1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Popups (WinAntiVirus Virus?)

Discussion in 'Virus & Other Malware Removal' started by prestorock, Apr 21, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
    Hello, before i ask i would like to mention i cant understand in depth computer details so you may have to explain how to do something to me if its hard.

    I keep getting pop ups when i visit sites and even when im not even online. I have just reformatted my computer a month ago because of a virus with the same symptoms (WinAntiVirus, i didnt install it jsut kept getting popups) Even when i had never installed or downloaded anything it just popped up on my computer. Please help!

    Oh and i run Windows XP SP2 and Norton AntiVirus. Im also 13 but my father taught me alot about the computer and i apperantly am capable of doing more than my mother can (HA!). She also just bought the Norton subscription after i reformatted so i wouldnt get it again but it stil does.

    Another thing i hav enoticed is that my cookie settings keep going down to Accept all cookies. Even after i set it to Block all cookies.

    Please help! I do not wish to reformat again! (I can also get my dad to do the regestry things and others that could potentionaly destroy my computer.
     
  2. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
    I Did a HJT Log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 4:42:32 PM, on 4/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\eMachines Bay Reader\shwiconem.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\xloadnet\xloadnet.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\WINDOWS\system32\mshta.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\lthhcngc.dll
    O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINDOWS\system32\iiffcyy.dll
    O2 - BHO: (no name) - {4811C850-74CC-4965-BE90-423612B023EC} - C:\WINDOWS\system32\mljjj.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
    O15 - Trusted Zone: *.sxload.net (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176299638531
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176299629218
    O20 - Winlogon Notify: iiffcyy - C:\WINDOWS\SYSTEM32\iiffcyy.dll
    O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9630 bytes
     
  3. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
  4. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
  5. boporter

    boporter

    Joined:
    Apr 22, 2007
    Messages:
    7
    Sounds like it could be a Vundo.Trojan problem. Here are the instructions I received earlier today. Maybe it could help you as well.

    Please download VundoFix.exe to your desktop.
    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


    Download this tool to your desktop:
    http://www.uploads.ejvindh.net/rootchk.exe
    Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

    Notice: Some security-programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn of your security programs while rootchk is scanning (you should then unhook your network connection as well)


    If it is not Vundo, one of the other techs will have to look at your HJT log.
     
  6. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
    -------------------------------------------------------------------------
    Vundo Fix::

    VundoFix V6.3.20

    Checking Java version...

    Scan started at 7:08:46 PM 4/22/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\byxywut.dll
    C:\WINDOWS\system32\iiffcyy.dll
    C:\WINDOWS\system32\jjjlm.bak1
    C:\WINDOWS\system32\jjjlm.ini
    C:\WINDOWS\system32\jjjlm.ini2
    C:\WINDOWS\system32\jjjlm.tmp
    C:\WINDOWS\system32\ljjhged.dll
    C:\WINDOWS\system32\mljjj.dll
    C:\WINDOWS\system32\nnnligh.dll
    C:\WINDOWS\system32\tuvuvss.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\byxywut.dll
    C:\WINDOWS\system32\byxywut.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\iiffcyy.dll
    C:\WINDOWS\system32\iiffcyy.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\jjjlm.bak1
    C:\WINDOWS\system32\jjjlm.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jjjlm.ini
    C:\WINDOWS\system32\jjjlm.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jjjlm.ini2
    C:\WINDOWS\system32\jjjlm.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jjjlm.tmp
    C:\WINDOWS\system32\jjjlm.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ljjhged.dll
    C:\WINDOWS\system32\ljjhged.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mljjj.dll
    C:\WINDOWS\system32\mljjj.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nnnligh.dll
    C:\WINDOWS\system32\nnnligh.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\tuvuvss.dll
    C:\WINDOWS\system32\tuvuvss.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.20

    Checking Java version...

    Scan started at 11:31:41 PM 4/22/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\iiffcyy.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\iiffcyy.dll
    C:\WINDOWS\system32\iiffcyy.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    -------------------------------------------------------------------------
    HJT Log ::

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:50:46 PM, on 4/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\eMachines Bay Reader\shwiconem.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\xloadnet\xloadnet.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\lthhcngc.dll (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {A6E778A3-2364-423D-9100-4AB1E0AB6F43} - C:\WINDOWS\system32\mljjj.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
    O15 - Trusted Zone: *.sxload.net (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176299638531
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176299629218
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9611 bytes
    -------------------------------------------------------------
    ********************************* ROOTCHK-(23-04-07)-LOG, by ejvindh
    Sun 04/22/2007 23:52:07.48

    The rootkits that are detected by this tool were not found.

