Mourning the loss of our friend, WhitPhil.
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
 
Malware Removal & HijackThis Logs
Tag Cloud
access audio black screen blue screen boot bsod connection crash dell desktop driver dvd email error excel excel 2003 firefox hard drive hardware hdmi hijackthis internet keyboard laptop malware monitor network networking outlook problem ram recovery router screen slow sound spyware tdlwsp.dll trojan upgrade vba video virus vista vundo windows windows 7 windows vista windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Virus Help!!!! (New)

Tip: Click here to scan for System Errors and Optimize PC performance
[ Sponsored Link ]

Closed Thread
 
Thread Tools
salwa_890228's Avatar
Member with 30 posts.
  
Join Date: May 2007
09-Jun-2007, 02:07 PM #1
Exclamation Virus Help!!!!
I was diagnosed with

- SpyBot@MXT trojan
- PSW.x-Vir trojan
- Spyworm.32

Tried my antivirus but still no prevail.

This is my Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 1:36:52, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Azrul\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {306F5457-7D91-AF4A-3EA2-83DEDA7461BE} - C:\WINDOWS\system32\appyc32.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvmuv.dll,startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [new32] qwe.exe
O4 - HKCU\..\Run: [sbin] ERTYDF.exe
O4 - HKCU\..\Run: [TRPT] SysEntry.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D800678B-E925-44D0-AEAD-F1BC6F87FE8E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D800678B-E925-44D0-AEAD-F1BC6F87FE8E} - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/090f...fc6e1d4_35.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6616C9B-B572-4799-A0C8-0D1136EEC693}: NameServer = 69.50.184.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{D25F020E-28BE-419F-BB72-5A34C6CDF6C4}: NameServer = 69.50.184.84 195.225.176.37
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: style2 - C:\WINDOWS\q440625_disk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winbbc32 - winbbc32.dll (file missing)
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
Register for free to hide this ad!
MFDnNC's Avatar
Distinguished Member with 49,029 posts.
  
Join Date: Sep 2004
09-Jun-2007, 02:11 PM #2
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
====================

Download Superantispyware (SAS)

http://www.superantispyware.com/supe...freevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.
salwa_890228's Avatar
Member with 30 posts.
  
Join Date: May 2007
15-Jun-2007, 10:19 AM #3
Logfile of HijackThis v1.99.1
Scan saved at 22:11:11, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Azrul\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;local.,;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {306F5457-7D91-AF4A-3EA2-83DEDA7461BE} - C:\WINDOWS\system32\appyc32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [new32] qwe.exe
O4 - HKCU\..\Run: [sbin] ERTYDF.exe
O4 - HKCU\..\Run: [TRPT] SysEntry.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D800678B-E925-44D0-AEAD-F1BC6F87FE8E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D800678B-E925-44D0-AEAD-F1BC6F87FE8E} - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6616C9B-B572-4799-A0C8-0D1136EEC693}: NameServer = 69.50.184.84
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winbbc32 - winbbc32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

SmitFraudFix v2.194

Scan done at 19:45:03,48, Jumaat 06/15/2007
Run from C:\Documents and Settings\Azrul\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Share dTaskScheduler]
"{6AC3806F-8B39-4746-9C38-6B01CB7331FF}"="Memory monitor"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Share dTaskScheduler]
"{fa4fbf53-c766-4622-8011-a87a805eebf0}"="deboner"

[HKEY_CLASSES_ROOT\CLSID\{fa4fbf53-c766-4622-8011-a87a805eebf0}\InProcServer32]
@="C:\WINDOWS\SYSTEM32\ANTZOZC.DLL"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{fa4fbf53-c766-4622-8011-a87a805eebf0}\InProcServer32]
@="C:\WINDOWS\SYSTEM32\ANTZOZC.DLL"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\d3??.dll Deleted
C:\WINDOWS\msdn32.dll Deleted
C:\WINDOWS\system32\winstyle2.dll Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\Program Files\Video ActiveX Access\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C6616C9B-B572-4799-A0C8-0D1136EEC693}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C6616C9B-B572-4799-A0C8-0D1136EEC693}: NameServer=69.50.184.84
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C6616C9B-B572-4799-A0C8-0D1136EEC693}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C6616C9B-B572-4799-A0C8-0D1136EEC693}: NameServer=69.50.184.84
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C6616C9B-B572-4799-A0C8-0D1136EEC693}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C6616C9B-B572-4799-A0C8-0D1136EEC693}: NameServer=69.50.184.84
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="cszzf.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2007 at 09:21 PM

