
Solved: cannot remove ?ti2evxx.exe

Discussion in 'Virus & Other Malware Removal' started by freakkk, Jun 30, 2007.

  1. freakkk

    freakkk Thread Starter

    Joined:
    May 28, 2007
    Messages:
    60
    Hi, I scan my computer every day, and every day when I scan, ?ti2evxx.exe comes up and it says deleted. It is in C:\windows\??crosoft\?ti2evxx.exe. Could someone tell me how to remove it?
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Sounds like a virus.

    * Click here to download HJTsetup.exe.
    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. SmashD

    SmashD

    Joined:
    Apr 14, 2005
    Messages:
    68
    I remember fixing a computer with that problem; this is a virus.
    Keep posting, ppl will help you fix this :)
     
  4. freakkk

    freakkk Thread Starter

    Joined:
    May 28, 2007
    Messages:
    60
    Logfile of HijackThis v1.99.1
    Scan saved at 6:29:27 PM, on 7/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Documents and Settings\freakkk\Desktop\Ms VideoGrabber\{app}\Ms VideoGrabber.exe
    C:\Documents and Settings\freakkk\Desktop\Ms VideoGrabber\{app}\Clip.exe
    C:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
    C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\flashget.exe
    C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\freakkk\Desktop\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
    O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - (no file)
    O2 - BHO: (no name) - {D468E8DC-AD5E-488E-8377-5A68E294A93D} - (no file)
    O2 - BHO: (no name) - {E509111A-A1AB-DD29-DF07-89ADDB947494} - (no file)
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_all.htm
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_link.htm
    O8 - Extra context menu item: &Save Video As... - res://C:\Program Files\videodetect\videodetect.dll/201
    O9 - Extra button: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
    O9 - Extra 'Tools' menuitem: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O20 - Winlogon Notify: winqre32 - winqre32.dll (file missing)
    O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
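    A triage pass over HijackThis-style log lines, added here as an example; it is not part of the thread and not HijackThis code. It checks a few patterns that are visible in the log above: O2/O20 registrations whose file is "(no file)" or "(file missing)", O4 Run/RunServices values that launch something other than an .exe (the IESet entry launches IExplorer.dll), copies of well-known system binaries living outside System32 (the Arnu entry runs a winlogon.exe from COMMON~1\MBOLS~1), and file names containing non-ASCII characters that, once those characters are dropped, spell the tail of a known system binary, which is the pattern behind the C:\windows\??crosoft\?ti2evxx.exe path in the first post. The sample log lines are constructed after the posted log; the entry for C:\WINDOWS\Μicrosoft\Αti2evxx.exe uses Greek letters as stand-ins for whatever characters the original path had, and the SYSTEM_BINARY_HOMES allow-list is a hypothetical illustration rather than a complete one.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not
HijackThis code). SAMPLE_LOG is constructed after the log posted in the
thread; the Greek-letter entry stands in for the ?ti2evxx.exe path."""
import ntpath
import re

# Hypothetical allow-list: Windows binaries that malware likes to imitate,
# mapped to the directory where the genuine copy lives (lower-case).
SYSTEM_BINARY_HOMES = {
    "winlogon.exe": r"c:\windows\system32",
    "ati2evxx.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

MISSING_MARKERS = ("(no file)", "(file missing)")

# O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Constructed sample; the [Ati2evxx] line is invented to mirror post 1.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
O4 - HKLM\..\Run: [Ati2evxx] C:\WINDOWS\Μicrosoft\Αti2evxx.exe
O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


def target_of_run_value(command: str) -> str:
    """Return the program part of an O4 Run/RunServices command string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def ascii_skeleton(name: str) -> str:
    """Drop every non-ASCII character, leaving the visible ASCII remainder."""
    return "".join(ch for ch in name if ord(ch) < 128)


def lookalike_of(basename: str):
    """If basename has non-ASCII characters and its ASCII remainder is the
    tail of a known system binary name, return that name, else None."""
    low = basename.lower()
    skel = ascii_skeleton(low)
    if skel == low:
        return None
    for known in SYSTEM_BINARY_HOMES:
        if known != skel and known.endswith(skel):
            return known
    return None


def check_path(path: str) -> list:
    """Reasons a single file path looks suspicious (may be empty)."""
    reasons = []
    low = path.lower()
    base = ntpath.basename(low)
    directory = ntpath.dirname(low)
    if any(ord(ch) > 127 for ch in path):
        reasons.append("non-ASCII character in path")
    look = lookalike_of(base)
    if look:
        reasons.append(f"name imitates {look}")
    home = SYSTEM_BINARY_HOMES.get(base)
    if home and directory != home:
        reasons.append(f"{base} outside {home}")
    return reasons


def triage_line(line: str) -> list:
    """Return the list of reasons one HijackThis line looks suspicious."""
    line = line.strip()
    reasons = []
    if line.startswith(("O2 - ", "O20 - ")) and line.endswith(MISSING_MARKERS):
        reasons.append("registration points at a missing file")
    m = O4_RE.match(line)
    if m:
        target = target_of_run_value(m.group("cmd"))
        ext = ntpath.splitext(target)[1].lower()
        if ext and ext != ".exe":
            reasons.append(f"{m.group('key')} value launches a {ext} file")
        reasons.extend(check_path(target))
    elif line.startswith(("O20 - ", "O23 - ")):
        path = line.rsplit(" - ", 1)[-1]
        for marker in MISSING_MARKERS:
            path = path.replace(marker, "").strip()
        reasons.extend(check_path(path))
    return reasons


def triage(log_text: str) -> dict:
    """Map each suspicious line to its reasons; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

    Run against the constructed sample, the five lines flagged are the dangling O2 and O20 registrations, the RunServices value that launches a .dll, the winlogon.exe outside System32, and the Greek-letter Ati2evxx lookalike; the genuine ATI HotKey Poller service and the AVG entry pass. The heuristics are deliberately narrow (a bare name such as SOUNDMAN.EXE is not flagged), so they are a first pass for a human reviewer, not a verdict.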
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    I think a ppl is already helping. ;)
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    SmashD,

    Please refer to the rules concerning malware removal.

    http://www.techguy.org/rules.html

    Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name, and authorized malware removal trainees have a blue shield next to their names. Anyone wishing to participate in a training program should contact a Moderator for more information.

    Please refrain from replying to security related matters on this forum until you have presented evidence to one of the moderators or admins here that proves you to be qualified to do so. If you are not yet qualified and interested in being trained, we will be glad to help you get enrolled at one of the free online training facilities. Just PM me or one of the other moderators that work Security and we'll point you in the right direction.

    Thanks in advance for your cooperation. :)
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Oooof, what a mess.

    Download the Trial version of Superantispyware Pro (SAS):
    http://www.superantispyware.com/superantispyware.html?rid=3132


    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new Hijack This log.
     
  8. freakkk

    freakkk Thread Starter

    Joined:
    May 28, 2007
    Messages:
    60
    Logfile of HijackThis v1.99.1
    Scan saved at 1:45:00 AM, on 7/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\freakkk\Desktop\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
    O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {D468E8DC-AD5E-488E-8377-5A68E294A93D} - (no file)
    O2 - BHO: (no name) - {E509111A-A1AB-DD29-DF07-89ADDB947494} - (no file)
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_all.htm
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_link.htm
    O8 - Extra context menu item: &Save Video As... - res://C:\Program Files\videodetect\videodetect.dll/201
    O9 - Extra button: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
    O9 - Extra 'Tools' menuitem: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O20 - Winlogon Notify: winqre32 - winqre32.dll (file missing)
    O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    --------------------------------------------------------------------------------------------------------
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/04/2007 at 01:38 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3265
    Trace Rules Database Version: 1276

    Scan type : Complete Scan
    Total Scan Time : 01:00:04

    Memory items scanned : 311
    Memory threats detected : 0
    Registry items scanned : 4469
    Registry threats detected : 21
    File items scanned : 69703
    File threats detected : 90

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
    HKLM\Software\Classes\CLSID\{8A61098D-612B-4EF2-943D-64E920684061}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A61098D-612B-4EF2-943D-64E920684061}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{8A61098D-612B-4EF2-943D-64E920684061}
    HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}
    HKCR\CLSID\{8A61098D-612B-4EF2-943D-64E920684061}
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP15\A0006021.NFO
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP17\A0006851.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP17\A0006860.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP17\A0007150.EXE

    Adware.Tracking Cookie
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][3].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt

    Trojan.Unknown Origin
    HKLM\SOFTWARE\Microsoft\MSSMGR
    HKLM\SOFTWARE\Microsoft\MSSMGR#Data
    HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
    HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#PID
    HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
    HKLM\SOFTWARE\Microsoft\MSSMGR#LID
    HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP28\A0015114.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP28\A0015115.EXE
    C:\WINDOWS\SYSTEM32\WNSAPII32.EXE

    BearShare File Sharing Client
    C:\DOCUMENTS AND SETTINGS\FREAKKK\DESKTOP\STUFF\TEDDYBEAR\BEARSHARE_PRO_V5[1].2.5.3-DIGERATI\CRACK\BEARSHARE.EXE
    C:\DOCUMENTS AND SETTINGS\FREAKKK\DESKTOP\STUFF\TEDDYBEAR\BEARSHARE_PRO_V5[1].2.5.3-DIGERATI\SETUP\BSPROINSTALL\MAINDIR\BEARSHARE.EXE

    Adware.ClickSpring/Resident
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP13\A0005113.DLL

    Trojan.Downloader-Gen/HitItQuitIt
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP13\A0005117.DLL

    Adware.Vundo Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP18\A0007693.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP4\A0000060.DLL

    Adware.ClickSpring
    C:\WINDOWS\CROSOF~1\TI2EVX~1.EXE
     
  9. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm

    Once you are on the Panda site click the Scan your PC button.
    A new window will open...click the Check Now button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address and click send.
    Select either Home User or Company.
    Click the big Scan Now button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    When download is complete, click on My Computer to start the scan.
    When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report.
     
  10. freakkk

    freakkk Thread Starter

    Joined:
    May 28, 2007
    Messages:
    60
    Incident | Status | Location
    Spyware:Cookie/Casalemedia | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/FastClick | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/QuestionMarket | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/SexList | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.sexlist.com/]
    Spyware:Cookie/Inet-Traffic | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.inet-traffic.com/]
    Spyware:Cookie/adultfriendfinder | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.adultfriendfinder.com/]
    Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/SpyLog | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.spylog.com/]
    Spyware:Cookie/HotLog | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.hotlog.ru/]
    Spyware:Cookie/Yadro | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.yadro.ru/]
    Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/Reliablestats | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[stats1.reliablestats.com/]
    Spyware:Cookie/Winantivirus | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.winantivirus.com/]
    Spyware:Cookie/Reliablestats | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[stats1.reliablestats.com/]
    Spyware:Cookie/Winantivirus | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.winantivirus.com/]
    Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[drivecleaner.com/.freeware/]
    Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.drivecleaner.com/]
    Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[drivecleaner.com/]
    Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
    Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    Spyware:Cookie/FastClick | Not disinfected | C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
    Adware:Adware/PurityScan | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.17.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.Keygen.READ.NFO-CRD.exe][install.exe][OiUninstaller.exe][UE.exe]
    Adware:Adware/OuterInfo | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.17.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.Keygen.READ.NFO-CRD.exe][install.exe][OinFP.exe]
    Adware:Adware/OuterInfo | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.17.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.Keygen.READ.NFO-CRD.exe][install.exe][²ÖÇ\OinADInst.exe][Outerinfo.dll]


    Adware:Adware/PurityScan

    Not disinfected C:\Documents and

    Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.1

    7.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.K

    eygen.READ.NFO-CRD.exe][install.exe][²ÖÇ\OinADInst.exe][²ÜÇ\KillNDrv.dl

    l]
    Adware:Adware/OuterInfo

    Not disinfected C:\Documents and

    Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.1

    7.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.K

    eygen.READ.NFO-CRD.exe][install.exe][²ÖÇ\OinADInst.exe][Outerinfo.exe]


    Adware:Adware/PurityScan

    Not disinfected C:\Documents and

    Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.1

    7.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.K

    eygen.READ.NFO-CRD.exe][install.exe][²ÜÇ\KillNDrv.dll]





    Virus:Generic Trojan

    Not disinfected




    Virus:Generic Malware

    Not disinfected C:\Documents and

    Settings\freakkk\Desktop\stuff\XOTSPES.rar[XoftSpy SE

    v4.31.232\Patch\ParetoLogic Slayer v1.2 (Patch).exe]




    Virus:Generic Malware

    Not disinfected

    C:\RECYCLER\S-1-5-21-854245398-1958367476-839522115-1004\Dc1337.rar[key

    gen.sfx.exe][keygen.exe][OiUninstaller.exe][UE.exe]




    Virus:W32/Polipos.A

    Renamed

    C:\RECYCLER\S-1-5-21-854245398-1958367476-839522115-1004\Dc1463.zip[web

    cache.exe]
     
  11. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Now post a fresh Hijack This log.
     
  12. freakkk

    freakkk Thread Starter

    Joined:
    May 28, 2007
    Messages:
    60
    Logfile of HijackThis v1.99.1
    Scan saved at 5:16:34 PM, on 7/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\freakkk\LOCALS~1\Temp\Rar$EX00.828\LimeWire_4.12.3_Portable\LimeWire_4.12.3_Portable\LimeWire.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\freakkk\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
    O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {D468E8DC-AD5E-488E-8377-5A68E294A93D} - (no file)
    O2 - BHO: (no name) - {E509111A-A1AB-DD29-DF07-89ADDB947494} - (no file)
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_all.htm
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_link.htm
    O8 - Extra context menu item: &Save Video As... - res://C:\Program Files\videodetect\videodetect.dll/201
    O9 - Extra button: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
    O9 - Extra 'Tools' menuitem: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O20 - Winlogon Notify: winqre32 - winqre32.dll (file missing)
    O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.

    Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

    O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

    O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)

    O2 - BHO: (no name) - {D468E8DC-AD5E-488E-8377-5A68E294A93D} - (no file)

    O2 - BHO: (no name) - {E509111A-A1AB-DD29-DF07-89ADDB947494} - (no file)

    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt

    O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb

    O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

    O20 - Winlogon Notify: winqre32 - winqre32.dll (file missing)

    O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)


    Reboot and post another Hijack This log please.
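    To make the selection above reproducible, here is a small triage script for HijackThis log lines, added as an example that is not part of this thread or of HijackThis. It flags the same classes of entry the helper ticked for fixing: O2 BHOs registered with no DLL on disk, O20 Winlogon Notify packages whose DLL is missing or whose path is empty, O4 autoruns that launch a Windows system-binary name from outside %SystemRoot%, and RunServices entries whose target is not an .exe. The SYSTEM_BINARIES list and the heuristics are my own assumptions; the sample lines are copied from the logs posted in this thread.

```python
import re

# Windows binaries that live under %SystemRoot%; the same name launched from
# anywhere else (the log above has winlogon.exe under Common Files) is a
# classic masquerade and is worth a look. List is an assumption for this example.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "smss.exe", "csrss.exe", "explorer.exe"}
SYSTEM_ROOTS = ("c:\\windows\\", "%systemroot%\\")

# O4 autorun lines look like: O4 - HKLM\..\Run: [Name] command args
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Lines copied from the HijackThis logs in this thread; three benign ones
# (SSVHelper, COMODO, !SASWinLogon) are included as controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D468E8DC-AD5E-488E-8377-5A68E294A93D} - (no file)
O2 - BHO: (no name) - {E509111A-A1AB-DD29-DF07-89ADDB947494} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winqre32 - winqre32.dll (file missing)
O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)
"""


def _command_path(cmd):
    """Extract the launched path from an O4 command string (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Return a reason string if the HijackThis line looks suspicious, else None."""
    line = line.strip()
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        return "orphaned BHO: CLSID registered but DLL gone (no file)"
    if line.startswith("O20 - Winlogon Notify:"):
        if line.endswith("(file missing)") or line.endswith("\\"):
            return "Winlogon Notify package with missing or empty DLL path"
        return None
    m = O4_RE.match(line)
    if not m:
        return None
    path = _command_path(m.group("cmd"))
    base = path.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_ROOTS):
        return "system binary name run from outside %SystemRoot%: " + path
    if m.group("key") == "RunServices" and not base.endswith(".exe"):
        return "RunServices target is not an .exe: " + path
    return None


def triage(log_text):
    """Return (line, reason) pairs for every suspicious line in an HJT log."""
    hits = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

    Run against the full log above it reports exactly the ten entries the helper listed and none of the legitimate Java, Adobe, AVG or Comodo lines.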
     
  14. freakkk

    freakkk Thread Starter

    Joined:
    May 28, 2007
    Messages:
    60
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\qmyssbuo

    *******************

    Script file located at: \??\C:\WINDOWS\emkedalp.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    File C:\WINDOWS\system32\IExplorer.dll not found!
    Deletion of file C:\WINDOWS\system32\IExplorer.dll failed!

    Could not process line:
    C:\WINDOWS\system32\IExplorer.dll
    Status: 0xc0000034

    Folder C:\PROGRA~1\COMMON~1\MBOLS~1 deleted successfully.
    Folder C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
    -------------------------------------------------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 5:30:21 PM, on 7/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\freakkk\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_all.htm
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_link.htm
    O8 - Extra context menu item: &Save Video As... - res://C:\Program Files\videodetect\videodetect.dll/201
    O9 - Extra button: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
    O9 - Extra 'Tools' menuitem: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
     
  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    How are things now?
     
Short URL to this thread: https://techguy.org/590325