    ********************************* ROOTCHK-LOG-end


    catchme 0.3.657 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-04-22 23:52:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0
     
  7. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
    That may have fixed it havnt gotten a single popup yet! thanks man you saved my compueter
     
  8. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    You still may be infected.

    Download Combofix and save it to your desktop.
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Note: It is important that it is saved directly to your desktop

    Close any open browsers.

    Double click on combofix.exe & follow the prompts.
    When finished, it shall produce a log for you.

    Post the ComboFix.txt in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


    Also, please post a fresh Hijackthis log. Thanks.
     
  9. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
    Combo Fix Log
    "Owner" - 07-04-23 7:48:52 Service Pack 2
    ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Owner\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\jkkjj.dll
    C:\WINDOWS\system32\ssqrq.dll
    C:\WINDOWS\system32\sstts.dll
    C:\WINDOWS\system32\jjkkj.ini
    C:\WINDOWS\system32\qrqss.ini
    C:\WINDOWS\system32\sttss.ini


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\WINDOWS\updater.exe
    C:\Program Files\xloadnet\xloadnet.exe
    C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk
    C:\Program Files\xloadnet


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))


    2007-04-22 23:14 37,376 --a------ C:\WINDOWS\system32\hpz3l3xu.dll
    2007-04-22 23:12 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
    2007-04-22 23:12 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
    2007-04-22 23:12 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
    2007-04-22 23:12 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
    2007-04-22 23:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
    2007-04-22 23:12 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
    2007-04-22 19:11 77,824 --a------ C:\WINDOWS\system32\hpzids01.dll
    2007-04-22 19:11 51,120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
    2007-04-22 19:11 372,736 --a------ C:\WINDOWS\system32\hpzidi01.dll
    2007-04-22 19:11 274,432 --a------ C:\WINDOWS\system32\HPZc3212.dll
    2007-04-22 19:11 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
    2007-04-22 19:11 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
    2007-04-22 19:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\HP
    2007-04-22 19:08 <DIR> d-------- C:\VundoFix Backups
    2007-04-22 19:05 <DIR> d-------- C:\Program Files\Hp
    2007-04-22 19:04 <DIR> d-------- C:\temp\FixEngine
    2007-04-22 19:04 <DIR> d-------- C:\temp
    2007-04-19 17:56 1,370,138 ---hs---- C:\WINDOWS\system32\jjkmp.bak2
    2007-04-18 19:49 1,393,216 ---hs---- C:\WINDOWS\system32\jjkmp.ini2
    2007-04-18 19:04 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WholeSecurity
    2007-04-18 18:05 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-04-18 17:56 1,371,077 ---hs---- C:\WINDOWS\system32\jjkmp.bak1
    2007-04-18 17:55 281,172 --ahs---- C:\WINDOWS\system32\pmkjj.dll.vir
    2007-04-18 17:46 26,694 --a------ C:\WINDOWS\system32\ljjkkjg.dll.vir
    2007-04-16 20:44 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2007-04-15 23:15 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Anvil Studio
    2007-04-15 23:14 29,696 --a------ C:\WINDOWS\system32\asutl8.dll
    2007-04-15 23:11 <DIR> d-------- C:\Program Files\Triangle II
    2007-04-15 14:44 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
    2007-04-15 14:41 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2007-04-15 14:40 <DIR> dr-h----- C:\MSOCache
    2007-04-15 14:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
    2007-04-15 02:48 <DIR> d--h----- C:\WINDOWS\PIF
    2007-04-15 02:16 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-04-15 02:16 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-04-15 02:16 <DIR> d-------- C:\Program Files\Symantec
    2007-04-15 02:16 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2007-04-15 02:15 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-04-15 01:40 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-04-15 01:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
    2007-04-14 11:46 <DIR> d-------- C:\WINDOWS\Prefetch
    2007-04-14 08:21 <DIR> d-------- C:\WINDOWS\provisioning
    2007-04-14 08:21 <DIR> d-------- C:\WINDOWS\peernet
    2007-04-14 08:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2007-04-14 08:16 <DIR> d-------- C:\WINDOWS\EHome