Application Version : 3.8.1002

Core Rules Database Version : 3251
Trace Rules Database Version: 1262

Scan type : Complete Scan
Total Scan Time : 01:19:43

Memory items scanned : 381
Memory threats detected : 0
Registry items scanned : 17949
Registry threats detected : 73
File items scanned : 65212
File threats detected : 195

Parasite.WareOut
HKLM\Software\Classes\CLSID\{19F3AE6A-0F56-1CED-25F5-051FEFF7FDAD}
HKCR\CLSID\{19F3AE6A-0F56-1CED-25F5-051FEFF7FDAD}
HKCR\CLSID\{19F3AE6A-0F56-1CED-25F5-051FEFF7FDAD}\InprocServer32
SHAITAN1678.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{24FBB034-B4B3-984A-F462-BAC7E66E3956}
HKLM\Software\Classes\CLSID\{A4838A56-770B-27B8-30FD-9B8732D6F5CE}
HKLM\Software\Classes\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}
HKLM\Software\Classes\CLSID\{BA5E08BD-E47C-5D05-ADCC-79F69B02D7DB}
HKLM\Software\Classes\CLSID\{D9E6A9B5-3F53-2528-E4D5-6A543FF55E1D}
HKCR\CLSID\{24FBB034-B4B3-984A-F462-BAC7E66E3956}
HKCR\CLSID\{24FBB034-B4B3-984A-F462-BAC7E66E3956}\Data
HKCR\CLSID\{A4838A56-770B-27B8-30FD-9B8732D6F5CE}
HKCR\CLSID\{A4838A56-770B-27B8-30FD-9B8732D6F5CE}\Data
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}\Data
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}\Data#Data0
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}\Data#Data2
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}\LocalServer32
HKCR\CLSID\{D9E6A9B5-3F53-2528-E4D5-6A543FF55E1D}
HKCR\CLSID\{D9E6A9B5-3F53-2528-E4D5-6A543FF55E1D}\Data
HKCR\CLSID\{BA5E08BD-E47C-5D05-ADCC-79F69B02D7DB}
HKCR\CLSID\{BA5E08BD-E47C-5D05-ADCC-79F69B02D7DB}\Data
C:\WINDOWS\SYSTEM32\MFCFQ.EXE

Parasite.CoolWebSearch Variant
HKLM\Software\Classes\CLSID\{E4C88E14-FD45-090A-3D96-32FA4B4D451F}
HKCR\CLSID\{E4C88E14-FD45-090A-3D96-32FA4B4D451F}
HKCR\CLSID\{E4C88E14-FD45-090A-3D96-32FA4B4D451F}\Data

