First Copy and paste the following into NotePad (Not Wordpad)
sc stop cmdService sc del cmdService
Click
File ->>
Save as ->>type in
cmd.bat
Under "Save as type" Select " all files" ->>Save it to your Desktop Close Notepad The cmd.bat file should now appear on your Desktop Double Click that file (It will appear that nothing has happened, but that's o.k.)
Next
1. Download this file - combofix.exe 2. Double click combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
When complete Reboot your PC->> Rerun Hijackthis and post a fresh Hijackthis log
Note: if you have to post the requested results in more than one reply, please do so.
Logfile of HijackThis v1.99.1
Scan saved at 1:16:46 AM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"
First Lets move Hijackthis to it's own folder, instead of a desktop folder
Download a self extracting version of hijackthis
HERE
Double click on hijackthis.exe to extract hijackthis to folder c:\hijackthis.It will extract it to that folder and open the folder for you. It will also create a shortcut on your desktop to HijackThis.
Next Your Combofix log showed some programs we need to get rid of as we continue
Next Re Run Hijackthis
At the Main window select " Open the misc tool section" Then select " Open uninstall manager" Then " save list" and save it to your desktop
Copy and paste that list as a reply to this thread
Just post the
uninstall_list from Hiajckthis on this reply
802.11 Wireless LAN
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0
Adobe Photoshop Elements 2.0
Adobe Reader 7.0.5
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AIM+ (remove only)
AOL Instant Messenger
ArcSoft ShowBiz DVD 2
ATI Multimedia Center 8.6.0.0
BestOn Software
Conexant SmartHSFi V.9x 56K DF PCI Modem
Dell Digital Jukebox Driver
Dell Support
Digital Line Detect
DVDSentry
EPSON Scan
exPressit S.E. 2.1
HijackThis 1.99.1
hkSFV (remove only)
HP DVD Writer
hp photosmart printer series (Remove only)
Icons
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
Internet Explorer Q903235
Internet Explorer Toolbar - Intelligent Explorer
iPod for Windows
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
LimeWire 4.9.33
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia FreeHand 10
McAfee SecurityCenter
McAfee VirusScan
MediaGateway
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Office 2000 SR-1 Professional
Microsoft Publisher 97
Microsoft Windows Media Video 9 VCM
Microsoft Word 2000 SR-1
mIRC
Modem Helper
Musicmatch® Jukebox
muvee autoProducer 3.5_LE10 - HPC
NetWaiting
Patch Management Using Software Update Services 1.0 SP1
PC CameraQ
Pinnacle Hollywood FX 4.6
PowerDVD
QuickTime
Registry Mechanic 5.0
RTC Client API v1.2
ScanWizard 5
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
SightSpeed (remove only)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.3
Spyware Doctor 4.0
Studio 8
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Windows Blaster Worm Removal Tool (KB833330)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WordPerfect Office 11
It is going to take a couple of runs at this to completetly remove the infection, so please be patient. I want to make sure we get it all. We have to get rid of the programs that are loading the infection.
First go to Add/Remove programs (Click Start->>Control Panel->>Add/Remove Programs)
And uninstall the following programs
MediaGateway Windows Overlay Components
And this program is an optional, but is very likely part of the reason your PC became infected. If you decide to keep it, which I don't recommend, at the very least turn it off until your PC is clean
Logfile of HijackThis v1.99.1
Scan saved at 4:28:54 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
You need to print out these insrtuctions for reference
First delete the first batch file we created we are going to need a new one. Just Rt click it on your Desktop and delete it.
Next Open NotePad (Not Wordpad)
Copy and paste the following into Notepad (Making sure there is no space between the first line and the top of the window)
Once it's copied and pasted,your cursor will be at the end the of the last line. Hit Enter so your cursor is under the last line. Hit Enter again to create a blank space under the last line Click File->> Save as->>type in fix.reg Under " Save as type" Select " All Files" and Save it to your Desktop Close Notepad The fix.reg file should now appear on your Desktop Rt Click->> Select Merge
Next Open Notepad again
Copy and paste the following into Notepad
Click File ->>Save as ->>type in
woc.bat Under "
Save as type" Select "
all files" ->>Save it to your Desktop
Close Notepad
The
woc.bat file should now appear on your Desktop
Double Click that file (It will appear that nothing has happened, but that's o.k.)