    2007-04-13 09:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\espionServerData
    2007-04-13 06:12 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Opera
    2007-04-13 05:32 4,569 --------- C:\WINDOWS\system32\secupd.dat
    2007-04-13 05:32 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
    2007-04-13 02:03 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-04-12 05:43 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
    2007-04-12 05:38 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-04-11 09:06 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
    2007-04-11 09:06 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2007-04-11 09:06 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
    2007-04-11 09:06 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-04-11 09:06 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2007-04-11 09:06 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-04-11 09:06 <DIR> d-------- C:\WINDOWS\system32\PreInstall
    2007-04-11 09:06 <DIR> d-------- C:\WINDOWS\system32\bits
    2007-04-11 08:55 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-04-11 08:55 41,240 --a------ C:\WINDOWS\system32\wups.dll
    2007-04-11 08:55 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2007-04-11 08:55 18,200 --a------ C:\WINDOWS\system32\wups2.dll
    2007-04-11 08:55 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2007-04-11 08:55 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-04-11 08:53 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
    2007-04-11 08:53 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
    2007-04-11 08:38 <DIR> d-------- C:\Program Files\Google
    2007-04-11 08:38 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
    2007-04-11 08:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-04-11 04:49 1,682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-04-11 04:49 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Corel
    2007-04-11 04:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
    2007-04-11 04:48 <DIR> d-------- C:\Program Files\Corel
    2007-04-11 04:48 <DIR> d-------- C:\Program Files\Common Files\Corel
    2007-04-11 04:34 <DIR> d-------- C:\WINDOWS\Adobe Illustrator CS
    2007-04-11 03:48 85,376 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
    2007-04-11 03:48 57,344 --a------ C:\WINDOWS\system32\dpwsockx.dll
    2007-04-11 03:48 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
    2007-04-11 03:48 50,688 --a------ C:\WINDOWS\system32\wstdecod.dll
    2007-04-11 03:48 48,640 --a------ C:\WINDOWS\system32\drivers\stream.sys
    2007-04-11 03:48 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
    2007-04-11 03:48 385,024 --a------ C:\WINDOWS\system32\qdvd.dll
    2007-04-11 03:48 367,616 --a------ C:\WINDOWS\system32\dsound.dll
    2007-04-11 03:48 363,520 --a------ C:\WINDOWS\system32\psisdecd.dll
    2007-04-11 03:48 279,040 --a------ C:\WINDOWS\system32\qdv.dll
    2007-04-11 03:48 266,240 --a------ C:\WINDOWS\system32\ddraw.dll
    2007-04-11 03:48 229,888 --a------ C:\WINDOWS\system32\dplayx.dll
    2007-04-11 03:48 2,113,536 --a------ C:\WINDOWS\system32\dxdiagn.dll
    2007-04-11 03:48 19,328 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
    2007-04-11 03:48 181,248 --a------ C:\WINDOWS\system32\dmime.dll
    2007-04-11 03:48 17,408 --a------ C:\WINDOWS\system32\msyuv.dll
    2007-04-11 03:48 17,024 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
    2007-04-11 03:48 15,360 --a------ C:\WINDOWS\system32\drivers\streamip.sys
    2007-04-11 03:48 15,360 --a------ C:\WINDOWS\system32\drivers\mpe.sys
    2007-04-11 03:48 11,776 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
    2007-04-11 03:48 11,136 --a------ C:\WINDOWS\system32\drivers\slip.sys
    2007-04-11 03:48 104,448 --a------ C:\WINDOWS\system32\dmusic.dll
    2007-04-11 03:48 10,880 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
    2007-04-11 03:48 1,689,088 --a------ C:\WINDOWS\system32\d3d9.dll
    2007-04-11 03:48 1,428,480 --a------ C:\WINDOWS\system32\msvidctl.dll
    2007-04-11 03:48 1,298,432 --a------ C:\WINDOWS\system32\dxdiag.exe
    2007-04-11 03:48 1,179,648 --a------ C:\WINDOWS\system32\d3d8.dll
    2007-04-11 03:46 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-04-11 03:46 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
    2007-04-11 03:46 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2007-04-10 19:18 777,728 --a------ C:\WINDOWS\system32\SSLSVC.DLL
    2007-04-10 19:18 72,192 --a------ C:\WINDOWS\unlite3.exe
    2007-04-10 19:18 69,632 --a------ C:\WINDOWS\system32\xmltok.dll
    2007-04-10 19:18 69,632 --a------ C:\WINDOWS\system32\CFSDebug.dll
