\A0141673.dll -> Dropper.Lineage.agc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP735\A0145425.dll -> Dropper.Lineage.agc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dllf.dll -> Dropper.Lineage.agc : Cleaned with backup (quarantined).
C:\Documents and Settings\YJH\Desktop\backups\backup-20070217-215454-642-winlgn.exe -> Trojan.Bizten : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP735\A0145432.exe -> Trojan.Bizten : Cleaned with backup (quarantined).
C:\WINDOWS\pss\winlgn.exeCommon Startup -> Trojan.Bizten : Cleaned with backup (quarantined).
C:\WINDOWS\1Sy.exe -> Trojan.Delf.jw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP730\A0137057.dll -> Trojan.Hangame.bm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP732\A0140660.dll -> Trojan.Hangame.bm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP732\A0141660.dll -> Trojan.Hangame.bm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP732\A0141675.dll -> Trojan.Hangame.bm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP735\A0145426.dll -> Trojan.Hangame.bm : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hhdll.dll -> Trojan.Hangame.bm : Cleaned with backup (quarantined).
C:\WINDOWS\3Sy.exe -> Trojan.Hangame.cl : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\addins\rundll32.exe -> Trojan.Hangame.cl : Cleaned with backup (quarantined).
C:\WINDOWS\2Sy.exe -> Trojan.Hangame.cn : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\inf\rundll32.exe -> Trojan.Hangame.cn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Krxdll.dll -> Trojan.Lineage.ach : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\1Sy.exe -> Trojan.Lineage.agc : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\2Sy.exe -> Trojan.Lineage.agj : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\d2_.exe -> Trojan.Lineage.agp : Cleaned with backup (quarantined).
C:\WINDOWS\0Sy.exe -> Trojan.Lineage.agp : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\explorer.exe -> Trojan.Lineage.agp : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\5-8_xp-2k_dd_ccc_wdm_enu_25203\Driver\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\5-8_xp-2k_dd_ccc_wdm_enu_25203\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\5-8_xp-2k_dd_ccc_wdm_enu_25203\WDM_ALL\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\wxp-w2k-catalyst-8-071-041026a-018719c\CPanel\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\wxp-w2k-catalyst-8-071-041026a-018719c\Driver\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\wxp-w2k-catalyst-8-071-041026a-018719c\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\wxp-w2k-catalyst-8-071-041026a-018719c\WDM\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\wxp-w2k-ccc-8-062-040929a-018115c\CPanel\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\wxp-w2k-ccc-8-062-040929a-018115c\Driver\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\wxp-w2k-ccc-8-062-040929a-018115c\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\wxp-w2k-ccc-8-062-040929a-018115c\WDM\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\Pm2\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\Program Files\Bethesda Softworks\Morrowind\CSUninstall\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\Program Files\HP\Digital Imaging\{18E0918E-1060-48f3-925C-56C82E88551B}\setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\driver\WINXP\SETUP.EXE -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\driver\vga\controlpanel\ControlPanel614105113\ControlPanel\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\driver\vga\driver\ati803_Win2KXP\Win2KXP\CPanel\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\driver\vga\driver\ati803_Win2KXP\Win2KXP\Driver\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\driver\vga\driver\ati803_Win2KXP\Win2KXP\Setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\driver\vga\driver\ati803_Win2KXP\Win2KXP\WDM\setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\driver\vga\gamwface203\GameFace203\GameFace\setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\driver\vga\smartdoc\SmartDoc452\SmartDoc\setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\driver\vga\videosec\VideoSec3007\VideoSec3007\setup.exe -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\viDll.dll -> Trojan.Lineage.agx : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\Config\svhost32.exe -> Trojan.Lineage.aji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP735\A0145421.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145398.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP730\A0137120.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP732\A0140662.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP732\A0141662.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP732\A0141707.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP735\A0145417.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145397.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\5-8_xp-2k_dd_ccc_wdm_enu_25203\ACE\setup.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\ATI\SUPPORT\wxp-w2k-ccc-8-062-040929a-018115c\ACE\setup.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\Program Files\NATEON\BIN\NATEON.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\Program Files\Nexon\Common\Patcher.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\Program Files\Real\RealPlayer\Setup\setup.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\Program Files\Real\RealPlayer\realplay.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\Program Files\WinRAR\WinRAR.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64FCA2A6-3513-4806-84BD-9F028CDAD2BA}\RP733\A0145395.dll -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\Temp\HP All-in-One Series Web Release\Setup.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\Temp\HP_WebRelease\Setup.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\WINDOWS\Dll.dll -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\WINDOWS\Logo1_.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\rundl132.exe -> Worm.Viking.y : Cleaned with backup (quarantined).
C:\driver\vga\webcam\Webcam\Setup.exe -> Worm.Viking.y : Cleaned with backup (quarantined).


::Report end

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Incident Status Location

Adware:adware/digitalnames Not disinfected c:\windows\system32\drivers\xprtect.sys
Adware:adware/superspider Not disinfected c:\q.exe
Adware:adware/startpage.jy Not disinfected C:\Documents and Settings\YJH\Favorites\FREE HIDDEN CAMS WORLD.url
Adware:adware/cws Not disinfected C:\Documents and Settings\YJH\Favorites\GET THIS 4 FREE.url
Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\YJH\Cookies\yjh@doubleclick[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\YJH\Desktop\backups\backup-20070217-215454-627.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\YJH\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Virus:Trj/Lineage.BIA Disinfected C:\WINDOWS\4Sy.exe
Virus:Trj/Lineage.AXG Disinfected C:\WINDOWS\system32\dab1.dll
Virus:Trj/Lineage.AYB Disinfected C:\WINDOWS\system32\r2dll.dll
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\__delete_on_reboot__~_1_4_4_1_6_8_._t_m_p_
Adware:Adware/WinTools

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:09:13 PM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\YJH\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nm...MStarter23.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/Image...ageUpload2.cab
O16 - DPF: {124250DD-E2CC-4B5B-AE7E-C9AC8A11DF43} (StreamNote2 Control) - http://cyber.jungchul.com/data17/Exp...treamNote2.cab
O16 - DPF: {1D046A46-955A-4FBC-800E-67F123047B2B} (Sso001 Control) - http://www.ibegin.co.kr/setstart/setstart/sso001i.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymus.../skcbgmset.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/So...30/SBStart.CAB
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,2,0
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041008.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ahnlab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
JSntgRvr's Avatar
Moderator with 15,334 posts.
 
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
19-Feb-2007, 11:12 AM #6
Hi, Bluerain80
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\system32\drivers\xprtect.sys
    c:\q.exe
    C:\Documents and Settings\YJH\Favorites\FREE HIDDEN CAMS WORLD.url
    C:\Documents and Settings\YJH\Favorites\GET THIS 4 FREE.url
    C:\Documents and Settings\YJH\Desktop\backups\backup-20070217-215454-627.dll
    C:\WINDOWS\Temp\__delete_on_reboot__~_1_4_4_1_6_8_._t_m_p_


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
    • If able, copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on a note pad document. Save it on the desktop and post its contents in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
  • Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
Bluerain80's Avatar
Junior Member with 9 posts.
 
Join Date: Feb 2007
19-Feb-2007, 04:44 PM #7
I have run into an error while running FindAWF

When I press any key to start the scan process, I get an error message that reads

C:\Documents and Settings\YJH\Local Settings\Temporary Internet Files\Content.IE5\CDAZOX6V\FindAWF[1].exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

Also, I have noticed lately that several DOS windows are popping up at the start of windows with a similar error message for each one.
JSntgRvr's Avatar
Moderator with 15,334 posts.
 
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
19-Feb-2007, 07:16 PM #8
Hi, Bluerain80

Click Here to download XP_FIX.EXE. Save it on your desktop. Double click on the XP_FIX.EXE file and follow the prompts. That should resolve the missing AUTOEXEC.NT file.

Follow the instructions above to run FindAWF.exe again. This time, please save the file on your desktop.
Bluerain80's Avatar
Junior Member with 9 posts.
 
Join Date: Feb 2007
19-Feb-2007, 08:29 PM #9
Here's my AWF Report

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

On another note, I was unable to 'move' c:\windows\system32\drivers\xprtect.sys using OTMoveIt; all the others were moved successfully.
JSntgRvr's Avatar
Moderator with 15,334 posts.
 
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
19-Feb-2007, 08:39 PM #10
Hi, Bluerain80

Please download the enclosed folder and extract its contents to the desktop. It is a batch file. Once extracted, please double click on the Logit.bat file and post the contents of the document it will produce.
Bluerain80's Avatar
Junior Member with 9 posts.
 
Join Date: Feb 2007
19-Feb-2007, 08:46 PM #11
C:\WINDOWS\rundl132.exe moved successfully.
C:\WINDOWS\system32\explorer.exe moved successfully.
C:\Program Files\wnames moved successfully.
File/Folder C:\WINDOWS\system32\vdyzoa.dll not found.
C:\WINDOWS\Config\svhost32.exe moved successfully.
C:\WINDOWS\inf\rundll32.exe moved successfully.
File/Folder C:\WINDOWS\system32\gndze.exe not found.
File/Folder C:\WINDOWS\system32\WTFCTF.exe not found.
File/Folder C:\WINDOWS\system32\MONITER.exe not found.
File/Folder C:\WINDOWS\system32\yaemu.exe not found.
C:\WINDOWS\addins\rundll32.exe moved successfully.
File/Folder C:\WINDOWS\system32\bljnf.exe not found.
File/Folder C:\WINDOWS\down\rundll32.exe not found.
File/Folder C:\WINDOWS\system32\dmosd.exe not found.
File/Folder C:\WINDOWS\system32\zxc.exe not found.
File/Folder C:\WINDOWS\system32\sysconf16.exe not found.
File/Folder C:\WINDOWS\system32\uio.exe not found.
File/Folder C:\WINDOWS\system32\winlgn.exe not found.

Created on 02/17/2007 21:59:00
File move failed. c:\windows\system32\drivers\xprtect.sys scheduled to be moved on reboot.
c:\q.exe moved successfully.
C:\Documents and Settings\YJH\Favorites\FREE HIDDEN CAMS WORLD.url moved successfully.
C:\Documents and Settings\YJH\Favorites\GET THIS 4 FREE.url moved successfully.
C:\Documents and Settings\YJH\Desktop\backups\backup-20070217-215454-627.dll unregistered successfully.
C:\Documents and Settings\YJH\Desktop\backups\backup-20070217-215454-627.dll moved successfully.
C:\WINDOWS\Temp\__delete_on_reboot__~_1_4_4_1_6_8_._t_m_p_ moved successfully.

Created on 02/19/2007 13:09:35
File move failed. c:\windows\system32\drivers\xprtect.sys scheduled to be moved on reboot.

Created on 02/19/2007 17:27:16
Volume in drive C has no label.
Volume Serial Number is C88E-9EF8

Directory of C:\Windows\System32

09/02/2004 08:08 AM 749 cdplayer.exe.manifest
02/17/2007 12:37 PM <DIR> dllcache
09/02/2004 08:08 AM 488 logonui.exe.manifest
09/02/2004 08:08 AM 749 ncpa.cpl.manifest
09/02/2004 08:08 AM 749 nwc.cpl.manifest
09/02/2004 08:08 AM 749 sapi.cpl.manifest
09/02/2004 08:08 AM 488 WindowsLogon.manifest
09/02/2004 08:08 AM 749 wuaucpl.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 36,907,687,936 bytes free
xprtect.sys Exist in the Drivers folder
JSntgRvr's Avatar
Moderator with 15,334 posts.
 
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
19-Feb-2007, 08:50 PM #12
Hi, Bluerain80

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Files to delete
c:\windows\system32\drivers\xprtect.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log .
Bluerain80's Avatar
Junior Member with 9 posts.
 
Join Date: Feb 2007
19-Feb-2007, 09:08 PM #13
Hmmm. I have gotten an error message telling me that it is not a valid script. I have rebooted and tried again, the whole text first as instructed, and the individual lines also, but nothing seems to work.
JSntgRvr's Avatar
Moderator with 15,334 posts.
 
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
19-Feb-2007, 09:15 PM #14
Hi, Bluerain80

Try the following script.

Quote:
Files to delete:
c:\windows\system32\drivers\xprtect.sys
Bluerain80
Junior Member with 9 posts.
Join Date: Feb 2007
19-Feb-2007, 09:35 PM #15
Thanks, it worked.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\huadtfyp

*******************

Script file located at: \??\C:\Documents and Settings\lpiyfdng.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\system32\drivers\xprtect.sys deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

...and my newest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 6:35:18 PM, on 2/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\kernels88.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\YJH\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {124CA449-6D75-57E5-327C-0AA2BFCDE6B3} - C:\WINDOWS\system32\husnsib.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
O4 - HKLM\..\Run: [ezorscg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ezorscg.dll,wewnkae
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9f} - (no file) (HKCU)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nm...MStarter23.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/Image...ageUpload2.cab
O16 - DPF: {124250DD-E2CC-4B5B-AE7E-C9AC8A11DF43} (StreamNote2 Control) - http://cyber.jungchul.com/data17/Exp...treamNote2.cab
O16 - DPF: {1D046A46-955A-4FBC-800E-67F123047B2B} (Sso001 Control) - http://www.ibegin.co.kr/setstart/setstart/sso001i.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymus.../skcbgmset.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/So...30/SBStart.CAB
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,2,0
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041008.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ahnlab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
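As an added illustration of how a helper reads a log like the one posted above, here is a small Python triage script. It is constructed for this write-up and is not code from HijackThis, The Avenger or the forum; the names Entry, parse_log, reasons, triage and suspect_files, the heuristics, and the GENERIC_AUTORUN_NAMES list are this example's own choices. It parses the O2 (BHO), O4 (autorun) and O23 (service) lines of a HijackThis v1.99 log into records and flags entries on a few defender-side rules: a BHO with no display name, an autorun whose value name is a generic word, rundll32 loading a DLL out of system32, a RunServices key, and a service with an unknown owner living in system32. The sample input is copied from the log above (plus one Global Startup line the parser deliberately ignores). The rules produce candidates for a closer look, not verdicts: the ATI Smart service is flagged only because its owner field is unknown and the file sits in system32, and a helper would clear it on recognising the vendor file.

```python
"""Triage helper for HijackThis v1.99 log lines (constructed example for
this thread; not code from HijackThis, The Avenger or the forum).
Output is a list of entries to look at first, not a verdict."""
import ntpath
import re
from dataclasses import dataclass

# Sample input: lines copied from the HJT log posted above, plus one
# Global Startup line that this parser intentionally leaves alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {124CA449-6D75-57E5-327C-0AA2BFCDE6B3} - C:\WINDOWS\system32\husnsib.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
O4 - HKLM\..\Run: [ezorscg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ezorscg.dll,wewnkae
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

@dataclass
class Entry:
    section: str  # "O2", "O4" or "O23"
    name: str     # BHO display name, run-value name or service name
    target: str   # file path (O2/O23) or full command line (O4)
    detail: str   # CLSID (O2), registry key (O4) or owner/vendor (O23)

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")

# Run-value names that say nothing about the program behind them (constructed list).
GENERIC_AUTORUN_NAMES = {"system", "systemtools", "windows", "svchost", "explorer"}

def parse_line(line: str):
    """Return an Entry for a recognised O2/O4/O23 line, else None."""
    line = line.strip()
    if m := _O2.match(line):
        return Entry("O2", m["name"], m["path"], m["clsid"])
    if m := _O4.match(line):
        return Entry("O4", m["name"], m["cmd"], f"{m['hive']}\\..\\{m['key']}")
    if m := _O23.match(line):
        return Entry("O23", m["name"], m["path"], m["owner"])
    return None

def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def _split_cmd(cmd: str):
    """Split a Windows command line into (program, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()

def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()

def artifact(e: Entry) -> str:
    """Basename of the file the entry really loads (the DLL behind rundll32)."""
    if e.section != "O4":
        return ntpath.basename(e.target).lower()
    exe, rest = _split_cmd(e.target)
    if ntpath.basename(exe).lower() == "rundll32.exe" and rest:
        return ntpath.basename(rest.split(",")[0].strip('"')).lower()
    return ntpath.basename(exe).lower()

def reasons(e: Entry) -> list:
    """Review reasons for one entry; an empty list means nothing was flagged."""
    out = []
    if e.section == "O2" and e.name == "(no name)":
        out.append("BHO with no display name")
    if e.section == "O4":
        exe, _ = _split_cmd(e.target)
        if e.name.lower() in GENERIC_AUTORUN_NAMES:
            out.append("autorun with a generic display name")
        if ntpath.basename(exe).lower() == "rundll32.exe" and _in_system32(e.target):
            out.append("rundll32 loading a DLL from system32")
        if e.detail.endswith("RunServices"):
            out.append("RunServices key (a Win9x autorun location, not processed by NT-based Windows)")
    if e.section == "O23" and e.detail == "Unknown owner" and _in_system32(e.target):
        out.append("service with unknown owner under system32")
    return out

def triage(text: str) -> list:
    """All flagged entries of a log as (entry, reasons) pairs, in log order."""
    return [(e, r) for e in parse_log(text) if (r := reasons(e))]

def suspect_files(text: str) -> set:
    """Basenames of the files behind every flagged entry."""
    return {artifact(e) for e, _ in triage(text)}

if __name__ == "__main__":
    for e, r in triage(SAMPLE_LOG):
        print(f"{e.section:<3} {e.name:<20} {artifact(e):<14} {'; '.join(r)}")
```

Run on the sample it prints five flagged entries; the two kernels88.exe autoruns collapse to one file in suspect_files, and the rundll32 line is reported by the DLL it loads rather than by rundll32.exe itself, which is the file a helper actually wants to look up.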
techguy.org/544992