
Solved: HJT Log Assistance Required

Discussion in 'Virus & Other Malware Removal' started by AdmiralZ, Feb 1, 2007.

  1. AdmiralZ (Thread Starter)
    Could someone take a look at my HijackThis report and tell me what I need to do to get all the crap off my system.

     
  2. cybertech (Retired Moderator)
  3. AdmiralZ (Thread Starter)
    Combofix Log:

    "Dougie_2" - 07-02-01 23:37:30 Service Pack 1
    ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Dougie_2\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2007-01-01 to 2007-02-01 ))))))))))))))))))))))))))))))))))


    2007-02-01 15:30 71,680 --a------ C:\WINDOWS\SYSTEM32\bsnchml.dll
    2007-02-01 15:30 59,392 --a------ C:\WINDOWS\SYSTEM32\jwszizi.dll
    2007-02-01 15:30 13,824 --a------ C:\DOCUME~1\Dougie_2\loaded.exe
    2007-02-01 08:14 70,656 --a------ C:\WINDOWS\SYSTEM32\brlaemg.dll
    2007-02-01 08:14 59,392 --a------ C:\WINDOWS\SYSTEM32\philkxn.dll
    2007-02-01 08:14 221,184 --a------ C:\WINDOWS\SYSTEM32\psc_mon.exe
    2007-01-31 13:00 95,744 --a------ C:\WINDOWS\SYSTEM32\blooetj.dll
    2007-01-30 08:37 95,744 --a------ C:\WINDOWS\SYSTEM32\fbyghbg.dll
    2007-01-29 23:52 96,256 --a------ C:\WINDOWS\SYSTEM32\rbspgil.dll
    2007-01-29 16:39 96,256 --a------ C:\WINDOWS\SYSTEM32\jtsoomf.dll
    2007-01-29 09:07 96,256 --a------ C:\WINDOWS\SYSTEM32\vsrjpkh.dll
    2007-01-28 23:33 95,744 --a------ C:\WINDOWS\SYSTEM32\dykwlnf.dll
    2007-01-28 20:16 96,256 --a------ C:\WINDOWS\SYSTEM32\zuwsmwi.dll
    2007-01-28 13:57 95,744 --a------ C:\WINDOWS\SYSTEM32\rxdyigm.dll
    2007-01-28 09:09 96,256 --a------ C:\WINDOWS\SYSTEM32\uplvigi.dll
    2007-01-27 14:02 96,256 --a------ C:\WINDOWS\SYSTEM32\jmhwawm.dll
    2007-01-27 10:51 96,256 --a------ C:\WINDOWS\SYSTEM32\hscxrzi.dll
    2007-01-26 23:14 95,744 --a------ C:\WINDOWS\SYSTEM32\pzxsagk.dll
    2007-01-26 13:01 96,768 --a------ C:\WINDOWS\SYSTEM32\iggdqxk.dll
    2007-01-26 09:31 95,744 --a------ C:\WINDOWS\SYSTEM32\mwrqive.dll
    2007-01-25 13:03 95,232 --a------ C:\WINDOWS\SYSTEM32\ylarqae.dll
    2007-01-25 08:42 95,744 --a------ C:\WINDOWS\SYSTEM32\ogqpmml.dll
    2007-01-24 08:14 96,256 --a------ C:\WINDOWS\SYSTEM32\hizuglb.dll
    2007-01-23 19:38 95,232 --a------ C:\WINDOWS\SYSTEM32\lcufcem.dll
    2007-01-23 16:01 95,744 --a------ C:\WINDOWS\SYSTEM32\ibnlqcb.dll
    2007-01-23 12:23 95,232 --a------ C:\WINDOWS\SYSTEM32\rbfbvfe.dll
    2007-01-09 23:57 112,640 --a------ C:\WINDOWS\lsb_un20.exe
    2007-01-09 23:55 <DIR> d-------- C:\Program Files\Gallan
    2007-01-07 02:06 <DIR> d-------- C:\Program Files\Audacity
    2007-01-03 19:08 93,696 --a------ C:\WINDOWS\SYSTEM32\wdokbye.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-02-01 15:41 7673 --ahs---- C:\WINDOWS\SYSTEM32\mmf.sys
    2007-02-01 15:05 -------- d-------- C:\Program Files\hijackthis
    2007-02-01 08:26 -------- d-------- C:\DOCUME~1\Dougie_2\Application Data\adobeum
    2007-01-03 10:10 93696 --a------ C:\WINDOWS\SYSTEM32\hrcopul.dll
    2006-12-26 00:22 -------- d-------- C:\DOCUME~1\Dougie_2\Application Data\sports interactive
    2006-12-26 00:13 -------- d-------- C:\Program Files\sports interactive
    2006-12-26 00:08 -------- d-------- C:\Program Files\Common Files\installshield
    2006-12-24 21:45 -------- d-------- C:\DOCUME~1\Dougie_2\Application Data\wings3d
    2006-12-24 21:33 -------- d-------- C:\Program Files\wings3d_0.98.32a
    2006-12-23 15:46 -------- d-------- C:\Program Files\Common Files\daz
    2006-12-23 02:47 -------- d-------- C:\Program Files\daz
    2006-12-21 14:44 -------- d-------- C:\Program Files\ds9
    2006-12-21 00:43 94208 --a------ C:\WINDOWS\SYSTEM32\gqljkoj.dll
    2006-12-21 00:22 -------- d-------- C:\Program Files\gds
    2006-12-20 19:53 -------- d-------- C:\Program Files\quicktime
    2006-12-20 19:39 -------- d-------- C:\Program Files\itunes
    2006-12-20 19:38 -------- d-------- C:\Program Files\google
    2006-12-20 19:29 -------- d-------- C:\Program Files\finepixviewer
    2006-12-20 17:59 93696 --a------ C:\WINDOWS\SYSTEM32\zkmqfsi.dll
    2006-12-20 14:52 -------- d-------- C:\Program Files\grisoft
    2006-12-20 13:35 -------- d--h----- C:\Program Files\installshield installation information
    2006-12-20 13:17 93696 --a------ C:\WINDOWS\SYSTEM32\ansfsrg.dll
    2006-12-14 21:21 -------- d-------- C:\Program Files\educational simulations
    2006-12-11 18:40 91648 --a------ C:\WINDOWS\SYSTEM32\vyxeevm.dll
    2006-12-07 19:07 -------- d-------- C:\Program Files\ultimate defender
    2006-12-05 15:07 32256 --a------ C:\WINDOWS\SYSTEM32\dzbryce6.dll
    2006-12-05 15:00 6144000 --a------ C:\WINDOWS\SYSTEM32\dzcore.dll
    2006-12-05 15:00 180224 --a------ C:\WINDOWS\SYSTEM32\dzwrapper.dll
    2006-11-20 16:25 4984832 --a------ C:\WINDOWS\SYSTEM32\daz-qt-mt.dll
    2006-11-20 16:25 1343488 --a------ C:\WINDOWS\SYSTEM32\daz-qsa.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Sonic RecordNow!"=""
    "atiupdate"=""
    "NOMAD Detector"="\"C:\\Program Files\\Creative\\PlayCenter2\\CTNMRUN.EXE\""
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "3a5c6b29.exe"="C:\\Documents and Settings\\Dougie_2\\Local Settings\\Application Data\\3a5c6b29.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
    "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
    "Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
    "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "3a5c6b29.exe"="C:\\WINDOWS\\System32\\3a5c6b29.exe"
    "philkxn.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\philkxn.dll,tnvjzof"
    "Personal Security Center Monitor"="C:\\WINDOWS\\System32\\psc_mon.exe"
    "jwszizi.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\jwszizi.dll,uxdnhxb"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    @=""
    "NoCDBurning"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "_NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
    "ktohkhblk.exe"="C:\\WINDOWS\\system\\ktohkhblk.exe"
    "rnrfv.exe"="C:\\WINDOWS\\system\\rnrfv.exe"
    "msgcaplv.exe"="C:\\WINDOWS\\system\\msgcaplv.exe"
    "wsmhtr.exe"="C:\\WINDOWS\\system\\wsmhtr.exe"
    "rjrei.exe"="C:\\WINDOWS\\system\\rjrei.exe"
    "gcilch.exe"="C:\\WINDOWS\\system\\gcilch.exe"
    "wxgwd.exe"="C:\\WINDOWS\\system\\wxgwd.exe"
    "krjgtman.exe"="C:\\WINDOWS\\system\\krjgtman.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    Usnsvc REG_MULTI_SZ usnsvc\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a05761fd-a683-11d8-96ce-806d6172696f}]
    Shell\AutoRun\command D:\autorun.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\ISP signup reminder 1.job

    Completion time: 07-02-01 23:47:51
     
  4. cybertech (Retired Moderator)
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {6EB2C10B-C07F-EEAD-2395-07973B88015D} - C:\WINDOWS\System32\brlaemg.dll
    O4 - HKLM\..\Run: [philkxn.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\philkxn.dll,tnvjzof
    O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINDOWS\System32\psc_mon.exe
    O4 - HKCU\..\Run: [3a5c6b29.exe] C:\Documents and Settings\Dougie_2\Local Settings\Application Data\3a5c6b29.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: GetMP3 - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\GetMP3 (file missing)

    Close all applications and browser windows before you click "fix checked".


    Open Notepad. Copy and paste the quote box below into Notepad.
    Choose Save As, select All Files, name it fix.reg and place it on your desktop.

    Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes.


    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy the entire contents of the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh hijackthis log.
     
  5. AdmiralZ (Thread Starter)
    I can't open notepad for some reason, I press the button but nothing happens. Any idea why this could be?
     
  6. cybertech (Retired Moderator)
  7. AdmiralZ (Thread Starter)
    Avenger Log:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\ovyauijk

    *******************

    Script file located at: \??\C:\Documents and Settings\jvvfnhgp.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\DOCUME~1\Dougie_2\loaded.exe deleted successfully.
    File C:\Documents and Settings\Dougie_2\Local Settings\Application Data\3a5c6b29.exe deleted successfully.
    File C:\WINDOWS\lsb_un20.exe deleted successfully.


    File C:\WINDOWS\system\gcilch.exe not found!
    Deletion of file C:\WINDOWS\system\gcilch.exe failed!

    Could not process line:
    C:\WINDOWS\system\gcilch.exe
    Status: 0xc0000034



    File C:\WINDOWS\system\krjgtman.exe not found!
    Deletion of file C:\WINDOWS\system\krjgtman.exe failed!

    Could not process line:
    C:\WINDOWS\system\krjgtman.exe
    Status: 0xc0000034



    File C:\WINDOWS\system\ktohkhblk.exe not found!
    Deletion of file C:\WINDOWS\system\ktohkhblk.exe failed!

    Could not process line:
    C:\WINDOWS\system\ktohkhblk.exe
    Status: 0xc0000034



    File C:\WINDOWS\system\msgcaplv.exe not found!
    Deletion of file C:\WINDOWS\system\msgcaplv.exe failed!

    Could not process line:
    C:\WINDOWS\system\msgcaplv.exe
    Status: 0xc0000034



    File C:\WINDOWS\system\rjrei.exe not found!
    Deletion of file C:\WINDOWS\system\rjrei.exe failed!

    Could not process line:
    C:\WINDOWS\system\rjrei.exe
    Status: 0xc0000034



    File C:\WINDOWS\system\rnrfv.exe not found!
    Deletion of file C:\WINDOWS\system\rnrfv.exe failed!

    Could not process line:
    C:\WINDOWS\system\rnrfv.exe
    Status: 0xc0000034



    File C:\WINDOWS\system\wsmhtr.exe not found!
    Deletion of file C:\WINDOWS\system\wsmhtr.exe failed!

    Could not process line:
    C:\WINDOWS\system\wsmhtr.exe
    Status: 0xc0000034



    File C:\WINDOWS\system\wxgwd.exe not found!
    Deletion of file C:\WINDOWS\system\wxgwd.exe failed!

    Could not process line:
    C:\WINDOWS\system\wxgwd.exe
    Status: 0xc0000034

    File C:\WINDOWS\System32\3a5c6b29.exe deleted successfully.
    File C:\WINDOWS\SYSTEM32\ansfsrg.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\blooetj.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\brlaemg.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\bsnchml.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\dykwlnf.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\fbyghbg.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\gqljkoj.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\hizuglb.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\hrcopul.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\hscxrzi.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\ibnlqcb.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\iggdqxk.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\jmhwawm.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\jtsoomf.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\jwszizi.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\lcufcem.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\mwrqive.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\ogqpmml.dll deleted successfully.
    File C:\WINDOWS\System32\philkxn.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\psc_mon.exe deleted successfully.
    File C:\WINDOWS\SYSTEM32\pzxsagk.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\rbfbvfe.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\rbspgil.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\rxdyigm.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\uplvigi.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\vsrjpkh.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\vyxeevm.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\wdokbye.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\ylarqae.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\zkmqfsi.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\zuwsmwi.dll deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  8. AdmiralZ (Thread Starter)
    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 14:41:05, on 03/02/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\runservice.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.tiscali.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4218C234-8B55-7B5C-0DC4-02C4E551896C} - C:\WINDOWS\System32\lfzglqc.dll
    O2 - BHO: (no name) - {51771211-D409-F4D9-CF59-00504F895E21} - C:\WINDOWS\System32\bsnchml.dll (file missing)
    O2 - BHO: (no name) - {5313DACB-4196-E725-3542-0B2D5DFF4498} - C:\WINDOWS\System32\blamntj.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [3a5c6b29.exe] C:\WINDOWS\System32\3a5c6b29.exe
    O4 - HKLM\..\Run: [jwszizi.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\jwszizi.dll,uxdnhxb
    O4 - HKLM\..\Run: [hcbzwfd.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\hcbzwfd.dll,lqwjbwc
    O4 - HKLM\..\Run: [fqznfrb.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fqznfrb.dll,jdcdgob
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {B93AC13A-2E2F-428c-A426-2C131FAD7305} - (no file) (HKCU)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110069436593
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://intranet.bedfordschool.org.uk/tsweb/msrdp.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{52DE1572-A4C5-41FC-A905-F04A5B8E67AD}: NameServer = 212.139.132.21 212.139.132.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{52DE1572-A4C5-41FC-A905-F04A5B8E67AD}: NameServer = 212.139.132.21 212.139.132.20
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
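As an added example (not from the thread, and not a HijackThis, ComboFix or Avenger feature), a small Python triage helper that applies the checks cybertech made by hand: it cross-references HijackThis O2/O4 autostart targets with ComboFix's "Files Created" list and flags files created inside the scan window, unnamed BHOs loading from the Windows directory, rundll32 entries loading a System32 DLL by an opaque export name, and orphaned "(file missing)" entries. The sample lines are copied from the logs above; the scan date, the 30-day window and the heuristics themselves are assumptions.

```python
"""Triage helper for the HijackThis and ComboFix logs in this thread (example code
written for this page; not part of either tool).  Cross-references O2/O4
autostart entries with ComboFix's 'Files Created' block and applies the checks a
helper would otherwise make by eye."""
import re
from datetime import datetime, timedelta

# Constructed sample input: lines copied from the logs above, good and bad mixed.
COMBOFIX_CREATED = r"""
2007-02-01 15:30 71,680 --a------ C:\WINDOWS\SYSTEM32\bsnchml.dll
2007-02-01 15:30 59,392 --a------ C:\WINDOWS\SYSTEM32\jwszizi.dll
2007-02-01 08:14 221,184 --a------ C:\WINDOWS\SYSTEM32\psc_mon.exe
2007-01-09 23:57 112,640 --a------ C:\WINDOWS\lsb_un20.exe
2007-01-07 02:06 <DIR> d-------- C:\Program Files\Audacity
"""
HJT_LINES = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {51771211-D409-F4D9-CF59-00504F895E21} - C:\WINDOWS\System32\bsnchml.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINDOWS\System32\psc_mon.exe
O4 - HKLM\..\Run: [jwszizi.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\jwszizi.dll,uxdnhxb
O4 - HKLM\..\Run: [hcbzwfd.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\hcbzwfd.dll,lqwjbwc
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
SCAN_DATE = datetime(2007, 2, 1)  # date of the ComboFix run above (assumed)

CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\S+\s+\S+\s+(.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+?)( \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(\S+\.dll),(\w+)", re.IGNORECASE)


def parse_created(text):
    """Map lower-cased path -> creation time from ComboFix's 'Files Created' block."""
    created = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[m.group(2).lower()] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
    return created


def target_of(cmd):
    """Return (path, export): the file an O4 command really loads.  For rundll32
    that is the DLL and its export name; for anything else the executable itself."""
    m = RUNDLL_RE.search(cmd)
    if m:
        return m.group(1), m.group(2)
    if cmd.startswith('"'):                      # quoted path containing spaces
        return cmd[1:cmd.index('"', 1)], None
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd), None


def triage(hjt_text, combofix_text, scan_date, window_days=30):
    """Return {hjt_line: [reasons]} for the O2/O4 entries that deserve a look."""
    created = parse_created(combofix_text)
    cutoff = scan_date - timedelta(days=window_days)
    findings = {}
    for line in hjt_text.splitlines():
        line = line.strip()
        path = export = None
        unnamed = missing = False
        m = O2_RE.match(line)
        if m:
            unnamed, path, missing = m.group(1) == "(no name)", m.group(2), bool(m.group(3))
        else:
            m = O4_RE.match(line)
            if m:
                path, export = target_of(m.group(3))
        if path is None:
            continue                             # other HJT sections are not handled here
        low = path.lower()
        in_windows = low.startswith("c:\\windows\\")
        when = created.get(low)
        reasons = []
        if when and when >= cutoff:
            reasons.append(f"created {when:%Y-%m-%d %H:%M}, inside the ComboFix window")
        if unnamed and in_windows:
            # '(no name)' alone is not a signal: Spybot's SDHelper has no name either,
            # but it lives under Program Files, so it is not flagged.
            reasons.append("unnamed BHO loading from the Windows directory")
        if export and in_windows and re.fullmatch(r"[a-z]{6,}", export):
            reasons.append(f"rundll32 loads a system DLL by opaque export '{export}'")
        if missing:
            reasons.append("orphaned entry, file already gone: remove the registry reference")
        if reasons:
            findings[line] = reasons
    return findings


def run_example():
    """Triage the sample HJT lines against the sample ComboFix list."""
    return triage(HJT_LINES, COMBOFIX_CREATED, SCAN_DATE)


if __name__ == "__main__":
    for entry, reasons in run_example().items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

On the sample above this flags bsnchml.dll, psc_mon.exe, jwszizi.dll and hcbzwfd.dll and leaves the Adobe, Spybot, Java and ctfmon entries alone; hcbzwfd.dll is caught by the rundll32 heuristic alone because it was created after the ComboFix run.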
     
  9. AdmiralZ (Thread Starter)
    And thanks for the Notepad thing, I've been trying to find a solution to that for a while!
     
  10. cybertech (Retired Moderator)
    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.



    Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Scan with AVG Anti-Spyware as follows:
    1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan?" check all (default).
    • Under "Possibly unwanted software" check all (default).
    • Under "What to Scan?" make sure "Scan every file" is selected (default).
    • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
    2. Click the "Scan" tab to return to scanning options.
    3. Click "Complete System Scan" to start.
    4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

    5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.

    Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

    Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
    1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

    2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
     
  11. AdmiralZ

    AdmiralZ Thread Starter

    Joined:
    Apr 1, 2005
    Messages:
    219
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 17:16:38 05/02/2007

    + Scan result:

    HKU\S-1-5-21-1967298908-2851811609-1981617496-1009\Software\Classes\CLSID\{00CEAF8F-BF59-429b-A1D9-91C88CCFE94B} -> Adware.ABXToolbar : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1967298908-2851811609-1981617496-1009_Classes\CLSID\{00CEAF8F-BF59-429b-A1D9-91C88CCFE94B} -> Adware.ABXToolbar : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP129\A0014744.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
    C:\avenger\backup.zip/avenger/psc_mon.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
    C:\avenger\backup-03.02.2007-14.38.30.15.zip/avenger/ansfsrg.dll -> Downloader.Busky : Cleaned with backup (quarantined).
    C:\avenger\backup-03.02.2007-14.38.30.15.zip/avenger/hnujvpc.dll -> Downloader.Busky : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP106\A0010522.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP106\A0010541.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP107\A0010561.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP107\A0010581.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP107\A0010616.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP108\A0010640.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP109\A0010657.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP109\A0010682.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP110\A0010709.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP110\A0010722.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0010745.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP112\A0011752.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP112\A0011774.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP113\A0011797.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP113\A0011811.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP114\A0011849.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP114\A0011874.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP114\A0011900.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP115\A0011915.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP115\A0012915.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP115\A0012926.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP116\A0012987.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP116\A0013057.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP117\A0013136.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP117\A0013147.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP129\A0014730.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP129\A0014752.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\avenger\backup.zip/avenger/hrcopul.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\avenger\backup.zip/avenger/wdokbye.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][2].txt -> TrackingCookie.Adtech : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][2].txt -> TrackingCookie.Adviva : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][2].txt -> TrackingCookie.Bluestreak : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Dougie_2\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\WINDOWS\SYSTEM32\out.dll -> Trojan.Agent.adl : Cleaned with backup (quarantined).

    ::Report end
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please post your HJT log again and let's get that cleaned up.
     
  13. AdmiralZ

    AdmiralZ Thread Starter

    Joined:
    Apr 1, 2005
    Messages:
    219
    Logfile of HijackThis v1.99.1
    Scan saved at 01:57:13, on 06/02/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\runservice.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.tiscali.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4218C234-8B55-7B5C-0DC4-02C4E551896C} - C:\WINDOWS\System32\lfzglqc.dll
    O2 - BHO: (no name) - {51771211-D409-F4D9-CF59-00504F895E21} - C:\WINDOWS\System32\bsnchml.dll (file missing)
    O2 - BHO: (no name) - {5313DACB-4196-E725-3542-0B2D5DFF4498} - C:\WINDOWS\System32\blamntj.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [3a5c6b29.exe] C:\WINDOWS\System32\3a5c6b29.exe
    O4 - HKLM\..\Run: [jwszizi.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\jwszizi.dll,uxdnhxb
    O4 - HKLM\..\Run: [hcbzwfd.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\hcbzwfd.dll,lqwjbwc
    O4 - HKLM\..\Run: [fqznfrb.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fqznfrb.dll,jdcdgob
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110069436593
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://intranet.bedfordschool.org.uk/tsweb/msrdp.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{52DE1572-A4C5-41FC-A905-F04A5B8E67AD}: NameServer = 212.139.132.21 212.139.132.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{52DE1572-A4C5-41FC-A905-F04A5B8E67AD}: NameServer = 212.139.132.21 212.139.132.20
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {4218C234-8B55-7B5C-0DC4-02C4E551896C} - C:\WINDOWS\System32\lfzglqc.dll
    O2 - BHO: (no name) - {51771211-D409-F4D9-CF59-00504F895E21} - C:\WINDOWS\System32\bsnchml.dll (file missing)
    O2 - BHO: (no name) - {5313DACB-4196-E725-3542-0B2D5DFF4498} - C:\WINDOWS\System32\blamntj.dll
    O4 - HKLM\..\Run: [3a5c6b29.exe] C:\WINDOWS\System32\3a5c6b29.exe
    O4 - HKLM\..\Run: [jwszizi.dll] C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\jwszizi.dll,uxdnhxb
    O4 - HKLM\..\Run: [hcbzwfd.dll] C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\hcbzwfd.dll,lqwjbwc
    O4 - HKLM\..\Run: [fqznfrb.dll] C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\fqznfrb.dll,jdcdgob

    Close all applications and browser windows before you click "fix checked".


    Double-click on Killbox.exe to run it.
    Put a tick by Delete on Reboot.
    Copy the following list of files to clipboard, CTRL+C to copy

    C:\WINDOWS\System32\jwszizi.dll
    C:\WINDOWS\System32\3a5c6b29.exe
    C:\WINDOWS\System32\lfzglqc.dll


    Now in Killbox go to File, Paste from clipboard.
    Click the All Files button.
    Click on the button that has the red circle with the X in the middle.
    It will ask for confirmation to delete the file.
    Click Yes.
    It will ask if you want to reboot now,
    Click Yes.

    Note: It is possible that Killbox will tell you that the file does not exist.

    If your computer does not restart automatically then please restart it manually.
    If you get an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.




    Click Here and download Killbox and save it to your desktop.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


    Run Panda ActiveScan here

    Once you are on the Panda site click the "Scan your PC" button.
    A new window will open... click the "Check Now" button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address.
    Select either Home User or Company.
    Click the big "Scan Now" button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
    When download is complete, click on "Local Disks" to start the scan.
    When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.


    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!


    Reboot to safe mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.

    Reboot to normal mode.

    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
    Use the Add Reply button and Copy/Paste the information back here in your next reply.
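A small triage script for the kind of HJT entries marked for fixing above, added here as an illustration and not part of cybertech's post or of HijackThis itself. The rule set (nameless BHOs loaded from System32, rundll32 autostarts of System32 DLLs by export name, hex-named executables in System32) is my reading of which entries were singled out; the sample lines are copied from the log posted in this thread, with benign entries mixed in to show what is not flagged.

```python
"""Triage HijackThis (HJT) log lines with the fix-this rules applied in this thread.

Added example (not part of the original post and not HijackThis code). The rule set
is an assumption drawn from which entries the helper told the poster to fix.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT log posted in the thread, mixing the
# entries the helper flagged with benign ones (Adobe, Spybot, Java, ctfmon).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4218C234-8B55-7B5C-0DC4-02C4E551896C} - C:\WINDOWS\System32\lfzglqc.dll
O2 - BHO: (no name) - {51771211-D409-F4D9-CF59-00504F895E21} - C:\WINDOWS\System32\bsnchml.dll (file missing)
O2 - BHO: (no name) - {5313DACB-4196-E725-3542-0B2D5DFF4498} - C:\WINDOWS\System32\blamntj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [3a5c6b29.exe] C:\WINDOWS\System32\3a5c6b29.exe
O4 - HKLM\..\Run: [jwszizi.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\jwszizi.dll,uxdnhxb
O4 - HKLM\..\Run: [hcbzwfd.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\hcbzwfd.dll,lqwjbwc
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM32_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\rundll32\.exe\s+(?P<dll>\S+?),(?P<export>\S+)$",
                       re.IGNORECASE)
HEX_EXE_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)


def basename(win_path: str) -> str:
    """Last component of a Windows path."""
    return win_path.rsplit("\\", 1)[-1]


@dataclass(frozen=True)
class Finding:
    line: str      # the HJT line that triggered a rule
    file: str      # the file the entry loads or runs
    reason: str    # which rule fired


def triage(log_text: str) -> list[Finding]:
    """Return the entries matching the thread's fix-this rules, in log order."""
    findings: list[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            # Rule 1: nameless BHO whose DLL sits in System32. The Spybot helper is also
            # "(no name)" but lives under Program Files, so it is not flagged.
            if m.group("name") == "(no name)" and SYSTEM32_RE.match(m.group("path")):
                tag = " (file missing, registration left behind)" if m.group("missing") else ""
                findings.append(Finding(line, basename(m.group("path")),
                                        "unnamed BHO loaded from System32" + tag))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        r = RUNDLL_RE.match(cmd)
        if r and SYSTEM32_RE.match(r.group("dll")):
            # Rule 2: rundll32 autostart of a System32 DLL through a named export.
            findings.append(Finding(line, basename(r.group("dll")),
                                    f"rundll32 autostart via export {r.group('export')}"))
        elif SYSTEM32_RE.match(cmd) and HEX_EXE_RE.match(basename(cmd)):
            # Rule 3: an 8-hex-digit executable name in System32 (ctfmon.exe does not match).
            findings.append(Finding(line, basename(cmd), "hex-named executable in System32"))
    return findings


def flagged_files(log_text: str) -> set[str]:
    """Just the file names, handy for comparing against a removal list."""
    return {f.file for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.file:15} {f.reason}")
```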
     
  15. AdmiralZ

    AdmiralZ Thread Starter

    Joined:
    Apr 1, 2005
    Messages:
    219
    Vundo Report:

    PS: I find it highly unlikely that this is true.
     

Short URL to this thread: https://techguy.org/540186