Adware.Tracking Cookie
C:\Documents and Settings\Azrul\Cookies\azrul@adbrite[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.macromedia[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.fullreleases[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ads.revsci[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@kanoodle[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ad.depositfiles[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@mediafire[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@perf.overture[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@sexyshare[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@metacafe.122.2o7[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@sexuality.about[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@burstnet[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@harpo.122.2o7[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@divx.adbureau[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@efashionsolutions.122.2o7[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@e-2dj6wfmykmc5cho.stats.esomniture[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@revsci[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@bs.serving-sys[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@overture[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@adsrevenue[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.adultdvdhits[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@rotabanner100.utro[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@usenext[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@cm1265.tripod[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@atwola[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ads.hairboutique[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@list[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@publishers.clickbooth[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@adserver.adreactor[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.burstnet[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@tacoda[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@stat.onestat[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@tripod[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@tribalfusion[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@crackmanworld[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@indiads[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@adlegend[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@adinterax[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@easywarez[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@media.pc.ign[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@cs.sexcounter[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@web-stat[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@fortunecity[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ads.addesktop[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.advertising-department[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@imrworldwide[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@track.vivid[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@usenext[3].txt
C:\Documents and Settings\Azrul\Cookies\azrul@rotabanner.utro[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ads.pointroll[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@multiply.112.2o7[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@rambler[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@paycounter[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@yadro[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@anad.tacoda[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@tracker.wholinked[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@questionmarket[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@uk.sitestat[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ads.realtechnetwork[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@hotlog[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@realmedia[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ecnext.advertserve[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@webpower[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@serving-sys[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@reduxads.valuead[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@revenue[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@adultadworld[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ad1.clickhype[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@precisionclick[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@stats.privacyprotector[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@login.tracking101[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@clicksor[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@crutchfield.112.2o7[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.clickxchange[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@vip.clickzs[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ala-alakampung.tripod[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@partygaming.122.2o7[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@rotabanner234.utro[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.donwloadxclips[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.donwloadxclips[3].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.120.rbcmedia[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ad.globalinteractive[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.468.rbcmedia[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@engine.context.medialand[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@kim-kardashian-sex-tape[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@partypoker[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@specificclick[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@linkto.mediafire[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@tracker.myspacemaps[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@xiti[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@try.starware[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@234.media.lbn[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@3.adbrite[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@100.media.lbn[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@euros4click[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@4.adbrite[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ads.adbrite[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.100.rbcmedia[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@120.media.lbn[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ad.iconadserver[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ads.soft32[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@150.rbcmedia[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@rotabanner.rian[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@ad.zanox[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@rotabanner.izvestia[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@azjmp[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@150.media.lbn[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.googleadservices[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.duniasex[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@rotabanner468.utro[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@cz6.clickzs[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.tns-counter[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@a.websponsors[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.spylocked[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@citi.bridgetrack[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@partners.webmasterplan[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@468.media.lbn[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@www.234.rbcmedia[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@rotator.adjuggler[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@komtrack[2].txt
C:\Documents and Settings\Azrul\Cookies\azrul@focalex[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@stat.errclean[1].txt
C:\Documents and Settings\Azrul\Cookies\azrul@txt.medialand[1].txt

Adware.180solutions/ZangoSearch
HKCR\SAIX.InstallerCaller.1
HKCR\SAIX.InstallerCaller.1\CLSID

Trojan.SmartFinder
HKCR\CLSID\{55E45715-27B3-13CA-5DEF-A4B59535A970}
HKCR\CLSID\{55E45715-27B3-13CA-5DEF-A4B59535A970}\Data
HKCR\CLSID\{55E45715-27B3-13CA-5DEF-A4B59535A970}\LocalServer32
HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}
HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}\Data
HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}\Data#Data0
HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}\Data#Data2
HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}\LocalServer32
HKCR\CLSID\{5C2CADF9-FD40-CA02-757E-8C7E5C5C1763}
HKCR\CLSID\{5C2CADF9-FD40-CA02-757E-8C7E5C5C1763}\Data
HKCR\CLSID\{5C2CADF9-FD40-CA02-757E-8C7E5C5C1763}\Data#Data0
HKCR\CLSID\{5C2CADF9-FD40-CA02-757E-8C7E5C5C1763}\Data#Data2
HKCR\CLSID\{5C2CADF9-FD40-CA02-757E-8C7E5C5C1763}\LocalServer32
HKCR\CLSID\{AC733B08-CF49-1E8C-1F30-A1C7FF53A035}
HKCR\CLSID\{AC733B08-CF49-1E8C-1F30-A1C7FF53A035}\Data
HKCR\CLSID\{AC733B08-CF49-1E8C-1F30-A1C7FF53A035}\Data#Data0
HKCR\CLSID\{AC733B08-CF49-1E8C-1F30-A1C7FF53A035}\Data#Data2
HKCR\CLSID\{AC733B08-CF49-1E8C-1F30-A1C7FF53A035}\LocalServer32