Next Re run Hijackthis and place checks beside the following entries
the folder IME wouldnt delte because something was using it but heres my hijackthis log:
Logfile of HijackThis v1.99.1 Scan saved at 12:23:00 AM, on 9/10/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
"the folder IME wouldnt delte because something was using it but heres my hijackthis log:"
You may want to print out these instructions for reference
First Go
here and Download
Ewido Antimalware 4.0 (
30 day free trial version) Save it to Your Desktop
Double Click
Ewido-setup (It will create its own folder)
Once the program starts You will be at the
Status menu
Under "Your computers Security" Click change status on Resident shield to inactive Click Update now (next to last update) After the update loads Under Automatic updates Uncheck download and install updates automatically(recommended) (you can always select maual updates the next day)
At the top toolbar Click
Scanner Then the
settings tab
Under How to act? Set default action for detected malwareTo Quarantine Under how to scan All boxes should be checked Under Possibly unwanted software All boxes should be checked Under reports Select Automatically generate report after every scan Uncheck Only if threats were found Under what to scan Scan every file should be highlited
Exit Ewido (
Do not run it yet)
Next Download
CCleaner from
here to clean temp files from your computer.
Double click on the file to start the installation of the program. Select your language and click OK, then next. Read the license agreement and click I Agree. Click next to use the default install location. Click Install then finish to complete installation
Double click the
CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit). If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla. Click on the "Options" icon at the left side of the window, then click on "Advanced." deselect "Only delete files in Windows Temp folders older than 48 hours." Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program
Caution: It is
not recommended that you use the "
Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit
Reboot your PC into
Safe Mode This can be done by
Restart your PC, and after it starts, but before you see the Windows Splash screen Begin tapping the F8 key twice a second untill you reach another menu screen (black background with white menu choices) Use your arrow keys and select Safe Mode and then Enter
4. Run Ewido
Click scanner Select Complete system scan
Once the scan finishes
Select Apply all actions (The items found will be quarantined) Click save report as (Another window will open) Save it to your desktop (By default It will be saved in the Ewido folder as) C:\Program Files\ewido anti-spyware 4.0\Reports
Exit Ewido
While sill in Safe mode Using Windows Explorer
locate and delete this
folder
C:\WINDOWS\ime
Reboot your PC in
Normal Mode
Double click the report-scan txt. you saved to your desktop It will open in Notepad Copy and paste that report as a reply to this thread
Do not run any other options untill instructed to do so
Your reply should include
your report_scan.txt log rom Ewido a fresh Hijackthis log
bamajim
10.4K Posts
0
August 31st, 2006 15:00
gilli86
I am currently looking at your log and will have a reply soon
thanks bamajim Training at Malware Removal University
bamajim
10.4K Posts
0
September 1st, 2006 13:00
First Copy and paste the following into NotePad (Not Wordpad)
- sc stop cmdService
Click File ->> Save as ->>type in cmd.batsc del cmdService
- Under "Save as type" Select " all files" ->>Save it to your Desktop
NextClose Notepad
The cmd.bat file should now appear on your Desktop
Double Click that file (It will appear that nothing has happened, but that's o.k.)
- 1. Download this file - combofix.exe
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
When complete Reboot your PC->> Rerun Hijackthis and post a fresh Hijackthis log
Note: if you have to post the requested results in more than one reply, please do so.
your reply should include
A fresh Hijackthis log
thanks bamajim Training at Malware Removal University
gilli86
12 Posts
0
September 1st, 2006 14:00
i made the file cmd.bat and when i double clicked it the first command sc stop cmdService came back with the error-
[SC] ControlService FAILED 1062:
The service has not been started.
