
Solved: ww32.exe

Discussion in 'Virus & Other Malware Removal' started by PersianGuy, Jul 22, 2006.

  1. PersianGuy

    PersianGuy Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    15
    Hi,

    First of all, sorry for my bad English.

    Mode 1, Antivirus (Kaspersky) is disabled:

    Almost every time I connect to the internet, an unwanted download happens automatically and two files named "aoh.zip" and "ww32.exe" are saved in the "C:\Documents and Settings\Saman" directory.

    Then "ww32.exe" begins extracting its files automatically.
    Here is the "ww32.exe" comment:

    "Setup=cmd.exe /C start dotdr.exe&rundll32.exe dotrm.dll,Start
    Silent=1"

    Then, if I remember right, a "cmd.exe" window quickly opens and closes, and finally these files are created in the "C:\Documents and Settings\Saman" directory:

    "dotrm.dll" and "dotdr.exe"

    I searched for "cmd.exe" and deleted it to prevent "dotrm.dll" and "dotdr.exe" from installing, but it didn't work: after deleting it, every time I connect to the internet, "dotrm.dll" and "dotdr.exe" are installed and then this error message appears:

    "Windows cannot find cmd.exe ..."

    If I activate my antivirus, it finds "dotrm.dll", "dotdr.exe", "ww32.exe" and "aoh.zip" and deletes them, but the next time I connect to the internet they are downloaded and created again.

    --------------

    Mode 2, Antivirus is enabled:

    When I connect to the internet, if my antivirus is active, it prevents the download and tells me that "aoh.zip" is trying to download itself from this address:

    http://www.phatpipe.be:80/aoh.zip

    It then tells me it's a virus (IM-Worm.Win32.Opanki.ao) and can be disinfected. I accept disinfecting. Then the antivirus alerts me about "Trojan-Downloader.Win32.ConHook.ad", saying that this file has that trojan:

    http://www.phatpipe.be:80/ww32.zip/data.rar/dotrm.dll

    And then it alerts me about another trojan (if I remember right).

    Finally, two files of 0 kilobytes in size remain in the "C:\Documents and Settings\Saman" directory:

    "ww32.exe" and "aoh.zip".

    But the next time I connect to the internet, everything starts again and I'm tired of these alerts. I have tried other antivirus software like "Panda" or "Avir Personal" but they also failed to solve my problem.

    Sometimes RUNDLL32.EXE uses my CPU and I have a very slow PC!

    What should I do to solve these problems?

    Please help me.

    Best regards,

    Thank you.
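As an added example (not code from the thread or from any vendor), here is a small Python parser for the WinRAR-style SFX comment quoted above; it shows why a `Setup=` line chaining cmd.exe and rundll32 under `Silent=1` behaves like a silent dropper. The system-binary list and the scoring are this example's own heuristics.

```python
"""Parse a WinRAR-style SFX comment and describe what runs after extraction.

Added example for the thread above, not code from the thread or a vendor.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# The SFX comment quoted in the first post, reproduced here as sample input.
SAMPLE_COMMENT = """Setup=cmd.exe /C start dotdr.exe&rundll32.exe dotrm.dll,Start
Silent=1"""

# Signed Windows binaries that droppers commonly borrow to launch a payload.
# Hypothetical list for this example, not exhaustive.
LOLBINS = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "powershell.exe"}


@dataclass
class SfxScript:
    setup: List[str] = field(default_factory=list)  # programs run after extraction
    silent: int = 0        # WinRAR SFX: 1 suppresses the start dialog, 2 all dialogs
    other: Dict[str, str] = field(default_factory=dict)


def parse_sfx_comment(text: str) -> SfxScript:
    """Read the Key=Value lines of an SFX comment; ';' starts a comment line."""
    script = SfxScript()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "setup":
            script.setup.append(value)
        elif key == "silent":
            script.silent = int(value) if value.isdigit() else 1
        else:
            script.other[key] = value
    return script


def split_chain(command: str) -> List[str]:
    """Split a cmd.exe command line on its '&' / '&&' operators."""
    return [part.strip() for part in re.split(r"\s*&&?\s*", command) if part.strip()]


def launched_binaries(script: SfxScript) -> List[str]:
    """Every executable or DLL referenced by the Setup commands, in launch order."""
    found: List[str] = []
    for command in script.setup:
        for segment in split_chain(command):
            for token in segment.split():
                # 'dotrm.dll,Start' names a DLL plus the export rundll32 will call
                name = token.split(",")[0].lower()
                if name.endswith((".exe", ".dll")) and name not in found:
                    found.append(name)
    return found


def assess(script: SfxScript) -> List[str]:
    """Return the reasons this SFX script looks like a silent dropper (empty if none)."""
    reasons: List[str] = []
    if script.silent:
        reasons.append(f"Silent={script.silent}: extraction and Setup run without dialogs")
    for command in script.setup:
        for segment in split_chain(command):
            program = segment.split()[0].lower()
            if program in LOLBINS:
                reasons.append(f"Setup launches system binary {program}: {segment}")
            if program == "rundll32.exe" and re.search(r"\.dll,\w+", segment, re.I):
                reasons.append("rundll32 calls an export of a DLL shipped inside the archive")
            if program == "cmd.exe" and re.search(r"\bstart\b", segment, re.I):
                reasons.append("cmd.exe /C start detaches the payload so the SFX window closes at once")
    return reasons


if __name__ == "__main__":
    parsed = parse_sfx_comment(SAMPLE_COMMENT)
    print("binaries:", launched_binaries(parsed))
    for reason in assess(parsed):
        print("-", reason)
```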
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!

    Click here to download HJTsetup.exe
    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. PersianGuy

    PersianGuy Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    15
    Hi again,
    Here is the logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:10:03 PM, on 7/23/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Firefox\firefox.exe
    D:\GetRight\getright.exe
    D:\GetRight\getright.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Yahoo!\ypager.exe
    D:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.bazicenter.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://forums.bazicenter.com/"); (C:\Documents and Settings\Saman\Application Data\Mozilla\Profiles\default\yjwfbh4x.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Saman\Application Data\Mozilla\Profiles\default\yjwfbh4x.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2EBD36F4-F281-48F5-A424-05683815C197} - C:\WINDOWS\System32\efccc.dll (file missing)
    O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [implib] rundll32.exe C:\WINDOWS\System32\implib.dll,start
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
    O4 - HKLM\..\Run: [kav] "C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\ypager.exe" -quiet
    O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: Flash Grabber - C:\Program Files\Flash Grabber\CatchURL.htm
    O8 - Extra context menu item: Show all images in original quality - E:\www.cproxy.com\originalAll.htm
    O8 - Extra context menu item: Show image in original quality - E:\www.cproxy.com\original.htm
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Flash Grabber - {EA4492CA-ADA0-11D5-92AE-00B0D03F0921} - C:\Program Files\Flash Grabber\CatchURL.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {15A8CB61-8CAF-11DA-A418-00E098C39BC7} (RSIDownload.RSI_Download) - http://rs.cetizen.com/RealSize/Application/RSIDownload.CAB
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1ED022B2-5DB5-4295-B607-B973A407D57E}: NameServer = 80.253.128.29 80.253.128.5
    O17 - HKLM\System\CS7\Services\Tcpip\..\{1ED022B2-5DB5-4295-B607-B973A407D57E}: NameServer = 80.253.128.29 80.253.128.5
    O20 - Winlogon Notify: efccc - C:\WINDOWS\System32\efccc.dll (file missing)
    O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
    O23 - Service: NT Net Driver (NtNav) (NtNav) - Unknown owner - C:\WINDOWS\system32\netnav.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O20 - Winlogon Notify: efccc - C:\WINDOWS\System32\efccc.dll (file missing)
    O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)

    Close all applications and browser windows before you click "fix checked".


    Please download Webroot SpySweeper from here: http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

    (It's a 2 week trial.)

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.

    Also post a new Hijack This log.
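As an added example (not the thread's or HijackThis's own code), a Python triage that applies the moderator's selection criteria above to lines copied from the posted log; it also flags the unnamed O2 BHO and the NtNav service, which meet the same criteria but were not ticked in the reply.

```python
"""Triage a HijackThis 1.99 log for entries a removal helper would tick.

Added example for the thread above, not code from HijackThis or the thread.
Rules: O16 DPF objects registered from a local file:// .cab, O20 Winlogon
Notify DLLs that no longer exist, O23 services with no owner and a missing
binary, and (extra heuristic) an unnamed O2 BHO whose DLL is missing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the HijackThis log posted in the thread, benign lines included so
# the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EBD36F4-F281-48F5-A424-05683815C197} - C:\WINDOWS\System32\efccc.dll (file missing)
O4 - HKLM\..\Run: [kav] "C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O20 - Winlogon Notify: efccc - C:\WINDOWS\System32\efccc.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: NT Net Driver (NtNav) (NtNav) - Unknown owner - C:\WINDOWS\system32\netnav.exe (file missing)
""".strip()

FILE_MISSING = "(file missing)"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+)\s+-\s+(?P<rest>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O16"
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Apply the removal heuristics to one log line; None means leave it alone."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None   # header, process list, blank line
    section, rest = m.group("section"), m.group("rest")
    missing = rest.endswith(FILE_MISSING)

    if section == "O16" and re.search(r"\s-\s+file://", rest, re.IGNORECASE):
        # Downloaded Program Files normally point back at the vendor's URL; a
        # local file:// .cab registered under a throwaway CLSID is a dropper.
        return Finding(section, "DPF object registered from a local file:// .cab", line)
    if section == "O20" and missing:
        # Winlogon Notify DLLs load into winlogon at boot; a dangling entry is
        # the footprint of a component the antivirus already deleted.
        return Finding(section, "Winlogon Notify handler whose DLL is missing", line)
    if section == "O23" and "Unknown owner" in rest and missing:
        # No vendor string AND no binary on disk: nothing legitimate to keep.
        return Finding(section, "service with no owner and a missing binary", line)
    if section == "O2" and "(no name)" in rest and missing:
        return Finding(section, "unnamed BHO whose DLL is missing", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return every flagged entry in log order."""
    return [f for f in (classify(entry) for entry in log_text.splitlines()) if f]


def fix_list(log_text: str) -> List[str]:
    """The lines to tick in HijackThis, in the order they appear in the log."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section}: {finding.reason}\n    {finding.line}")
```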
     
  5. PersianGuy

    PersianGuy Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    15
    Hi again,

    Here is the Spy Sweeper's logfile contents:

    Operation: File Access
    Target:
    Source: C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\WINWORD.EXE
    10:57 PM: Tamper Detection
    10:53 PM: Deletion from quarantine completed. Elapsed time 00:00:04
    10:53 PM: Processing: burstnet cookie
    10:53 PM: Processing: commission junction cookie
    10:53 PM: Processing: ru4 cookie
    10:53 PM: Processing: bannerbank cookie
    10:53 PM: Processing: adecn cookie
    10:53 PM: Processing: webtrends cookie
    10:53 PM: Processing: webtrends cookie
    10:53 PM: Processing: specificclick.com cookie
    10:53 PM: Processing: falkag cookie
    10:53 PM: Processing: techtarget cookie
    10:53 PM: Processing: bizrate cookie
    10:53 PM: Processing: adbureau cookie
    10:53 PM: Processing: monstermarketplace cookie
    10:53 PM: Processing: pcstats.com cookie
    10:53 PM: Processing: rambler cookie
    10:53 PM: Processing: directtrack cookie
    10:53 PM: Processing: tripod cookie
    10:53 PM: Processing: ask cookie
    10:53 PM: Processing: revenue.net cookie
    10:53 PM: Processing: nextag cookie
    10:53 PM: Processing: nextag cookie
    10:53 PM: Processing: adjuggler cookie
    10:53 PM: Processing: cardomain cookie
    10:53 PM: Processing: stlyrics cookie
    10:53 PM: Processing: stlyrics cookie
    10:53 PM: Processing: overture cookie
    10:53 PM: Processing: overture cookie
    10:53 PM: Processing: overture cookie
    10:53 PM: Processing: overture cookie
    10:53 PM: Processing: realtracker cookie
    10:53 PM: Processing: realtracker cookie
    10:53 PM: Processing: starware.com cookie
    10:53 PM: Processing: starware.com cookie
    10:53 PM: Processing: starware.com cookie
    10:53 PM: Processing: starware.com cookie
    10:53 PM: Processing: adlegend cookie
    10:53 PM: Processing: bravenet cookie
    10:53 PM: Processing: bravenet cookie
    10:53 PM: Processing: bravenet cookie
    10:53 PM: Processing: bravenet cookie
    10:53 PM: Processing: tacoda cookie
    10:53 PM: Processing: tacoda cookie
    10:53 PM: Processing: tacoda cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: 2o7.net cookie
    10:53 PM: Processing: addynamix cookie
    10:53 PM: Processing: addynamix cookie
    10:53 PM: Processing: addynamix cookie
    10:53 PM: Processing: questionmarket cookie
    10:53 PM: Processing: dealtime cookie
    10:53 PM: Processing: dealtime cookie
    10:53 PM: Processing: dealtime cookie
    10:53 PM: Processing: dealtime cookie
    10:53 PM: Processing: dealtime cookie
    10:53 PM: Processing: valuead cookie
    10:53 PM: Processing: valuead cookie
    10:53 PM: Processing: valuead cookie
    10:53 PM: Processing: valuead cookie
    10:53 PM: Processing: adknowledge cookie
    10:53 PM: Processing: adknowledge cookie
    10:53 PM: Processing: adserver cookie
    10:53 PM: Processing: adserver cookie
    10:53 PM: Processing: adserver cookie
    10:53 PM: Processing: about cookie
    10:53 PM: Processing: about cookie
    10:53 PM: Processing: about cookie
    10:53 PM: Processing: about cookie
    10:53 PM: Processing: about cookie
    10:53 PM: Processing: about cookie
    10:53 PM: Processing: about cookie
    10:53 PM: Processing: about cookie
    10:53 PM: Processing: atlas dmt cookie
    10:53 PM: Processing: a cookie
    10:53 PM: Processing: cd freaks cookie
    10:53 PM: Processing: cd freaks cookie
    10:53 PM: Processing: gamespy cookie
    10:53 PM: Processing: pricegrabber cookie
    10:53 PM: Processing: pricegrabber cookie
    10:53 PM: Processing: pricegrabber cookie
    10:53 PM: Processing: findthewebsiteyouneed hijack
    10:53 PM: Processing: findthewebsiteyouneed hijack
    10:53 PM: Processing: dollarrevenue
    10:53 PM: Processing: dollarrevenue
    10:53 PM: Processing: dollarrevenue
    10:53 PM: Processing: winad
    10:53 PM: Processing: winad
    10:53 PM: Processing: winad
    10:53 PM: Processing: winad
    10:53 PM: Processing: winad
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: maxifiles
    10:53 PM: Processing: spyanytime pcspy
    10:53 PM: Processing: spyanytime pcspy
    10:53 PM: Processing: spyanytime pcspy
    10:53 PM: Processing: spyanytime pcspy
    10:53 PM: Processing: ufp 007 spy
    10:53 PM: Processing: ufp 007 spy
    10:53 PM: Deletion from quarantine initiated
    10:53 PM: Removal process completed. Elapsed time 00:01:05
    10:53 PM: A reboot was suggested but declined.
    10:53 PM: Quarantining All Traces: burstnet cookie
    10:53 PM: Quarantining All Traces: commission junction cookie
    10:53 PM: Quarantining All Traces: ru4 cookie
    10:53 PM: Quarantining All Traces: bannerbank cookie
    10:53 PM: Quarantining All Traces: adecn cookie
    10:53 PM: Quarantining All Traces: webtrends cookie
    10:53 PM: Quarantining All Traces: specificclick.com cookie
    10:53 PM: Quarantining All Traces: falkag cookie
    10:53 PM: Quarantining All Traces: techtarget cookie
    10:53 PM: Quarantining All Traces: bizrate cookie
    10:53 PM: Quarantining All Traces: adbureau cookie
    10:53 PM: Quarantining All Traces: monstermarketplace cookie
    10:53 PM: Quarantining All Traces: pcstats.com cookie
    10:53 PM: Quarantining All Traces: rambler cookie
    10:53 PM: Quarantining All Traces: directtrack cookie
    10:53 PM: Quarantining All Traces: tripod cookie
    10:53 PM: Quarantining All Traces: ask cookie
    10:53 PM: Quarantining All Traces: revenue.net cookie
    10:53 PM: Quarantining All Traces: nextag cookie
    10:53 PM: Quarantining All Traces: adjuggler cookie
    10:53 PM: Quarantining All Traces: cardomain cookie
    10:53 PM: Quarantining All Traces: stlyrics cookie
    10:53 PM: Quarantining All Traces: overture cookie
    10:53 PM: Quarantining All Traces: realtracker cookie
    10:53 PM: Quarantining All Traces: starware.com cookie
    10:53 PM: Quarantining All Traces: adlegend cookie
    10:53 PM: Quarantining All Traces: bravenet cookie
    10:53 PM: Quarantining All Traces: tacoda cookie
    10:53 PM: Quarantining All Traces: 2o7.net cookie
    10:53 PM: Quarantining All Traces: addynamix cookie
    10:53 PM: Quarantining All Traces: questionmarket cookie
    10:53 PM: Quarantining All Traces: dealtime cookie
    10:53 PM: Quarantining All Traces: valuead cookie
    10:53 PM: Quarantining All Traces: adknowledge cookie
    10:53 PM: Quarantining All Traces: adserver cookie
    10:53 PM: Quarantining All Traces: about cookie
    10:53 PM: Quarantining All Traces: atlas dmt cookie
    10:53 PM: Quarantining All Traces: a cookie
    10:53 PM: Quarantining All Traces: cd freaks cookie
    10:53 PM: Quarantining All Traces: gamespy cookie
    10:52 PM: Quarantining All Traces: pricegrabber cookie
    10:52 PM: Quarantining All Traces: findthewebsiteyouneed hijack
    10:52 PM: Quarantining All Traces: dollarrevenue
    10:52 PM: Quarantining All Traces: winad
    10:52 PM: Quarantining All Traces: maxifiles
    10:52 PM: Quarantining All Traces: spyanytime pcspy
    10:52 PM: Quarantining All Traces: ufp 007 spy
    10:52 PM: Removal process initiated
    10:44 PM: Traces Found: 132
    10:44 PM: Full Sweep has completed. Elapsed time 00:46:18
    10:44 PM: File Sweep Complete, Elapsed Time: 00:43:37
    10:17 PM: Warning: Failed to open file "g:\pagefile.sys". Access is denied
    10:15 PM: E:\ToolBar888\Activate.exe (ID = 322316)
    10:15 PM: E:\ToolBar888\MyToolBar.dll (ID = 322323)
    10:15 PM: E:\ToolBar888 (3 subtraces) (ID = 2147510985)
    10:07 PM: C:\Program Files\Common Files\{1F621CDC-05BA-1065-0411-020531200001}\Update.exe (ID = 320789)
    10:06 PM: Warning: Failed to open file "c:\documents and settings\saman\application data\mozilla\firefox\profiles\nz16en45.default\parent.lock". The process cannot access the file because it is being used by another process
    10:05 PM: Warning: Failed to open file "c:\documents and settings\saman\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
    10:05 PM: Warning: Failed to open file "c:\documents and settings\saman\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
    10:04 PM: C:\Documents and Settings\Saman\Local Settings\Temp\nse3E.tmp\nsProcess.dll (ID = 301977)
    10:04 PM: C:\Documents and Settings\Saman\Local Settings\Temp\nscD.tmp\nsProcess.dll (ID = 301977)
    10:04 PM: C:\Documents and Settings\Saman\Local Settings\Temp\nsx9.tmp\nsProcess.dll (ID = 301977)
    10:04 PM: Found Adware: dollarrevenue
    10:04 PM: Warning: Failed to open file "c:\documents and settings\saman\ntuser.dat.log". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\saman\ntuser.dat". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\data\settings.dat". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
    10:04 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
    10:04 PM: C:\Documents and Settings\All Users\Application Data\ssdata (3 subtraces) (ID = 2147485748)
    10:01 PM: Warning: Failed to open file "c:\windows\system32\drivers\fidbox2.dat". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\drivers\fidbox2.idx". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\drivers\fidbox.dat". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\drivers\dtscsi.sys". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\drivers\sptd.sys". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\drivers\sptd7581.sys". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\drivers\fidbox.idx". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
    10:01 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
    10:01 PM: C:\WINDOWS\XPbutton.ocx (ID = 76484)
    10:01 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
    10:01 PM: Starting File Sweep
    10:01 PM: Warning: Failed to access drive A:
    10:01 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][1].txt (ID = 2337)
    10:01 PM: Found Spy Cookie: burstnet cookie
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][1].txt (ID = 1958)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][3].txt (ID = 3106)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][1].txt (ID = 2506)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][3].txt (ID = 5014)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][2].txt (ID = 2455)
    10:01 PM: Found Spy Cookie: commission junction cookie
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][4].txt (ID = 2323)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][3].txt (ID = 2062)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][2].txt (ID = 3269)
    10:01 PM: Found Spy Cookie: ru4 cookie
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][3].txt (ID = 3669)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][2].txt (ID = 2323)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][4].txt (ID = 3185)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][1].txt (ID = 2281)
    10:01 PM: Found Spy Cookie: bannerbank cookie
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][1].txt (ID = 2063)
    10:01 PM: Found Spy Cookie: adecn cookie
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][3].txt (ID = 6444)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][2].txt (ID = 3106)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][1].txt (ID = 3442)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][1].txt (ID = 3442)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][3].txt (ID = 2141)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][1].txt (ID = 6444)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][1].txt (ID = 1958)
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][2].txt (ID = 3669)
    10:01 PM: Found Spy Cookie: webtrends cookie
    10:01 PM: c:\documents and settings\saman\cookies\[email protected][2].txt (ID = 2038)
    10:00 PM: c:\documents and settings\saman\cookies\[email protected][2].txt (ID = 3400)
    10:00 PM: Found Spy Cookie: specificclick.com cookie
    10:00 PM: Starting Cookie Sweep
    10:00 PM: Registry Sweep Complete, Elapsed Time:00:00:22
    10:00 PM: HKU\S-1-5-21-1708537768-688789844-854245398-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || Default_Search_URL (ID = 1554015)
    10:00 PM: HKU\S-1-5-21-1708537768-688789844-854245398-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {cbcc61fa-0221-4ccc-b409-cee865caca3a} (ID = 1530952)
    10:00 PM: HKU\S-1-5-21-1708537768-688789844-854245398-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
    10:00 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{cbcc61fa-0221-4ccc-b409-cee865caca3a}\ (ID = 1538596)
    10:00 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {cbcc61fa-0221-4ccc-b409-cee865caca3a} (ID = 1530992)
    10:00 PM: HKLM\software\classes\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\ (ID = 1530980)
    10:00 PM: HKLM\software\classes\clsid\{cbcc61fa-0221-4ccc-b409-cee865caca3a}\ (ID = 1530968)
    10:00 PM: HKCR\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\ (ID = 1530936)
    10:00 PM: HKCR\clsid\{cbcc61fa-0221-4ccc-b409-cee865caca3a}\ (ID = 1530906)
    10:00 PM: HKLM\software\microsoft\windows\currentversion\uninstall\toolbar888\ (ID = 1498367)
    10:00 PM: HKLM\software\classes\mytoolbar.mytoolbarobj.1\ (ID = 1498211)
    10:00 PM: HKLM\software\classes\mytoolbar.mytoolbarobj\ (ID = 1498205)
    10:00 PM: HKCR\mytoolbar.mytoolbarobj.1\ (ID = 1497803)
    10:00 PM: HKCR\mytoolbar.mytoolbarobj\ (ID = 1497797)
    10:00 PM: HKLM\software\classes\appid\activex.dll\ || appid (ID = 1049594)
    10:00 PM: HKLM\software\classes\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (ID = 1049593)
    10:00 PM: HKCR\appid\activex.dll\ || appid (ID = 1049592)
    10:00 PM: HKLM\software\classes\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (ID = 1023399)
    10:00 PM: HKCR\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (ID = 1023387)
    10:00 PM: HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (ID = 1023385)
    10:00 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
    10:00 PM: Found Adware: winad
    10:00 PM: HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
    10:00 PM: Found Adware: findthewebsiteyouneed hijack
    10:00 PM: HKCR\typelib\{56acc949-e6ee-4bf7-af56-0a44fede4b42}\ (ID = 142089)
    10:00 PM: HKCR\clsid\{f3c047af-74b1-4c61-9756-92f8d9f11a56}\ (ID = 142086)
    10:00 PM: HKCR\jasonbutton.xpbutton\ (ID = 142085)
    10:00 PM: Found System Monitor: spyanytime pcspy
    10:00 PM: Starting Registry Sweep
    10:00 PM: HKLM\software\sysmnt\ (ID = 101813)
    10:00 PM: Found System Monitor: ufp 007 spy
    10:00 PM: Memory Sweep Complete, Elapsed Time: 00:01:51
    9:58 PM: Detected running threat: E:\ToolBar888\MyToolBar.dll (ID = 322323)
    9:58 PM: Starting Memory Sweep
    9:58 PM: E:\ToolBar888\MyToolBar.dll (ID = 1537866)
    9:58 PM: HKCR\clsid\{cbcc61fa-0221-4ccc-b409-cee865caca3a}\inprocserver32\ (ID = 1537866)
    9:58 PM: Found Adware: maxifiles
    9:58 PM: Sweep initiated using definitions version 724
    9:58 PM: Spy Sweeper 5.0.5.1286 started
    9:58 PM: | Start of Session, Monday, July 24, 2006 |
    ********
    9:58 PM: | End of Session, Monday, July 24, 2006 |
    9:55 PM: Your spyware definitions have been updated.
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    9:36 PM: Shield States
    9:36 PM: Spyware Definitions: 691
    9:36 PM: Spy Sweeper 5.0.5.1286 started
    9:36 PM: Spy Sweeper 5.0.5.1286 started
    9:36 PM: | Start of Session, Monday, July 24, 2006 |
    ********
     
  6. PersianGuy

    PersianGuy Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    15
    // And this is the new HJT logfile's contents:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:04:41 PM, on 7/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    D:\FIREFOX\FIREFOX.EXE
    D:\GetRight\getright.exe
    D:\GetRight\getright.exe
    C:\WINDOWS\explorer.exe
    E:\ipwins\ipwins.exe
    c:\Spy Sweeper\SpySweeper.exe
    C:\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Narcis Soft\NAW\NAW.exe
    C:\WINDOWS\System32\taskmgr.exe
    c:\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    D:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.bazicenter.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://forums.bazicenter.com/"); (C:\Documents and Settings\Saman\Application Data\Mozilla\Profiles\default\yjwfbh4x.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Saman\Application Data\Mozilla\Profiles\default\yjwfbh4x.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2EBD36F4-F281-48F5-A424-05683815C197} - C:\WINDOWS\System32\efccc.dll (file missing)
    O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [implib] "rundll32.exe" C:\WINDOWS\System32\implib.dll,start
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe"
    O4 - HKLM\..\Run: [kav] "C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [IpWins] E:\ipwins\ipwins.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\ypager.exe" -quiet
    O4 - HKCU\..\Run: [TClock.exe] E:\TClock\tclock_install.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: Flash Grabber - C:\Program Files\Flash Grabber\CatchURL.htm
    O8 - Extra context menu item: Show all images in original quality - E:\www.cproxy.com\originalAll.htm
    O8 - Extra context menu item: Show image in original quality - E:\www.cproxy.com\original.htm
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Flash Grabber - {EA4492CA-ADA0-11D5-92AE-00B0D03F0921} - C:\Program Files\Flash Grabber\CatchURL.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {15A8CB61-8CAF-11DA-A418-00E098C39BC7} (RSIDownload.RSI_Download) - http://rs.cetizen.com/RealSize/Application/RSIDownload.CAB
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NT Net Driver (NtNav) (NtNav) - Unknown owner - C:\WINDOWS\system32\netnav.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Spy Sweeper\SpySweeper.exe
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {2EBD36F4-F281-48F5-A424-05683815C197} - C:\WINDOWS\System32\efccc.dll (file missing)
    O4 - HKLM\..\Run: [implib] "rundll32.exe" C:\WINDOWS\System32\implib.dll,start
    O4 - HKLM\..\Run: [IpWins] E:\ipwins\ipwins.exe
    O4 - HKCU\..\Run: [TClock.exe] E:\TClock\tclock_install.exe

    Close all applications and browser windows before you click "fix checked".

    Restart in Safe Mode.
    Click here to see how.


    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders". Click "Apply" then "OK".

    Delete these folders:
    E:\TClock
    E:\ipwins

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files".

    Put a check by "Delete Offline Content" and click OK.


    Empty your recycle bin.

    Reboot to normal mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
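    The checklist above is built by reading the HJT log line by line. As an added example that is not part of this thread or of HijackThis itself, the script below does the mechanical part of that triage in Python over a constructed subset of the log lines posted earlier: it surfaces entries whose target file is gone ("(file missing)"), bare file names resolved through the search path, and autostarts or browser extensions loading from outside the Windows and Program Files trees (that allowlist is an assumption of the example).

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not part of the thread).

It does not decide what is malicious; it reduces a long log to the handful of entries a
human should look at first: orphaned registrations, unqualified file names, and code
loading from outside the usual install roots.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the HijackThis lines posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EBD36F4-F281-48F5-A424-05683815C197} - C:\WINDOWS\System32\efccc.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - E:\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [implib] "rundll32.exe" C:\WINDOWS\System32\implib.dll,start
O4 - HKLM\..\Run: [kav] "C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [IpWins] E:\ipwins\ipwins.exe
O4 - HKCU\..\Run: [TClock.exe] E:\TClock\tclock_install.exe
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: NT Net Driver (NtNav) (NtNav) - Unknown owner - C:\WINDOWS\system32\netnav.exe (file missing)
"""

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.+)$")
FILE_MISSING = " (file missing)"
# Constructed allowlist of install roots (assumption of this example); anything loading
# from elsewhere is surfaced for a human to clear, not declared malicious.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Entry types that load code at logon or browser start and therefore carry a file path.
CODE_TYPES = {"O2", "O3", "O4", "O20", "O23"}


@dataclass(frozen=True)
class Finding:
    code: str
    path: str
    reason: str
    line: str


def extract_path(code: str, rest: str) -> str:
    """Return the file the entry loads, or '' when the line carries no usable path."""
    if code == "O4":
        m = re.search(r"\] (.+)$", rest)  # O4 - HKLM\..\Run: [name] <command line>
        if not m:
            return ""
        cmd = m.group(1).strip()
        if cmd.startswith('"'):
            launcher, _, tail = cmd[1:].partition('"')
        else:
            launcher, _, tail = cmd.partition(" ")
        if launcher.lower().endswith("rundll32.exe"):
            # rundll32 is only a host process; the DLL it is told to load is the payload
            return tail.strip().strip('"').split(",", 1)[0]
        return launcher
    # O2/O3/O20/O23: the path is the final " - " separated field
    return rest.rsplit(" - ", 1)[-1].strip()


def triage(log_text: str) -> List[Finding]:
    """Scan an HJT log and return the entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m or m.group("code") not in CODE_TYPES:
            continue
        code, rest = m.group("code"), m.group("rest")
        missing = rest.endswith(FILE_MISSING)
        if missing:
            rest = rest[: -len(FILE_MISSING)]
        path = extract_path(code, rest)
        if not path:
            continue
        low = path.lower()
        if missing:
            reason = "orphaned: registration points at a file that is not on disk"
        elif "\\" not in low:
            reason = "unqualified: bare file name resolved through the search path"
        elif not low.startswith(TRUSTED_ROOTS):
            top = "\\".join(path.split("\\")[:2])
            reason = "outside trusted roots: loads from " + top
        else:
            continue  # fully qualified and under an expected root: nothing to raise
        findings.append(Finding(code, path, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

    Note that implib.dll passes both path rules because it sits in System32; location alone does not clear an entry, which is why the helper also asked for that one to be fixed. The Kaspersky entry is surfaced only because it was installed outside Program Files, a reminder that every hit here is a review item rather than a verdict.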
     
  8. PersianGuy

    PersianGuy Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    15
    Hi,

    I did all steps.

    1. VundoFix didn't find any infected file:

    VundoFix V5.1.5

    Checking Java version...

    Sun Java not detected
    Scan started at 3:05:27 AM 7/25/2006

    Listing files found while scanning....

    No infected files were found.

    ---------

    2. A new unwanted file named "moot32" has also been created since this morning:

    ---------

    3. A new unwanted toolbar (ToolBar888) is created in IE, and you can find it in the new HJT logfile contents:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:08:23 AM, on 7/25/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
    C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\{1F621CDC-05BA-1065-0411-020531200001}\Update.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Yahoo!\ypager.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Narcis Soft\NAW\NAW.exe
    D:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.bazicenter.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://forums.bazicenter.com/"); (C:\Documents and Settings\Saman\Application Data\Mozilla\Profiles\default\yjwfbh4x.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Saman\Application Data\Mozilla\Profiles\default\yjwfbh4x.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - E:\ToolBar888\MyToolBar.dll
    O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - E:\ToolBar888\MyToolBar.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe"
    O4 - HKLM\..\Run: [kav] "C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\ypager.exe" -quiet
    O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: Flash Grabber - C:\Program Files\Flash Grabber\CatchURL.htm
    O8 - Extra context menu item: Show all images in original quality - E:\www.cproxy.com\originalAll.htm
    O8 - Extra context menu item: Show image in original quality - E:\www.cproxy.com\original.htm
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Flash Grabber - {EA4492CA-ADA0-11D5-92AE-00B0D03F0921} - C:\Program Files\Flash Grabber\CatchURL.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {15A8CB61-8CAF-11DA-A418-00E098C39BC7} (RSIDownload.RSI_Download) - http://rs.cetizen.com/RealSize/Application/RSIDownload.CAB
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NT Net Driver (NtNav) (NtNav) - Unknown owner - C:\WINDOWS\system32\netnav.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Spy Sweeper\SpySweeper.exe
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    What folder is this in?

    The exact path is what I'm looking for: c:\ ???
     
  10. PersianGuy

    PersianGuy Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    15
    Hi,

    C:\Documents and Settings\Saman


    But I have good news !

    Those files that are shown in the above picture have not been created since this morning. Even when my antivirus is disabled, they don't get created (y)

    It seems that my problem has been solved.
    Am I right or wrong?
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Go to this site: http://virusscan.jotti.org/
    Submit this file C:\WINDOWS\system32\netnav.exe

    You can just copy and paste it into the submission box.
     
  12. PersianGuy

    PersianGuy Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    15
    I don't have "netnav.exe" in the "C:\WINDOWS\system32\" folder!
    Even when hidden files and protected operating system files are shown.
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    OK, post your log again and let's see if it's gone.
     
  14. PersianGuy

    PersianGuy Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    15
    Logfile of HijackThis v1.99.1
    Scan saved at 12:18:11 AM, on 7/26/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\{1F621CDC-05BA-1065-0411-020531200001}\Update.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Narcis Soft\NAW\NAW.exe
    C:\Program Files\Yahoo!\ypager.exe
    D:\Firefox\firefox.exe
    C:\WINDOWS\system32\mspaint.exe
    D:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.bazicenter.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://forums.bazicenter.com/"); (C:\Documents and Settings\Saman\Application Data\Mozilla\Profiles\default\yjwfbh4x.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Saman\Application Data\Mozilla\Profiles\default\yjwfbh4x.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - E:\ToolBar888\MyToolBar.dll (file missing)
    O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - E:\ToolBar888\MyToolBar.dll (file missing)
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe"
    O4 - HKLM\..\Run: [kav] "C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\ypager.exe" -quiet
    O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: Flash Grabber - C:\Program Files\Flash Grabber\CatchURL.htm
    O8 - Extra context menu item: Show all images in original quality - E:\www.cproxy.com\originalAll.htm
    O8 - Extra context menu item: Show image in original quality - E:\www.cproxy.com\original.htm
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Flash Grabber - {EA4492CA-ADA0-11D5-92AE-00B0D03F0921} - C:\Program Files\Flash Grabber\CatchURL.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {15A8CB61-8CAF-11DA-A418-00E098C39BC7} (RSIDownload.RSI_Download) - http://rs.cetizen.com/RealSize/Application/RSIDownload.CAB
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1ED022B2-5DB5-4295-B607-B973A407D57E}: NameServer = 81.91.129.67 213.207.240.2
    O17 - HKLM\System\CS7\Services\Tcpip\..\{1ED022B2-5DB5-4295-B607-B973A407D57E}: NameServer = 81.91.129.67 213.207.240.2
    O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NT Net Driver (NtNav) (NtNav) - Unknown owner - C:\WINDOWS\system32\netnav.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Spy Sweeper\SpySweeper.exe
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - E:\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - E:\ToolBar888\MyToolBar.dll (file missing)
    O23 - Service: NT Net Driver (NtNav) (NtNav) - Unknown owner - C:\WINDOWS\system32\netnav.exe

    Close all applications and browser windows before you click "fix checked".



    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log
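The reply above picks three HijackThis entries to fix by hand: two registrations (O2 BHO, O3 toolbar) whose DLL no longer exists, and an O23 service with no publisher whose binary is also missing. As an added example that is not part of this thread and not a tool either poster used, the Python below parses the HJT line format (`Oxx - field - field - path [(file missing)]`) and applies those same triage rules to an extract of the log posted above (copied as constructed sample input; the `Entry`/`Finding` names and the severity levels are this example's own assumptions, not HJT's). Every flag is a review item for a human, not a verdict: the O9 Yahoo! Messenger leftover and the ISP's public DNS servers are listed so they can be confirmed, exactly as the moderator left them alone.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    section: str        # HJT section, e.g. "O2", "O23"
    fields: List[str]   # HJT separates fields with " - "; the last one is usually a path
    raw: str


@dataclass
class Finding:
    severity: str       # "high", "medium" or "low" (this example's own scale)
    reason: str
    entry: Entry


# Constructed sample input: an extract of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - E:\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - E:\ToolBar888\MyToolBar.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ED022B2-5DB5-4295-B607-B973A407D57E}: NameServer = 81.91.129.67 213.207.240.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: NT Net Driver (NtNav) (NtNav) - Unknown owner - C:\WINDOWS\system32\netnav.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
FILE_MISSING = "(file missing)"


def parse_hjt(text: str) -> List[Entry]:
    """Turn each 'Oxx - ...' line of a HijackThis log into an Entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2).split(" - "), line))
    return entries


def nameservers(entries: List[Entry]) -> List[str]:
    """DNS servers HJT reports in O17 (TCP/IP NameServer) lines, in order, deduplicated."""
    ips: List[str] = []
    for e in entries:
        if e.section == "O17" and "NameServer" in e.raw:
            ips.extend(ip for ip in IP_RE.findall(e.raw) if ip not in ips)
    return ips


def triage(text: str) -> List[Finding]:
    """Apply the review heuristics used in the thread: missing binaries, unknown publishers, DNS."""
    findings: List[Finding] = []
    for e in parse_hjt(text):
        missing = e.fields[-1].endswith(FILE_MISSING)
        if e.section == "O23":
            # A service is the strongest persistence item in this log; no publisher plus
            # no binary on disk is how the dropped 'netnav.exe' service shows up.
            if "Unknown owner" in e.fields and missing:
                findings.append(Finding("high", "service with no publisher and a missing binary", e))
            elif "Unknown owner" in e.fields:
                findings.append(Finding("medium", "service with no publisher; verify the binary", e))
            elif missing:
                findings.append(Finding("medium", "service binary missing", e))
        elif e.section in ("O2", "O3") and missing:
            findings.append(Finding("medium", "BHO/toolbar registered for a DLL that no longer exists", e))
        elif missing:
            findings.append(Finding("low", "orphaned entry (file missing)", e))
        elif e.section == "O17":
            # Public resolvers are normal for an ISP; they are listed so the owner can confirm them.
            for ip in IP_RE.findall(e.raw):
                if not ipaddress.ip_address(ip).is_private:
                    findings.append(Finding("low", f"public DNS server {ip}; confirm it is the ISP's", e))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.entry.raw}")
```

Running it against the extract prints one high finding (the NtNav service), two medium ones (the ToolBar888 BHO and toolbar), and three low ones (the Yahoo! Messenger button and the two DNS servers), which is the same split the moderator made by eye. Feed it a full log by replacing `SAMPLE_LOG` with the file contents; the parser ignores the header and any line that is not an `Oxx - ` entry.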
     
Short URL to this thread: https://techguy.org/485470