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Capabilities

Adware.MediaMotor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#.Owner
C:\WINDOWS\Downloaded Program Files\amm06.inf
C:\WINDOWS\System32\safe.tlb
C:\WINDOWS\mm06y.ini

Adware.IEPlugin
HKCR\Remove

Trojan.Media-Codec/V3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar#UninstallString

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\APITC.EXE
C:\WINDOWS\SYSTEM32\IECJ.EXE
C:\WINDOWS\SYSTEM32\SDKBC32.EXE
C:\WINDOWS\SYSTEM32\SYSPE.EXE
C:\WINDOWS\SYSTEM32\IEIB.EXE
C:\WINDOWS\SYSTEM32\ATLVO.EXE
C:\WINDOWS\SYSTEM32\NTDT32.EXE
C:\WINDOWS\SYSTEM32\CRNG32.EXE
C:\WINDOWS\SYSTEM32\MSGH.EXE
C:\WINDOWS\SYSTEM32\APPZX.EXE
C:\WINDOWS\SYSTEM32\ADDLQ32.EXE
C:\WINDOWS\SYSTEM32\MFCMF.EXE
C:\WINDOWS\SYSTEM32\D3QW.EXE
C:\WINDOWS\SYSTEM32\NTBS32.EXE
C:\WINDOWS\SYSTEM32\WINSJ.EXE
C:\WINDOWS\SYSTEM32\ATLNS.EXE
C:\WINDOWS\SYSTEM32\CRYZ32.EXE
C:\WINDOWS\SYSTEM32\MFCRZ.EXE
C:\WINDOWS\SYSTEM32\MSZA32.EXE
C:\WINDOWS\SYSTEM32\NETXO32.EXE
C:\WINDOWS\SYSTEM32\NTDQ32.EXE
C:\WINDOWS\SYSTEM32\APIJD32.EXE
C:\WINDOWS\SYSTEM32\CRJG32.EXE
C:\WINDOWS\SYSTEM32\SDKUU32.EXE
C:\WINDOWS\SYSTEM32\MFCUG.EXE
C:\WINDOWS\SYSTEM32\SDKKB32.EXE
C:\WINDOWS\SYSTEM32\D3LA32.EXE
C:\WINDOWS\SYSTEM32\ADDHV32.EXE
C:\WINDOWS\SYSTEM32\APPKL32.EXE
C:\WINDOWS\SYSTEM32\NETFN.EXE
C:\WINDOWS\SYSTEM32\APPRZ.EXE
C:\WINDOWS\SYSTEM32\ATLES.EXE
C:\WINDOWS\SYSTEM32\MFCNY32.EXE
C:\WINDOWS\SYSTEM32\MSMA32.EXE
C:\WINDOWS\SYSTEM32\ADDIP32.EXE
C:\WINDOWS\SYSTEM32\NETFG32.EXE
C:\WINDOWS\SYSTEM32\MSTH32.EXE
C:\WINDOWS\SYSTEM32\ADDBF32.EXE
C:\WINDOWS\SYSTEM32\WINYH32.EXE
C:\WINDOWS\SYSTEM32\WINNF.EXE
C:\WINDOWS\SYSTEM32\APPLJ32.EXE
C:\WINDOWS\SYSTEM32\IPWA32.EXE
C:\WINDOWS\SYSTEM32\IEHI32.EXE
C:\WINDOWS\SYSTEM32\WINSF.EXE
C:\WINDOWS\SYSTEM32\CRIT.EXE
C:\WINDOWS\SYSTEM32\CRLV.EXE
C:\WINDOWS\SYSTEM32\CRBC.EXE
C:\WINDOWS\SYSTEM32\D3VM.EXE
C:\WINDOWS\SYSTEM32\JAVAEQ32.EXE
C:\WINDOWS\SYSTEM32\NTRJ.EXE
C:\WINDOWS\SYSTEM32\SYSCG.EXE
C:\WINDOWS\SYSTEM32\IPEO.EXE
C:\WINDOWS\SYSTEM32\MFCAR.EXE
C:\WINDOWS\SYSTEM32\MFCDA32.EXE
C:\WINDOWS\SYSTEM32\IPAO32.EXE
C:\WINDOWS\SYSTEM32\CRYY32.EXE
C:\WINDOWS\SYSTEM32\MFCRW32.EXE

Trojan.MSEX
C:\WINDOWS\SYSTEM32\MSEX.EXE

Trojan.WinDK
C:\WINDOWS\SYSTEM32\WINDK.EXE

Trojan.AgentBi/Win
C:\WINDOWS\SYSTEM32\APIAJ32.EXE
C:\WINDOWS\APIAJ32.EXE

Trojan.SmitFraud Variant
C:\WINDOWS\SYSTEM32\MFCDG.EXE

Trojan.SdBot-MSLX/32
C:\WINDOWS\MSLX32.EXE

Trojan.CRSS32/Win
C:\WINDOWS\CRSS32.EXE

Uncategorized.UnknownOrigin
C:\WINDOWS\MSXO.EXE

Trojan.Downloader-Gen/Win
C:\WINDOWS\NTAR.EXE
MFDnNC's Avatar
Distinguished Member with 49,029 posts.
  
Join Date: Sep 2004
15-Jun-2007, 10:37 AM #4
You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: Class - {306F5457-7D91-AF4A-3EA2-83DEDA7461BE} - C:\WINDOWS\system32\appyc32.dll (file missing)

O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)


O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvmuv.dll,startup

O4 - HKCU\..\Run: [new32] qwe.exe

O4 - HKCU\..\Run: [sbin] ERTYDF.exe

O4 - HKCU\..\Run: [TRPT] SysEntry.exe

O20 - Winlogon Notify: style2 - C:\WINDOWS\q440625_disk.dll (file missing)

O20 - Winlogon Notify: winbbc32 - winbbc32.dll (file missing)

O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\qwe.exe
C:\WINDOWS\system32\drvmuv.dll
C:\WINDOWS\system32\ERTYDF.exe
C:\WINDOWS\system32\SysEntry.exe
C:\WINDOWS\iexplore.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
salwa_890228's Avatar
Member with 30 posts.
  
Join Date: May 2007
16-Jun-2007, 01:33 PM #5
Logfile of HijackThis v1.99.1
Scan saved at 1:32:17, on 6/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Azrul\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D25F020E-28BE-419F-BB72-5A34C6CDF6C4}: NameServer = 69.50.184.84 195.225.176.37
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winbbc32 - winbbc32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
MFDnNC's Avatar
Distinguished Member with 49,029 posts.
  
Join Date: Sep 2004
16-Jun-2007, 01:42 PM #6
Missed this one - try it again

O20 - Winlogon Notify: winbbc32 - winbbc32.dll (file missing)


How are things ???????????

Turn off restore points, boot, turn them back on – here’s how

http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
salwa_890228's Avatar
Member with 30 posts.
  
Join Date: May 2007
19-Jun-2007, 12:39 PM #7
Logfile of HijackThis v1.99.1
Scan saved at 0:39:18, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Azrul\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Canon IJ Status Monitor Canon iP1700.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D25F020E-28BE-419F-BB72-5A34C6CDF6C4}: NameServer = 69.50.184.84 195.225.176.37
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
salwa_890228's Avatar
Member with 30 posts.
  
Join Date: May 2007
19-Jun-2007, 12:40 PM #8
It's a bit faster but still slow....
MFDnNC's Avatar
Distinguished Member with 49,029 posts.
  
Join Date: Sep 2004
19-Jun-2007, 01:45 PM #9
Clean
If you feel its is fixed mark it solved via Thread Tools above
Closed Thread Bookmark and Share

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Smart Search

Find your solution!


« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.

Thread Tools


Twitter Twitter! | Podcast | Mobile | Advertise
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -5. The time now is 11:01 PM.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2009, Jelsoft Enterprises Ltd.
 Powered by Cermak Technologies, Inc.