so the second cammand sc del cmdService came back
*** Unrecognized Command***
bamajim
10.4K Posts
0
September 1st, 2006 17:00
gilli86
Sometimes infections keep those from running properly
Proceed on with the Combofix please and post the results
bamajim Training at Malware Removal University
gilli86
12 Posts
0
September 3rd, 2006 04:00
Scan saved at 1:16:46 AM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Gildo86\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [nyqchmhA] C:\WINDOWS\nyqchmhA.exe
O4 - HKLM\..\Run: [{9F-F7-7F-F4-ZN}] c:\windows\system32\dwdsregt.exe GID002
O4 - HKLM\..\Run: [FQQERQ] "C:\WINDOWS\system32\kcnzrop6.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [mkzz] C:\PROGRA~1\COMMON~1\mkzz\mkzzm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nyqchmh.exe (file missing)
gilli86
12 Posts
0
September 3rd, 2006 04:00
"path"="C:\\Documents and Settings\\Gildo86\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\lwinqpex.exe GID002"
"item"="Think-Adz"
"path"="C:\\Documents and Settings\\Gildo86\\Start Menu\\Programs\\Startup\\Webshots.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Webshots.lnk.disabledStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Gildo86\\Start Menu\\Programs\\Startup\\Webshots.lnk.disabled"
"item"="Webshots.lnk"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AIM+"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\AIM+\\AIM+.exe\" -cnetwait.odl"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashmaisv"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashmaisv.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDBitSet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSentry"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\DSentry.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDTray.exe\""
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="messplus"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Messenger Plus\\messplus.exe\" -silent"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pop06ap2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\pop06ap2.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SYSC00"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SYSC00.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="susp"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\susp.exe"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"HPHmon03"="C:\\WINDOWS\\System32\\hphmon03.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"BitDefender Antivirus"="BITDEFENDERX.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
C:\WINDOWS\tasks\.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (JGILL-Gildo86).job
Completion time: Sun 09/03/2006 1:13:28.00
ComboFix.txt
gilli86
12 Posts
0
September 3rd, 2006 04:00
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Gildo86\Desktop
REGISTRY ENTRIES REMOVED:
@=""
@=""
@=""
@="blank"
"ThreadingModel"="Apartment"
@=""
@=""
@=""
@="C:\\WINDOWS\\system32\\wnaservc.dll"
"ThreadingModel"="Apartment"
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Granting sedebugprivilege to Administrators ... successful
((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))
* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
C:\Documents and Settings\Gildo86\Application Data\Sskknwrd.dll
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname.dat
C:\drsmartload45a2002.exe
C:\drsmartload46a2002.exe
C:\drsmartload849a2002.exe
C:\nwnmff_13.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\tsuninst.exe
C:\deskbar.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Cas2Stub
C:\Program Files\Cowabanga
C:\Program Files\Deskbar
C:\WINDOWS\R2lsZG8
C:\Program Files\PSLister
((((((((((((((((((((((((((((((( Files Created from 2006-08-03 to 2006-09-03 ))))))))))))))))))))))))))))))))))
2006-08-28 16:34 235,914 -r--s---- C:\WINDOWS\SYSTEM32\wnaservc.dll
2006-08-25 14:28 208,896 --a------ C:\WINDOWS\SYSTEM32\otpddpea5.dll
2006-08-25 14:28 0 --a------ C:\WINDOWS\system32ha3f.exe
2006-08-25 14:26 24,576 --a------ C:\WINDOWS\SYSTEM32\ha3f.exe
2006-08-24 00:00 7,473 --a------ C:\WINDOWS\SYSTEM32\cawpemgl.exe
2006-08-22 01:42 290,816 --a------ C:\installerwnusnewer.exe
2006-08-22 01:41 36,237 --a------ C:\WINDOWS\RDFX4.exe
2006-08-17 16:30 186,223 --a------ C:\WINDOWS\srvznpyknd.exe
2006-08-17 12:46 930 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-08-16 17:04 186,223 --a------ C:\WINDOWS\srvuamvkzn.exe
2006-08-16 16:59 7,477 --a------ C:\WINDOWS\SYSTEM32\hnonpwya.exe