    2007-04-10 19:18 69,632 --a------ C:\WINDOWS\system32\CFRegExp.dll
    2007-04-10 19:18 69,632 --a------ C:\WINDOWS\system32\CFFtp.dll
    2007-04-10 19:18 506,368 --a------ C:\WINDOWS\system32\ftppro32.dll
    2007-04-10 19:18 487,424 --a------ C:\WINDOWS\system32\cfvalidator.dll
    2007-04-10 19:18 446,464 --a------ C:\WINDOWS\system32\cfssvradmin.dll
    2007-04-10 19:18 40,960 --a------ C:\WINDOWS\system32\cfmsg.dll
    2007-04-10 19:18 36,864 --a------ C:\WINDOWS\system32\xmlparse.dll
    2007-04-10 19:18 270,336 --a------ C:\WINDOWS\system32\CfShellFtpRds.dll
    2007-04-10 19:18 143,360 --a------ C:\WINDOWS\system32\CFFileProxy.dll
    2007-04-10 19:18 110,592 --a------ C:\WINDOWS\system32\CfRds.dll
    2007-04-10 19:18 1,507,328 --a------ C:\WINDOWS\system32\cfmlvalidator.dll
    2007-04-10 19:18 <DIR> d--h----- C:\DOCUME~1\Owner\InstallAnywhere
    2007-04-10 19:18 <DIR> d-------- C:\Program Files\Common Files\Vbox
    2007-04-10 19:17 28,672 --a------ C:\WINDOWS\system32\xml_datagrove.dll
    2007-04-10 19:17 114,688 --a------ C:\WINDOWS\system32\lang_cfml.dll
    2007-04-10 10:55 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
    2007-04-10 10:47 <DIR> d--h-c--- C:\WINDOWS\$MSI30UninstallMSI30-KB884016$
    2007-04-10 01:17 8,138 --------- C:\WINDOWS\system32\drivers\PenClass.sys
    2007-04-10 01:17 753,664 --------- C:\WINDOWS\system32\Tablet.exe
    2007-04-10 01:17 12,789 --a------ C:\WINDOWS\system32\tablet.dat
    2007-04-10 01:17 102,400 --------- C:\WINDOWS\system32\Wintab32.dll
    2007-04-10 01:17 <DIR> d-------- C:\WINDOWS\system32\WTablet
    2007-04-10 01:17 <DIR> d-------- C:\Program Files\Tablet
    2007-04-10 01:11 <DIR> d-------- C:\DOCUME~1\Owner\Bluetooth Software
    2007-04-10 01:10 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2007-04-10 01:05 <DIR> d-------- C:\Program Files\WIDCOMM
    2007-04-10 01:04 77,824 -ra------ C:\WINDOWS\system32\btw_ci.dll
    2007-04-10 01:03 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-04-10 00:59 294,912 -ra------ C:\WINDOWS\system32\atiiiexx.dll
    2007-04-10 00:59 135,168 -ra------ C:\WINDOWS\system32\ATIDEMGR.dll
    2007-04-10 00:55 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
    2007-04-10 00:55 <DIR> d-------- C:\Program Files\Program Shortcuts
    2007-04-10 00:55 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Symantec
    2007-04-10 00:55 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\CyberLink
    2007-04-10 00:53 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2007-04-10 00:53 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2007-04-10 00:53 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2007-04-10 00:53 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-15 14:43 -------- d-------- C:\Program Files\microsoft works
    2007-04-15 05:00 -------- d--h----- C:\Program Files\installshield installation information
    2007-04-15 01:41 -------- d-------- C:\Program Files\messenger
    2007-04-14 08:21 -------- d-------- C:\Program Files\movie maker
    2007-04-14 08:19 -------- d-------- C:\Program Files\windows nt
    2007-04-11 08:55 -------- d--h----- C:\Program Files\windowsupdate
    2007-04-11 04:33 -------- d-------- C:\Program Files\Common Files\installshield
    2007-03-17 08:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
    2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
    2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
    2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll
    2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
    2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-03-08 08:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
    2007-02-05 15:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    {1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\lthhcngc.dll [x]
    {A6E778A3-2364-423D-9100-4AB1E0AB6F43} C:\WINDOWS\system32\mljjj.dll [x]
    {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "CHotkey"="zHotkey.exe"
    "ShowWnd"="ShowWnd.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
    "mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
    "SunKistEM"="C:\\Program Files\\eMachines Bay Reader\\shwiconem.exe"
    @=""
    "SoundMan"="SOUNDMAN.EXE"
    "AlcWzrd"="ALCWZRD.EXE"
    "Alcmtr"="ALCMTR.EXE"
    "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Elements 5.0\\apdproxy.exe\""
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
    "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\ISP signup reminder 1.job
    C:\WINDOWS\tasks\ISP signup reminder 3.job
    C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-04-23 07:52:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 07-04-23 7:52:49
    C:\ComboFix-quarantined-files.txt ... 07-04-23 07:52

