Solved: cannot remove ?ti2evxx.exe


freakkk (Thread Starter, joined May 28, 2007, 60 messages)
Hi, I scan my computer every day, and every day when I scan, ?ti2evxx.exe comes up and it says deleted. It is in C:\windows\??crosoft\?ti2evxx.exe. Could someone tell me how to remove it?
 

Cheeseball81 (Retired Moderator, joined Mar 3, 2004, 84,315 messages)
Sounds like a virus.

* Click here to download HJTsetup.exe.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
SmashD (joined Apr 14, 2005, 68 messages)
I remember fixing a computer with that problem, this is a virus.
Keep posting, ppl will help you to fix this :)
 

freakkk (Thread Starter, joined May 28, 2007, 60 messages)
Logfile of HijackThis v1.99.1
Scan saved at 6:29:27 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\freakkk\Desktop\Ms VideoGrabber\{app}\Ms VideoGrabber.exe
C:\Documents and Settings\freakkk\Desktop\Ms VideoGrabber\{app}\Clip.exe
C:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\flashget.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\freakkk\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - (no file)
O2 - BHO: (no name) - {D468E8DC-AD5E-488E-8377-5A68E294A93D} - (no file)
O2 - BHO: (no name) - {E509111A-A1AB-DD29-DF07-89ADDB947494} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_link.htm
O8 - Extra context menu item: &Save Video As... - res://C:\Program Files\videodetect\videodetect.dll/201
O9 - Extra button: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
O9 - Extra 'Tools' menuitem: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winqre32 - winqre32.dll (file missing)
O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
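The log above shows the pattern behind the opening question: the genuine C:\WINDOWS\system32\Ati2evxx.exe (ATI's hotkey poller, listed under O23) next to an imitation living in a look-alike folder, a winlogon.exe launched from a short-named Common Files subfolder (the HKCU Run entry [Arnu]), and Winlogon Notify hooks whose DLLs are missing. What follows is an added example written for this page, not HijackThis code and not part of any tool used in the thread: a small triage script that parses such a log and flags those three patterns. The directory table, the decision to treat '?' and non-ASCII letters as wildcards, and the sample log (a few lines copied from the thread plus one constructed line in which Cyrillic letters stand in for the characters the forum displayed as '?') are this example's own assumptions.

```python
"""Triage a HijackThis-style log for binaries that imitate Windows or driver
executables.  Added example for this thread; not HijackThis code and not part
of any product named in the thread."""
import ntpath
import re

# Where the genuine copy of each well-known binary lives on Windows XP
# (lower-case).  Assumption of this example: the same file name in any other
# directory, or spelled with a look-alike character, deserves a closer look.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "ati2evxx.exe": r"c:\windows\system32",  # ATI hotkey poller, the name asked about
    "explorer.exe": r"c:\windows",
}

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<rest>.*)$")


def lookalike_of(name):
    """Return the protected name that NAME imitates, or None.

    Every non-ASCII character, and a literal '?' (what a lossy code page shows
    in place of one, as in the thread's first post), is treated as a wildcard.
    An exact ASCII spelling is not a look-alike; the directory check covers it."""
    name = name.lower()
    if name.isascii() and "?" not in name:
        return None
    pattern = "".join("." if (ord(c) > 127 or c == "?") else re.escape(c) for c in name)
    return next((k for k in EXPECTED_DIR if re.fullmatch(pattern, k)), None)


def first_token(command):
    """Executable path from an autorun command: '"C:\\a b\\x.exe" -H', 'x.exe /arg'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def extract_paths(log_text):
    """Yield (section, path) for running processes, O4 autoruns and O20 hooks."""
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # a blank line ends the process list
                in_processes = False
            else:
                yield "process", line
            continue
        m = O4_RE.match(line)
        if m:
            yield "O4 %s [%s]" % (m.group("key"), m.group("name")), first_token(m.group("cmd"))
            continue
        m = O20_RE.match(line)
        if m:
            yield "O20 " + m.group("name"), m.group("rest")


def triage(log_text):
    """Return (section, path, reason) for each entry matching one of three rules."""
    findings = []
    for section, path in extract_paths(log_text):
        if section.startswith("O20") and path.endswith("(file missing)"):
            findings.append((section, path, "Winlogon Notify hook whose DLL is absent"))
            continue
        directory, name = ntpath.split(path)
        directory, name = directory.lower(), name.lower()
        known = lookalike_of(name)
        if known:
            findings.append((section, path, "file name imitates " + known))
        elif name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
            findings.append((section, path, name + " outside " + EXPECTED_DIR[name]))
    return findings


# Constructed sample: lines copied from the thread's first HijackThis log, the
# path from the opening post, and one constructed line in which Cyrillic
# letters stand in for the characters the forum rendered as '?'.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\windows\??crosoft\?ti2evxx.exe
C:\WINDOWS\Мicrosoft\Аti2evxx.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print("%-24s %-48s %s" % (section, path, reason))
```

Run against the sample it reports four entries: the two look-alike Ati2evxx paths, the winlogon.exe started from C:\PROGRA~1\COMMON~1\MBOLS~1, and the pmnll Winlogon Notify hook; the legitimate system32 copies and the SoundMan and KernelFaultCheck autoruns pass. The wildcard rule deliberately keys on the file name only, so a genuine binary that merely sits in an unusual folder is reported by the directory rule instead, which keeps the two reasons distinguishable when reading the output.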
 

Cookiegal (Karen, Administrator, Malware Specialist Coordinator, joined Aug 27, 2003, 120,257 messages)
SmashD said:
> I remember fixing a computer with that problem, this is a virus.
> Keep posting, ppl will help you to fix this :)

I think a ppl is already helping. ;)
 

Cookiegal (Karen, Administrator, Malware Specialist Coordinator, joined Aug 27, 2003, 120,257 messages)
SmashD,

Please refer to the rules concerning malware removal.

http://www.techguy.org/rules.html

Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name and authorized malware removal trainees have a blue shield next to their names. Anyone wishing to participate in a training program should contact a Moderator for more information.

Please refrain from replying to security related matters on this forum until you have presented evidence to one of the moderators or admins here that proves you to be qualified to do so. If you are not yet qualified and interested in being trained, we will be glad to help you get enrolled at one of the free online training facilities. Just PM me or one of the other moderators that work Security and we'll point you in the right direction.

Thanks in advance for your cooperation. :)
 

Cheeseball81 (Retired Moderator, joined Mar 3, 2004, 84,315 messages)
Oooof, what a mess.

Download the Trial version of Superantispyware Pro (SAS):
http://www.superantispyware.com/superantispyware.html?rid=3132


Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new Hijack This log.
 

freakkk (Thread Starter, joined May 28, 2007, 60 messages)
Logfile of HijackThis v1.99.1
Scan saved at 1:45:00 AM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\freakkk\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D468E8DC-AD5E-488E-8377-5A68E294A93D} - (no file)
O2 - BHO: (no name) - {E509111A-A1AB-DD29-DF07-89ADDB947494} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_link.htm
O8 - Extra context menu item: &Save Video As... - res://C:\Program Files\videodetect\videodetect.dll/201
O9 - Extra button: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
O9 - Extra 'Tools' menuitem: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winqre32 - winqre32.dll (file missing)
O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
--------------------------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/04/2007 at 01:38 AM

Application Version : 3.9.1008

Core Rules Database Version : 3265
Trace Rules Database Version: 1276

Scan type : Complete Scan
Total Scan Time : 01:00:04

Memory items scanned : 311
Memory threats detected : 0
Registry items scanned : 4469
Registry threats detected : 21
File items scanned : 69703
File threats detected : 90

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKLM\Software\Classes\CLSID\{8A61098D-612B-4EF2-943D-64E920684061}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A61098D-612B-4EF2-943D-64E920684061}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{8A61098D-612B-4EF2-943D-64E920684061}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}
HKCR\CLSID\{8A61098D-612B-4EF2-943D-64E920684061}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP15\A0006021.NFO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP17\A0006851.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP17\A0006860.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP17\A0007150.EXE

Adware.Tracking Cookie
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][3].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PID
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
HKLM\SOFTWARE\Microsoft\MSSMGR#LID
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP28\A0015114.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP28\A0015115.EXE
C:\WINDOWS\SYSTEM32\WNSAPII32.EXE

BearShare File Sharing Client
C:\DOCUMENTS AND SETTINGS\FREAKKK\DESKTOP\STUFF\TEDDYBEAR\BEARSHARE_PRO_V5[1].2.5.3-DIGERATI\CRACK\BEARSHARE.EXE
C:\DOCUMENTS AND SETTINGS\FREAKKK\DESKTOP\STUFF\TEDDYBEAR\BEARSHARE_PRO_V5[1].2.5.3-DIGERATI\SETUP\BSPROINSTALL\MAINDIR\BEARSHARE.EXE

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP13\A0005113.DLL

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP13\A0005117.DLL

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP18\A0007693.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D77515B0-1D6C-4389-B72F-0B2B1DEB756A}\RP4\A0000060.DLL

Adware.ClickSpring
C:\WINDOWS\CROSOF~1\TI2EVX~1.EXE
 

Cheeseball81 (Retired Moderator, joined Mar 3, 2004, 84,315 messages)
Run ActiveScan online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When the download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report.
 

freakkk (Thread Starter, joined May 28, 2007, 60 messages)
Incident | Status | Location
Spyware:Cookie/Casalemedia | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/QuestionMarket | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/SexList | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.sexlist.com/]
Spyware:Cookie/Inet-Traffic | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.inet-traffic.com/]
Spyware:Cookie/adultfriendfinder | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/SpyLog | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.spylog.com/]
Spyware:Cookie/HotLog | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/Yadro | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Reliablestats | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/Reliablestats | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[drivecleaner.com/.freeware/]
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\freakkk\Application Data\Mozilla\Firefox\Profiles\do7b1htr.default\cookies.txt[drivecleaner.com/]
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\freakkk\Cookies\[email protected][2].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
Spyware:Cookie/FastClick | Not disinfected | C:\Documents and Settings\freakkk\Cookies\[email protected][1].txt
Adware:Adware/PurityScan | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.17.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.Keygen.READ.NFO-CRD.exe][install.exe][OiUninstaller.exe][UE.exe]
Adware:Adware/OuterInfo | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.17.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.Keygen.READ.NFO-CRD.exe][install.exe][OinFP.exe]
Adware:Adware/OuterInfo | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.17.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.Keygen.READ.NFO-CRD.exe][install.exe][²ÖÇ\OinADInst.exe][Outerinfo.dll]
Adware:Adware/PurityScan | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.17.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.Keygen.READ.NFO-CRD.exe][install.exe][²ÖÇ\OinADInst.exe][²ÜÇ\KillNDrv.dll]
Adware:Adware/OuterInfo | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.17.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.Keygen.READ.NFO-CRD.exe][install.exe][²ÖÇ\OinADInst.exe][Outerinfo.exe]
Adware:Adware/PurityScan | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup\Cartoon[1].Maker.v3.17.WinAll.Incl.Keygen.READ.NFO.CRD.zip[Cartoon.Maker.v3.17.WinAll.Incl.Keygen.READ.NFO-CRD.exe][install.exe][²ÜÇ\KillNDrv.dll]
Virus:Generic Trojan | Not disinfected |
Virus:Generic Malware | Not disinfected | C:\Documents and Settings\freakkk\Desktop\stuff\XOTSPES.rar[XoftSpy SE v4.31.232\Patch\ParetoLogic Slayer v1.2 (Patch).exe]
Virus:Generic Malware | Not disinfected | C:\RECYCLER\S-1-5-21-854245398-1958367476-839522115-1004\Dc1337.rar[keygen.sfx.exe][keygen.exe][OiUninstaller.exe][UE.exe]
Virus:W32/Polipos.A | Renamed | C:\RECYCLER\S-1-5-21-854245398-1958367476-839522115-1004\Dc1463.zip[webcache.exe]
 

freakkk

Thread Starter
Logfile of HijackThis v1.99.1
Scan saved at 5:16:34 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\freakkk\LOCALS~1\Temp\Rar$EX00.828\LimeWire_4.12.3_Portable\LimeWire_4.12.3_Portable\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\freakkk\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D468E8DC-AD5E-488E-8377-5A68E294A93D} - (no file)
O2 - BHO: (no name) - {E509111A-A1AB-DD29-DF07-89ADDB947494} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_link.htm
O8 - Extra context menu item: &Save Video As... - res://C:\Program Files\videodetect\videodetect.dll/201
O9 - Extra button: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
O9 - Extra 'Tools' menuitem: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winqre32 - winqre32.dll (file missing)
O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
 

Cheeseball81

Retired Moderator
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\IExplorer.dll

Folders to delete:
C:\PROGRA~1\COMMON~1\MBOLS~1
C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)

O2 - BHO: (no name) - {D468E8DC-AD5E-488E-8377-5A68E294A93D} - (no file)

O2 - BHO: (no name) - {E509111A-A1AB-DD29-DF07-89ADDB947494} - (no file)

O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt

O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb

O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O20 - Winlogon Notify: winqre32 - winqre32.dll (file missing)

O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)


Reboot and post another Hijack This log please.
 
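The entries picked out for fixing above share a few recognisable patterns: a BHO or Winlogon Notify hook whose DLL no longer exists, a Notify entry that names a bare folder, an autorun that "runs" a DLL, and a binary carrying a core Windows process name (winlogon.exe) from a folder that is not System32. As an added example that is not part of the thread and not a HijackThis feature, the Python below applies those heuristics to entries copied from the logs posted here; the `triage` function and its reasons are my own.

```python
import re

# Constructed sample: entries copied from the HijackThis logs posted in this thread,
# mixed with benign ones, so the triage can run offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Arnu] "C:\PROGRA~1\COMMON~1\MBOLS~1\winlogon.exe" -vt yazb
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: pmnll - C:\WINDOWS\System32\pmnll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: xxywxww - xxywxww.dll (file missing)
"""

# Core Windows process names that should only ever run from the system folders.
SYSTEM_NAMES = {"winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = ("\\windows\\system32", "\\windows")

def _target_of(command):
    """Executable path from an O4 command string, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def triage(log_text):
    """Return [(entry, reason)] for HijackThis entries worth fixing."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        kind = line.split(" - ", 1)[0]
        if kind == "O2" and line.endswith("(no file)"):
            findings.append((line, "BHO registered but its DLL is gone"))
        elif kind == "O20":
            target = line.rsplit(" - ", 1)[-1]
            if target.endswith("(file missing)"):
                findings.append((line, "Winlogon Notify DLL is missing"))
            elif target.endswith("\\"):
                findings.append((line, "Winlogon Notify names a folder, not a DLL"))
        elif kind == "O4":
            m = re.match(r"O4 - (.+?): \[(.*?)\] (.*)", line)
            if not m:
                continue
            target = _target_of(m.group(3))
            folder, _, base = target.lower().rpartition("\\")
            if base.endswith(".dll"):
                findings.append((line, "autorun launches a DLL, not a program"))
            elif base in SYSTEM_NAMES and not folder.endswith(SYSTEM_DIRS):
                findings.append((line, "system process name outside the system folders"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the six suspect entries and leaves the Adobe, COMODO, SoundMan and SUPERAntiSpyware entries alone; it is a first pass for a human reviewer, not a replacement for one.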

freakkk

Thread Starter
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qmyssbuo

*******************

Script file located at: \??\C:\WINDOWS\emkedalp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\IExplorer.dll not found!
Deletion of file C:\WINDOWS\system32\IExplorer.dll failed!

Could not process line:
C:\WINDOWS\system32\IExplorer.dll
Status: 0xc0000034

Folder C:\PROGRA~1\COMMON~1\MBOLS~1 deleted successfully.
Folder C:\Documents and Settings\freakkk\Desktop\stuff\cartoonmaker_setup deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
-------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:30:21 PM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\freakkk\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\freakkk\Desktop\flash get\MAINDIR\jc_link.htm
O8 - Extra context menu item: &Save Video As... - res://C:\Program Files\videodetect\videodetect.dll/201
O9 - Extra button: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
O9 - Extra 'Tools' menuitem: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
 