2006-08-15 21:22 1,167 --a------ C:\WINDOWS\SYSTEM32\gqu11351.sys
2006-08-15 21:21 2 --a------ C:\WINDOWS\SYSTEM32\wnsintsu.exe
2006-08-15 21:20 32,768 --a------ C:\WINDOWS\unstall.exe
2006-08-09 15:15 7,458 --a------ C:\WINDOWS\SYSTEM32\wjaxkudr.exe
2006-08-07 11:17 61,440 --a------ C:\WINDOWS\SYSTEM32\BattyRun2.dll
2006-08-06 14:22 8 --a------ C:\WINDOWS\SYSTEM32\smaexp32.dll
2006-08-06 14:21 7,464 --a------ C:\WINDOWS\system32fab.exe
2006-08-06 14:21 7,464 --a------ C:\WINDOWS\SYSTEM32\winblsrv.dll
2006-08-31 13:32 -------- d-------- C:\Documents and Settings\Gildo86\Application Data\AdobeUM
2006-08-30 23:29 -------- d-------- C:\Program Files\AIM
2006-08-29 21:50 -------- d---s---- C:\Documents and Settings\Gildo86\Application Data\Microsoft
2006-08-28 12:39 -------- d-------- C:\Program Files\SEARCHESSISTANT Toolbar
2006-08-28 12:39 -------- d-------- C:\Program Files\CMFibula
2006-08-28 00:30 -------- d-------- C:\Program Files\NetMeeting
2006-08-26 17:44 -------- d-------- C:\Program Files\Spyware Doctor
2006-08-26 17:00 -------- d-------- C:\Documents and Settings\Gildo86\Application Data\PC Tools
2006-08-26 13:58 -------- d-------- C:\Program Files\Common Files
2006-08-25 01:48 -------- d-------- C:\Program Files\Batty2
2006-08-17 16:35 -------- d-------- C:\Program Files\microsoft frontpage
2006-08-17 16:30 -------- d-a------ C:\Program Files\MSN
2006-08-15 21:20 -------- d-------- C:\Program Files\mIRC
2006-08-13 03:02 -------- d-------- C:\Program Files\Internet Explorer
2006-07-31 12:09 24576 --a------ C:\WINDOWS\SYSTEM32\ewxcksr.exe
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-10 16:38 51072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikhlayer.sys
2006-07-10 16:38 30592 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikhfile.sys
2006-06-19 14:38 53248 --a------ C:\WINDOWS\uni_ehhhh.exe
2006-06-18 17:56 8704 --a------ C:\WINDOWS\SYSTEM32\my_update.exe
2006-06-12 00:42 4 --a------ C:\WINDOWS\SYSTEM32\thlwin32.dll
*Note* empty entries are not shown
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"nyqchmhA"="C:\\WINDOWS\\nyqchmhA.exe"
"{9F-F7-7F-F4-ZN}"="c:\\windows\\system32\\dwdsregt.exe GID002"
"FQQERQ"="\"C:\\WINDOWS\\system32\\kcnzrop6.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"Installed"="1"
"NoChange"="1"
"Installed"="1"
"Installed"="1"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""
"mkzz"="C:\\PROGRA~1\\COMMON~1\\mkzz\\mkzzm.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AIM"="\"C:\\Program Files\\AIM+\\AIM+.exe\" -cnetwait.odl"
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
@=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"Sonic RecordNow!"=""
"Weather"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.EXE 1"
"AIM"="\"C:\\Program Files\\AIM+\\AIM+.exe\" -cnetwait.odl"
"NoDriveTypeAutoRun"=dword:00000091
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
"Source"="C:\\Program Files\\NetMeeting\\kybe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
"Source"="C:\\Program Files\\MSN\\hoxyma.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"NoDriveTypeAutoRun"=dword:00000091
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"NoDriveTypeAutoRun"=dword:00000091
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk.disabled"
"item"="Adobe Reader Speed Launch.lnk"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk.disabled"
"item"="Microsoft Office.lnk"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microtek Scanner Finder.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Microtek Scanner Finder.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microtek Scanner Finder.lnk.disabled"
"item"="Microtek Scanner Finder.lnk"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"
"path"="C:\\Documents and Settings\\Gildo86\\Start Menu\\Programs\\Startup\\Configuration & Monitor Utility.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Configuration & Monitor Utility.lnk.disabledStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Gildo86\\Start Menu\\Programs\\Startup\\Configuration & Monitor Utility.lnk.disabled"
"item"="Configuration & Monitor Utility.lnk"
bamajim
10.4K Posts
0
September 3rd, 2006 23:00
First Lets move Hijackthis to it's own folder, instead of a desktop folder
Download a self extracting version of hijackthis HERE
- Double click on hijackthis.exe to extract hijackthis to folder c:\hijackthis.It will extract it to that folder and open the folder for you. It will also create a shortcut on your desktop to HijackThis.
Next Your Combofix log showed some programs we need to get rid of as we continueNext Re Run Hijackthis
Then select " Open uninstall manager"
Then " save list" and save it to your desktop
Copy and paste that list as a reply to this thread
Just post the uninstall_list from Hiajckthis on this reply
thanks bamajim Graduate of Malware Removal University
gilli86
12 Posts
0
September 4th, 2006 03:00
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0
Adobe Photoshop Elements 2.0
Adobe Reader 7.0.5
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AIM+ (remove only)
AOL Instant Messenger
ArcSoft ShowBiz DVD 2
ATI Multimedia Center 8.6.0.0
BestOn Software
Conexant SmartHSFi V.9x 56K DF PCI Modem
Dell Digital Jukebox Driver
Dell Support
Digital Line Detect
DVDSentry
EPSON Scan
exPressit S.E. 2.1
HijackThis 1.99.1
hkSFV (remove only)
HP DVD Writer
hp photosmart printer series (Remove only)
Icons
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
Internet Explorer Q903235
Internet Explorer Toolbar - Intelligent Explorer
iPod for Windows
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
LimeWire 4.9.33
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia FreeHand 10
McAfee SecurityCenter
McAfee VirusScan
MediaGateway
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Office 2000 SR-1 Professional
Microsoft Publisher 97
Microsoft Windows Media Video 9 VCM
Microsoft Word 2000 SR-1
mIRC
Modem Helper
Musicmatch® Jukebox
muvee autoProducer 3.5_LE10 - HPC
NetWaiting
Patch Management Using Software Update Services 1.0 SP1
PC CameraQ
Pinnacle Hollywood FX 4.6
PowerDVD
QuickTime
Registry Mechanic 5.0
RTC Client API v1.2
ScanWizard 5
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
SightSpeed (remove only)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.3
Spyware Doctor 4.0
Studio 8
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Windows Blaster Worm Removal Tool (KB833330)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WordPerfect Office 11
bamajim
10.4K Posts
0
September 4th, 2006 11:00
First go to Add/Remove programs (Click Start->>Control Panel->>Add/Remove Programs)
And uninstall the following programs
Windows Overlay Components
And this program is an optional, but is very likely part of the reason your PC became infected.
If you decide to keep it, which I don't recommend, at the very least turn it off until your PC is clean
After completed->>Reboot your PC->>Re Run Hijackthis and post a fresh Hijackthis log
thanks bamajim Graduate of Malware Removal University
gilli86
12 Posts
0
September 6th, 2006 19:00
Scan saved at 4:28:54 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AIM\aim.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [nyqchmhA] C:\WINDOWS\nyqchmhA.exe
O4 - HKLM\..\Run: [{9F-F7-7F-F4-ZN}] c:\windows\system32\dwdsregt.exe GID002
O4 - HKLM\..\Run: [FQQERQ] "C:\WINDOWS\system32\kcnzrop6.exe"
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [mkzz] C:\PROGRA~1\COMMON~1\mkzz\mkzzm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nyqchmh.exe (file missing)
bamajim
10.4K Posts
0
September 8th, 2006 00:00
gillie86
You need to print out these insrtuctions for reference
First delete the first batch file we created we are going to need a new one. Just Rt click it on your Desktop and delete it.
Next Open NotePad (Not Wordpad)
Copy and paste the following into Notepad (Making sure there is no space between the first line and the top of the window)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nyqchmhA"=-
"{9F-F7-7F-F4-ZN}"=-
"FQQERQ"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSLister"=-
"mkzz"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"@"=-
"Weather"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared
Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Gildo86^Start
Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Messenger
Plus]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06ap]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Transponder]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\webHancer
Agent]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\webHancer
Survey Companion]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"ViewMgr"=-
"IMEKRMIG6.1"=-
- Once it's copied and pasted,your cursor will be at the end the of the last line.
Next Open Notepad againHit Enter so your cursor is under the last line.
Hit Enter again to create a blank space under the last line
Click File->> Save as->>type in fix.reg
Under " Save as type" Select " All Files" and Save it to your Desktop
Close Notepad
The fix.reg file should now appear on your Desktop
Rt Click->> Select Merge
Copy and paste the following into Notepad
- sc stop "Windows Overlay Components"
Click File ->>Save as ->>type in woc.batsc delete "Windows Overlay Components"
Under " Save as type" Select " all files" ->>Save it to your Desktop
Close Notepad
The woc.bat file should now appear on your Desktop
Double Click that file (It will appear that nothing has happened, but that's o.k.)
Next Re run Hijackthis and place checks beside the following entries
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [nyqchmhA] C:\WINDOWS\nyqchmhA.exe
O4 - HKLM\..\Run: [{9F-F7-7F-F4-ZN}] c:\windows\system32\dwdsregt.exe GID002
O4 - HKLM\..\Run: [FQQERQ] "C:\WINDOWS\system32\kcnzrop6.exe"
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [mkzz] C:\PROGRA~1\COMMON~1\mkzz\mkzzm.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nyqchmh.exe (file missing)
Close all other open windows except Hijackthis and Select " Fix checked"
If prompted to reboot your PC Select No and close Hijackthis
Next Using Windows Explorer (Rt click Start->> Explore. And using the tree of folders on the left)
Locate and delete these folders
- C:\Program Files\Viewpoint
Locate and delete these filesC:\Program Files\webHancer
C:\Program Files\Messenger Plus
C:\Program Files\AWS
C:\Program Files\Common Files\mkzz
C:\Program Files\Batty2
C:\Program Files\CMFibula
C:\Program Files\SEARCHESSISTANT Toolbar
C:\WINDOWS\ime
C:\WINDOWS\pss
- C:\WINDOWS\system32\susp.exe
Close Windows ExplorerC:\WINDOWS\SYSC00.exe
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\SYSTEM32\lwinqpex.exe
C:\WINDOWS\system32\kcnzrop6.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\nyqchmhA.exe
C:\WINDOWS\SYSTEM32\thlwin32.dll
C:\WINDOWS\SYSTEM32\my_update.exe
C:\WINDOWS\uni_ehhhh.exe
C:\WINDOWS\SYSTEM32\ewxcksr.exe
C:\WINDOWS\SYSTEM32\winblsrv.dll
C:\WINDOWS\system32fab.exe
C:\WINDOWS\SYSTEM32\smaexp32.dll
C:\WINDOWS\SYSTEM32\BattyRun2.dll
C:\WINDOWS\SYSTEM32\wjaxkudr.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\SYSTEM32\wnsintsu.exe
C:\WINDOWS\SYSTEM32\gqu11351.sys
C:\WINDOWS\SYSTEM32\hnonpwya.exe
C:\WINDOWS\srvuamvkzn.exe
C:\WINDOWS\SYSTEM32\winpfg32.sys
C:\WINDOWS\srvznpyknd.exe
C:\WINDOWS\RDFX4.exe
C:\installerwnusnewer.exe
C:\WINDOWS\SYSTEM32\cawpemgl.exe
C:\WINDOWS\SYSTEM32\ha3f.exe
C:\WINDOWS\system32ha3f.exe
C:\WINDOWS\SYSTEM32\otpddpea5.dll
C:\WINDOWS\SYSTEM32\wnaservc.dll
C:\WINDOWS\SYSTEM32\gmgmcckp.exe
C:\WINDOWS\nyqchmh.exe
C:\Program Files\NetMeeting\kybe.html
C:\Program Files\MSN\hoxyma.html
Reboot your PC->>Rerun Hijackthis and post a fresh Hijackthis log
thanks bamajim Graduate of Malware Removal University
Message Edited by bamajim on 09-08-200610:17 AM
gilli86
12 Posts
0
September 10th, 2006 03:00
the folder IME wouldnt delte because something was using it but heres my hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:23:00 AM, on 9/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AIM\aim.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
bamajim
10.4K Posts
0
September 11th, 2006 13:00
gillie86
Much Better
You may want to print out these instructions for reference
First Go here and Download Ewido Antimalware 4.0
( 30 day free trial version) Save it to Your Desktop
Double Click Ewido-setup
(It will create its own folder)
Once the program starts You will be at the Status menu
- Under "Your computers Security"
At the top toolbar Click Scanner Then the settings tabClick change status on Resident shield to inactive
Click Update now (next to last update)
After the update loads
Under Automatic updates Uncheck download and install updates automatically(recommended)
(you can always select maual updates the next day)
- Under How to act? Set default action for detected malwareTo Quarantine
Exit Ewido ( Do not run it yet)Under how to scan All boxes should be checked
Under Possibly unwanted software All boxes should be checked
Under reports Select Automatically generate report after every scan
Uncheck Only if threats were found
Under what to scan Scan every file should be highlited
Next Download CCleaner from here to clean temp files from your computer.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation
Double click the CCleaner shortcut on the desktop to start the program.
- On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
Caution: It is not recommended that you use the " Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program
- After CCleaner has completed its process, click Exit
Reboot your PC into Safe ModeThis can be done by
Begin tapping the F8 key twice a second untill you reach another menu screen (black background with white menu choices)
Use your arrow keys and select Safe Mode and then Enter
4. Run Ewido
Select Complete system scan
Once the scan finishes
- Select Apply all actions (The items found will be quarantined)
Exit EwidoClick save report as (Another window will open)
Save it to your desktop
(By default It will be saved in the Ewido folder as)
C:\Program Files\ewido anti-spyware 4.0\Reports
While sill in Safe mode Using Windows Explorer
locate and delete this folder
Reboot your PC in Normal Mode
- Double click the report-scan txt. you saved to your desktop
Do not run any other options untill instructed to do soIt will open in Notepad
Copy and paste that report as a reply to this thread
Your reply should include
- your report_scan.txt log rom Ewido
thanks bamajima fresh Hijackthis log
gilli86
12 Posts
0
September 12th, 2006 20:00
ewido anti-spyware - Scan Report
---------------------------------------------------------
C:\Program Files\PowerSearch\Toolbar -> Adware.404Search : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP767\A0068709.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP767\A0068693.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP767\A0068706.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP767\A0068707.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\A0066965.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\A0066966.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-10.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-11.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-12.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-13.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-14.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-3.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-5.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-6.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-7.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-8.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\snapshot\MFEX-9.DAT -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP750\A0066912.exe -> Adware.DollarRevenue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066949.dll -> Adware.Ezula : Cleaned with backup (quarantined).
C:\Documents and Settings\Gildo86\Start Menu\Play Poker Online!.lnk -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{900FBC20-6AEE-4E05-ABA9-AC46E309C029} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066934.exe -> Adware.IEPlug : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp\Config -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp\Config\button0 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp\Config\button1 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp\Config\button2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp\Config\button3 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp\Config -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp\Config\button0 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp\Config\button1 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp\Config\button2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp\Config\button3 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066937.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066938.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066939.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066940.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066942.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066943.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066945.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066946.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066947.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066950.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066951.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066952.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066954.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066958.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752\A0066967.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP753\A0067025.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP753\A0067029.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP753\A0068131.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP753\A0068141.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP761\A0068556.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP767\A0068686.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP758\A0068457.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP750\A0066916.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP750\A0066917.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066953.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066955.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP751\A0066956.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).