    HJT Log

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 7:59:45 AM, on 4/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\eMachines Bay Reader\shwiconem.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\lthhcngc.dll (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {A6E778A3-2364-423D-9100-4AB1E0AB6F43} - C:\WINDOWS\system32\mljjj.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176299638531
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176299629218
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9604 bytes

    And i am still infected, although that helped. I forgot to turn my computer off so popups came voernight. Usually its abot 14 a night, only 3 this night
     
  10. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger&#146;s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

    ================================

    Run HijackThis, and press "Do a System Scan Only".
    1. When the scan is complete place a check mark next to the following entries:

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\lthhcngc.dll (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {A6E778A3-2364-423D-9100-4AB1E0AB6F43} - C:\WINDOWS\system32\mljjj.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...


    ================================

    Panda Activescan
    http://www.pandasoftware.com/products/activescan.htm
    1. Once you are on the Panda site click the Scan your PC button
    2. A new window will open...click the Check Now button
    3. Enter your Country
    4. Enter your State/Province
    5. Enter your e-mail address and click send
    6. Select either Home User or Company
    7. Click the big Scan Now button
    8. If it wants to install an ActiveX component allow it
    9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    10. When download is complete, click on Local Disks to start the scan
    11. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
     
  11. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
    Avenger
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\mwmncsks

    *******************

    Script file located at: \??\C:\Program Files\mjuekeao.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\system32\ljjkkjg.dll.vir deleted successfully.
    File C:\WINDOWS\system32\pmkjj.dll.vir deleted successfully.
    File C:\WINDOWS\system32\jjkmp.bak1 deleted successfully.
    File C:\WINDOWS\system32\jjkmp.ini2 deleted successfully.
    File C:\WINDOWS\system32\jjkmp.bak2 deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
    HJT Log
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 4:06:28 PM, on 4/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\eMachines Bay Reader\shwiconem.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\lthhcngc.dll (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {A6E778A3-2364-423D-9100-4AB1E0AB6F43} - C:\WINDOWS\system32\mljjj.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176299638531
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176299629218
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9536 bytes
    Wasnt sure if i was supposed to do the rest at the same time or one at a time so just in case i did them one at a time (the ones seperated by the ====)
     
  12. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
    Im scanning with the panda thing now, im wondering, am i supposed to show you the report if anything malicious is found?
    It hasnt finished yet but im just wondering. And anyway, the whole time i was at school NO popups popped up (after i did the combo scan and all that) so thats a good sign, and norton hasnt popped up saying it blocked any trojan called WinFixer or something like that.

    :) :) :) Thank you! My mom thanks you too lol.

    I hop i truely am not infected anymore. ill psot if anything malicious was found.
     
  13. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
    Ahh,lots of stuff mostly cookies but i cleaned all my cookies out.
    And i deleted that Quazzle thing Wahtever it was, i dont reallty know. And it picked up ComboFix as an Adware or something


    Incident Status Location

    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\version.jar-4d048a14-53b03e40.zip[Dvnny.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\version.jar-4d048a14-53b03e40.zip[Dex.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\version.jar-4d048a14-53b03e40.zip[Dix.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\version.jar-4d048a14-53b03e40.zip[Dux.class]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/66.246.209 Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected]adrevolver[1].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[ComboFixT\nircmd.cfexe]
    Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
    Adware:Adware/Borlander Not disinfected C:\QooBox\Quarantine\C\WINDOWS\updater.exe.vir
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
     
  14. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Run HijackThis, and press "Do a System Scan Only".
    1. When the scan is complete place a check mark next to the following entries:

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\lthhcngc.dll (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {A6E778A3-2364-423D-9100-4AB1E0AB6F43} - C:\WINDOWS\system32\mljjj.dll (file missing)

    2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...


    This will take care of all the cookies Panda found

    Please download ATF Cleaner by Atribune.

    This program is for XP and Windows 2000 only


    • Save it to your desktop

      Double-click ATF-Cleaner.exe to run the program.

      Under Main choose: Select All

      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    =============================

    Please upload the following file/s for a Anti-Malware developer here
    http://www.bleepingcomputer.com/submit-malware.php?channel=4
    Upload these file/s

    C:\avenger/backup.zip

    Under comment, write Vundo files.


    =============================

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 1.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.
     
  15. prestorock

    prestorock Thread Starter

    Joined:
    Apr 21, 2007
    Messages:
    15
    I havnt had popups since my last post :D :D :D OMG im happy, thank you! Ill refer you guys to any of my friends that have viruses, and their parents too! Thank you!:D
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/565037

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice