Thanks for helping me out. Do you like my collection of malware? It's like an encyclopedia of malware (full of information but something I'll never read). I've got a fresh H.exe log and an uninstall_list.txt for you.
Regards,
Minh
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 7.0
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
AVI Codec Pack
BHA B's Recorder GOLD 5.32
BigPond Broadband ADSL FAQ
Client Activator 2.2 - English
DVD-RAM Driver
HijackThis 1.99.1
InCD (Ahead Software)
iriver plus (remove only)
Java 2 Runtime Environment, SE v1.4.2_05
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
MSN Messenger 7.5
MSN Music Assistant
Nero
ninemsn Toolbar
Norton AntiVirus Corporate Edition
Photo Loader 2.2E
Photohands 1.0E
POV-Ray for Windows
Safety Bar
Shockwave
ToolBar888
VSToolbar for Internet Explorer
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
Yahoo! Toolbar
ZoneAlarm Pro
Logfile of HijackThis v1.99.1
Scan saved at 12:13:11 PM, on 11/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Restart your PC, and after it starts, but before you see the Windows splash screen, begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices). Use your arrow keys to select Safe Mode and then press Enter.
Then go to Add/Remove Programs (click Start->>Control Panel->>Add/Remove Programs)
and uninstall the following:
Safety Bar
ToolBar888
VSToolbar for Internet Explorer
Close Add/Remove Programs ->>Reboot your PC
Next Please download
VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Ok, I am having a little bit of trouble. I have set it to safe mode but I can't access/click the Start button because it is not there. So I tried to access the Control Panel via the Task Manager but it still won't let me! It keeps prompting me with a warning and when I am reading it it just disappears. I had to take a photo of it so I could actually read the entire warning! It says this...
---
Windows is running in safe mode.
This special diagnostic mode of Windows enables you to fix a problem which may be caused by your network or hardware settings. Make sure these settings are correct in Control Panel, and then try starting Windows again. While in safe mode, some of your devices may not be available.
To proceed to work in safe mode, click Yes. If you prefer to use System Restore your computer to a previous state, click No.
---
If I am quick enough I click Yes, the taskbar appears and I can navigate my way to Control Panel, but it also disappears after a few seconds (including the taskbar). The same thing happens when I click No (except that the System Restore window remains). Like I said before, I am not tech savvy, so I was lucky to even remember the New Task (Run) feature of the Task Manager, so it's not looking too good at the moment, is it? Any suggestions?
Okay, this time I was able to get rid of those three items and now I have a fresh hijackthis.txt and a new Vundofix.txt for you.
Regards,
GBAMinh
Logfile of HijackThis v1.99.1
Scan saved at 2:56:17 PM, on 11/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Attempting to delete C:\WINDOWS\system32\winhqc32.dll
C:\WINDOWS\system32\winhqc32.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxuuuv.dll
C:\WINDOWS\system32\cbxuuuv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mlllk.dll
C:\WINDOWS\system32\mlllk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\klllm.ini
C:\WINDOWS\system32\klllm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\klllm.bak1
C:\WINDOWS\system32\klllm.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\klllm.bak2
C:\WINDOWS\system32\klllm.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\klllm.ini2
C:\WINDOWS\system32\klllm.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\klllm.tmp
C:\WINDOWS\system32\klllm.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\gfkjggch.dll
C:\WINDOWS\system32\gfkjggch.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ikrfind.dll
C:\WINDOWS\system32\ikrfind.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ksrpmje.dll
C:\WINDOWS\system32\ksrpmje.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gopywxlh.exe
C:\WINDOWS\system32\gopywxlh.exe Has been deleted!
Attempting to delete C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\services.dll
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\services.dll Could not be deleted.
Attempting to delete C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\Update.exe
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\Update.exe Could not be deleted.
Attempting to delete C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\services.dll
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\services.dll Has been deleted!
Attempting to delete C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\Update.exe
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\Update.exe Has been deleted!
Please download the Killbox.
1) Save it to the desktop and run it.
2) Select "Delete on Reboot", and then select "All files".
3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\System32\4de4211e.exe
C:\Documents and Settings\Terry Nguyen\Local Settings\Application Data\4de4211e.exe
4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Next, please download SmitfraudFix.
Save it to your Desktop->>Right-click->>Extract all->>and extract it to your desktop
Open the Smitfraud folder
Double-click smitfraudfix.cmd
Select 1 and hit Enter to create a report of the infected files.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Open that file, Ctrl+A to copy, and post a copy of that log as a reply to this thread
Do not run option 2 until instructed to do so.
Please note that some antivirus programs flag process.exe as an infection, but it is actually a needed component of this tool.
Sorry for the delayed reply, I was sick over the weekend. Before I forget, there was only one step that didn't "work" and that was when you wanted me to click "No" at the Pending Operations prompt; that simply didn't appear. So I just proceeded with the rest of the instructions. I have the rapport report you requested.
Regards,
GBAMinh
SmitFraudFix v2.83
Scan done at 12:11:44.42, Sun 11/19/2006
Run from C:\Documents and Settings\Terry Nguyen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\urroxtl.dll FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Terry Nguyen\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
C:\DOCUME~1\TERRYN~1\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
You may want to print out these instructions for reference.
1. Go here and download AVG Anti-Spyware (30 day free trial version). Save it to your desktop.
Double-click AVG Anti-Spyware-setup (it will create its own folder).
Once the program starts you will be at the Status menu.
Under "Your computer's Security", click Change status on Resident shield to Inactive.
Click Update now (next to Last update).
After the update loads, under Automatic updates uncheck "Download and install updates automatically (recommended)" (you can always select manual updates the next day).
At the top toolbar click Scanner, then the Settings tab.
Under How to act?, set Default action for detected malware to Quarantine.
Under How to scan, all boxes should be checked.
Under Possibly unwanted software, all boxes should be checked.
Under Reports, select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan, Scan every file should be highlighted.
Exit AVG (but do not run it yet).
2. Reboot into Safe Mode. This can be done by:
Restart your PC, and after it starts, but before you see the Windows splash screen, begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices). Use your arrow keys to select Safe Mode and then press Enter.
3. Open the SmitfraudFix folder, then double-click the smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
4. Run AVG Anti-Spyware.
Click Scanner and select Complete system scan.
Once the scan finishes, select Apply all actions (the items found will be quarantined).
Click Save report as (another window will open). Save it to your desktop (by default it will be saved in the AVG folder, C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports).
Exit AVG.
Reboot your PC in Normal Mode->>Re-run Hijackthis and post a fresh Hijackthis log.
Double-click the report-scan .txt you saved to your desktop. It will open in Notepad. Copy and paste that report as a reply to this thread.
Your reply should include
a fresh hijackthis log
your C:\rapport.txt log from Smitfraudfix
your report_scan.txt from AVG
You may have to post the results in more than one reply.
I'm feeling better now; what really s is that I was sick during my trip to a friend's holiday house at the beach. Okay, here are three lots of texts (I've put the hijackthis and rapport texts together, the report_scan is separate).
Regards
GBAMinh
Logfile of HijackThis v1.99.1
Scan saved at 7:31:22 PM, on 11/20/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Scan done at 18:34:14.49, Mon 11/20/2006
Run from C:\Dell forums\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
We need to make sure we can see hidden files and folders.
Click Start. Click My Computer. Select the Tools menu and click Folder Options. Select the View tab.
Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm.
Uncheck Hide file extensions for known file types. Click OK.
Next, rerun Hijackthis (scan only) and place checks beside the following entries
Close all other open windows except Hijackthis and select "Fix checked"
Next, using Windows Explorer
(Right-click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and delete the following files (if found):
C:\WINDOWS\System32\4de4211e.exe
C:\WINDOWS\System32\ikrfind.dll
C:\Documents and Settings\Terry Nguyen\Local Settings\Application Data\4de4211e.exe
Close Windows Explorer->>Reboot your PC->>Rerun HijackThis and post a fresh log
This is great; it's hard to describe, but you can tell that the computer is getting better simply by using it. Those three files you asked me to look for and delete weren't there (thought I might just tell you).
Regards
GBAMinh
Logfile of HijackThis v1.99.1
Scan saved at 11:22:46 AM, on 11/21/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Glad to hear it's running better. Thanks for keeping me up to date on the files; they should have already been gone, but I included them in the fix because I didn't want to leave anything behind.
Please download
ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All. Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All. Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All. Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.
This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
Now rerun Hijackthis (scan only) and place checks beside the following entries
Close all other windows except Hijackthis and select "Fix checked" and close Hijackthis
Next, using Windows Explorer
(Right-click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and delete the following file (if found):
C:\DOCUME~1\TERRYN~1\LOCALS~1\Temp\MirarSetup.exe
Close Windows Explorer->>Reboot your PC->>Rerun Hijackthis and post a fresh log
bamajim
10.4K Posts
0
November 15th, 2006 19:00
Welcome to DCF :smileyhappy:
That's quite a malware collection you have there. It will take a couple of runs at this to completely remove the infection, so please be patient
First open the Hijackthis folder->>Locate the file Hijackthis.exe->>Right-click and select Rename->>Rename Hijackthis.exe to H.exe.
Then re-run H.exe (formerly Hijackthis)
Then select " Open uninstall manager"
Then " save list" and save it to your desktop
Copy and paste that list as a reply to this thread
Also Rerun and post a fresh log
Your reply should include
your uninstall_list.txt
GBAMinh
33 Posts
0
November 15th, 2006 23:00
Scan saved at 12:13:11 PM, on 11/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ismini.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\System32\issearch.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\4de4211e.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\TEMP\winDD.tmp.exe
C:\Program Files\iriver\iriver plus\iAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\HJT\H.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27D97ABB-EF15-4DA9-8166-D71EF18EBE55} - C:\WINDOWS\System32\mlllk.dll
O2 - BHO: (no name) - {4472E2B2-FB44-FBD4-2A58-0101EBECF47E} - C:\WINDOWS\System32\ksrpmje.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\gfkjggch.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00401} - C:\WINDOWS\g1376349.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\DOCUME~1\TERRYN~1\LOCALS~1\Temp\MirarSetup.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [4de4211e.exe] C:\WINDOWS\System32\4de4211e.exe
O4 - HKLM\..\Run: [ikrfind.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ikrfind.dll,buptmcd
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iPlusAgent] C:\Program Files\iriver\iriver plus\iAgent.exe
O4 - HKCU\..\Run: [4de4211e.exe] C:\Documents and Settings\Terry Nguyen\Local Settings\Application Data\4de4211e.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{837D8BA2-EFF1-4DE7-BE04-5221EA90C3C6}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mlllk - C:\WINDOWS\System32\mlllk.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winhqc32 - C:\WINDOWS\SYSTEM32\winhqc32.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\System32\urroxtl.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
bamajim
10.4K Posts
0
November 15th, 2006 23:00
You're welcome, and not quite an encyclopedia
Your reply should include
a fresh Hijackthis log
GBAMinh
33 Posts
0
November 16th, 2006 00:00
bamajim
10.4K Posts
0
November 16th, 2006 01:00
GBAMinh
33 Posts
0
November 16th, 2006 02:00
Scan saved at 2:56:17 PM, on 11/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\ismini.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\4de4211e.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iriver\iriver plus\iAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\HJT\H.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4472E2B2-FB44-FBD4-2A58-0101EBECF47E} - C:\WINDOWS\System32\ksrpmje.dll (file missing)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\gfkjggch.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00401} - C:\WINDOWS\g1376349.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: (no name) - {F593DC49-515E-49D4-A11F-34048B9A7005} - C:\WINDOWS\System32\mlllk.dll (file missing)
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\DOCUME~1\TERRYN~1\LOCALS~1\Temp\MirarSetup.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [4de4211e.exe] C:\WINDOWS\System32\4de4211e.exe
O4 - HKLM\..\Run: [ikrfind.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ikrfind.dll,buptmcd
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iPlusAgent] C:\Program Files\iriver\iriver plus\iAgent.exe
O4 - HKCU\..\Run: [4de4211e.exe] C:\Documents and Settings\Terry Nguyen\Local Settings\Application Data\4de4211e.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{837D8BA2-EFF1-4DE7-BE04-5221EA90C3C6}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\System32\urroxtl.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
VundoFix V6.2.8
C:\WINDOWS\system32\cbxuuuv.dll
C:\WINDOWS\system32\mlllk.dll
C:\WINDOWS\system32\klllm.ini
C:\WINDOWS\system32\klllm.bak1
C:\WINDOWS\system32\klllm.bak2
C:\WINDOWS\system32\klllm.ini2
C:\WINDOWS\system32\klllm.tmp
C:\WINDOWS\system32\gfkjggch.dll
C:\WINDOWS\system32\ikrfind.dll
C:\WINDOWS\system32\ksrpmje.dll
C:\WINDOWS\system32\gopywxlh.exe
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\services.dll
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\Update.exe
C:\WINDOWS\System32\mlllk.dll
C:\WINDOWS\system32\klllm.ini
C:\WINDOWS\system32\klllm.bak1
C:\WINDOWS\system32\klllm.bak2
C:\WINDOWS\system32\klllm.ini2
C:\WINDOWS\system32\klllm.tmp
C:\WINDOWS\System32\klllm.ini
C:\WINDOWS\System32\klllm.bak1
C:\WINDOWS\System32\klllm.bak2
C:\WINDOWS\System32\klllm.ini2
C:\WINDOWS\System32\klllm.tmp
C:\WINDOWS\system32\winhqc32.dll Has been deleted!
C:\WINDOWS\system32\cbxuuuv.dll Has been deleted!
C:\WINDOWS\system32\mlllk.dll Has been deleted!
C:\WINDOWS\system32\klllm.ini Has been deleted!
C:\WINDOWS\system32\klllm.bak1 Has been deleted!
C:\WINDOWS\system32\klllm.bak2 Has been deleted!
C:\WINDOWS\system32\klllm.ini2 Has been deleted!
C:\WINDOWS\system32\klllm.tmp Has been deleted!
C:\WINDOWS\system32\gfkjggch.dll Has been deleted!
C:\WINDOWS\system32\ikrfind.dll Has been deleted!
C:\WINDOWS\system32\ksrpmje.dll Has been deleted!
C:\WINDOWS\system32\gopywxlh.exe Has been deleted!
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\services.dll Could not be deleted.
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\Update.exe Could not be deleted.
Done!
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\Update.exe
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\services.dll Has been deleted!
C:\Program Files\Common Files\{987CCDC0-0360-1033-0706-000118000001}\Update.exe Has been deleted!
Done!
bamajim
10.4K Posts
0
November 16th, 2006 11:00
Good job :)
First Please download the Killbox.
1) Save it to the desktop and run it.
2) Select "Delete on Reboot", and then select "All files".
3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\System32\4de4211e.exe
C:\Documents and Settings\Terry Nguyen\Local Settings\Application Data\4de4211e.exe
4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Next Please go HERE and Download SmitFraudFix by S!ri
- Save it to your Desktop->>Rt Click->>Extract all->>and extract it to your desktop
Do Not run option 2 until instructed to do so
Open The Smitfraud folder
Double-click smitfraudfix.cmd
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Open that file, Ctrl+A to copy, and post a copy of that log as a reply to this thread
Please note that some Antivirus programs flag process.exe as an infection, but it is actually a needed component of this tool
Reboot your PC and post the results
Your reply should include
Your reply should include
GBAMinh
33 Posts
0
November 18th, 2006 23:00
Run from C:\Documents and Settings\Terry Nguyen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\urroxtl.dll FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
!!!Attention, following keys are not inevitably infected!!!
Search SharedTaskScheduler's .dll
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00401}"="z"
@="C:\WINDOWS\g1376349.dll"
@="C:\WINDOWS\g1376349.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"
!!!Attention, following keys are not inevitably infected!!!
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» End
bamajim
10.4K Posts
0
November 19th, 2006 23:00
Hope you are feeling better
You may want to print out these instructions for reference
1. Go here and Download AVG Anti-Spyware
( 30 day free trial version) Save it to Your Desktop
Double Click AVG Anti-Spyware-setup
(It will create its own folder)
Once the program starts You will be at the Status menu
Click change status on Resident shield to inactive
Click Update now (next to last update)
After the update loads
Under Automatic updates Uncheck download and install updates automatically(recommended)
(you can always select manual updates the next day)
Under how to scan All boxes should be checked
Under Possibly unwanted software All boxes should be checked
Under reports Select Automatically generate report after every scan
Uncheck Only if threats were found
Under what to scan Scan every file should be highlighted
2. Reboot into Safe Mode
This can be done by
Begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices)
Use your arrow keys and select Safe Mode and then Enter
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file ?" by typing Y and hit Enter.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
4. Run AVG Anti-Spyware
Select Complete system scan
Click save report as (Another window will open)
Save it to your desktop
(By default It will be saved in the AVG folder as)
C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports
It will open in Notepad
Copy and paste that report as a reply to this thread
Reboot your PC in Normal Mode->>Re run Hijackthis and post a fresh Hijackthis log.
your c:\rapport.txt log from Smitfraudfix
your report_scan.txt from AVG
GBAMinh
33 Posts
0
November 20th, 2006 06:00
Scan saved at 7:31:22 PM, on 11/20/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iriver\iriver plus\iAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\H.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4472E2B2-FB44-FBD4-2A58-0101EBECF47E} - C:\WINDOWS\System32\ksrpmje.dll (file missing)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\gfkjggch.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00401} - C:\WINDOWS\g1376349.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: (no name) - {F593DC49-515E-49D4-A11F-34048B9A7005} - C:\WINDOWS\System32\mlllk.dll (file missing)
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\DOCUME~1\TERRYN~1\LOCALS~1\Temp\MirarSetup.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [4de4211e.exe] C:\WINDOWS\System32\4de4211e.exe
O4 - HKLM\..\Run: [ikrfind.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ikrfind.dll,buptmcd
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iPlusAgent] C:\Program Files\iriver\iriver plus\iAgent.exe
O4 - HKCU\..\Run: [4de4211e.exe] C:\Documents and Settings\Terry Nguyen\Local Settings\Application Data\4de4211e.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{837D8BA2-EFF1-4DE7-BE04-5221EA90C3C6}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
Run from C:\Dell forums\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
!!!Attention, following keys are not inevitably infected!!!
Search SharedTaskScheduler's .dll
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00401}"="z"
@="C:\WINDOWS\g1376349.dll"
@="C:\WINDOWS\g1376349.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
C:\WINDOWS\System32\urroxtl.dll -> Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
Search SharedTaskScheduler's .dll
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00401}"="z"
@="C:\WINDOWS\g1376349.dll"
@="C:\WINDOWS\g1376349.dll"
GBAMinh
33 Posts
0
November 20th, 2006 06:00
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087369.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087397.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087410.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087426.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087438.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087444.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084498.exe -> Downloader.Zlob.amw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084493.dll -> Downloader.Zlob.amx : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temporary Internet Files\Content.IE5\JPOKG733\l11[1].exe -> Downloader.Zlob.aop : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087449.exe -> Downloader.Zlob.apm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087448.exe -> Downloader.Zlob.avy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0082358.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temp\mst15.tmp -> Logger.Agent.ab : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087377.dll -> Logger.Agent.ab : Cleaned with backup (quarantined).
C:\VundoFix Backups\winhqc32.dll.bad -> Logger.Agent.ab : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temp\bvtoqcim.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temp\emakdsqi.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temp\fllbajjt.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temp\iugeuajl.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\phong\Local Settings\Temp\bqwbdmmg.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\phong\Local Settings\Temp\njvqehfh.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\phong\Local Settings\Temp\qbsmjeya.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087447.dll -> Not-A-Virus.Hoax.Win32.Renos.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087454.dll -> Not-A-Virus.Hoax.Win32.Renos.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087455.dll -> Not-A-Virus.Hoax.Win32.Renos.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084529.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084573.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084606.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0086606.DLL -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0086623.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0086634.DLL -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087334.DLL -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087356.DLL -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087362.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087370.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087398.DLL -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087415.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087425.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087440.DLL -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087450.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087453.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\Documents and Settings\phong\Cookies\phong@217.73.66[2].txt -> TrackingCookie.217.73.66.16 : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@217.73.66[3].txt -> TrackingCookie.217.73.66.16 : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@adbrite[3].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@cpvfeed[3].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@findwhat[2].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\phong\Cookies\phong@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Terry Nguyen\Cookies\terry nguyen@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Terry Nguyen\Local Settings\Temporary Internet Files\Content.IE5\JQTKH3R7\antzom[1].exe -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087381.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\VundoFix Backups\gfkjggch.dll.bad -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temporary Internet Files\Content.IE5\9X73MWF7\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temporary Internet Files\Content.IE5\9X73MWF7\q387[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Documents and Settings\phong\Local Settings\Temporary Internet Files\Content.IE5\OPQFS567\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temporary Internet Files\Content.IE5\RGL5V8KO\srvawp[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\Documents and Settings\phong\Local Settings\Temporary Internet Files\Content.IE5\0XS1AJAD\srvuyj[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084444.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084509.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084535.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cool.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd47.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd4D.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temporary Internet Files\Content.IE5\6AVTPZPN\srvfnx[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temporary Internet Files\Content.IE5\9X73MWF7\srvkwj[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\phong\Local Settings\Temporary Internet Files\Content.IE5\0XS1AJAD\srvpmc[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win11B.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win4C.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win4F.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win69.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win85.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winDD.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087391.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).
C:\VundoFix Backups\Update.exe.bad -> Trojan.Starter.65 : Cleaned with backup (quarantined).
::Report end
GBAMinh
33 Posts
0
November 20th, 2006 06:00
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 7:20:35 PM 11/20/2006
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{a43385f0-7113-496d-96d7-b9b550e3fcca} -> Adware.Isearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a43385f0-7113-496d-96d7-b9b550e3fcca} -> Adware.Isearch : Cleaned with backup (quarantined).
C:\Program Files\Save -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Current -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Current\03_NYC_BatteryPark.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Current\03_NYC_UNATCOHQ.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Current\03_NYC_UNATCOIsland.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Current\SaveInfo.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005 -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005\02_NYC_Bar.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005\02_NYC_BatteryPark.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005\02_NYC_FreeClinic.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005\02_NYC_Hotel.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005\02_NYC_Smug.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005\02_NYC_Street.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005\02_NYC_Underground.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005\02_NYC_Warehouse.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0005\SaveInfo.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0006 -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0006\03_NYC_BatteryPark.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0006\03_NYC_UNATCOHQ.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0006\03_NYC_UNATCOIsland.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0006\SaveInfo.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0007 -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0007\03_NYC_UNATCOHQ.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0007\03_NYC_UNATCOIsland.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0007\SaveInfo.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0008 -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0008\03_NYC_BatteryPark.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0008\03_NYC_BrooklynBridgeStation.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0008\03_NYC_UNATCOHQ.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0008\03_NYC_UNATCOIsland.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Save\Save0008\SaveInfo.dxs -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087384.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\VundoFix Backups\gopywxlh.exe.bad -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\Program Files\VSToolbar\VSToolBar.dll -> Adware.Searchcolours : Cleaned with backup (quarantined).
C:\Program Files\ToolBar888 -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\ToolBar888\MyToolBar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temporary Internet Files\Content.IE5\JPOKG733\anti4[1].exe -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087378.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\VundoFix Backups\cbxuuuv.dll.bad -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\ja.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087382.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087383.dll -> Downloader.Busky.az : Cleaned with backup (quarantined).
C:\VundoFix Backups\ikrfind.dll.bad -> Downloader.Busky.az : Cleaned with backup (quarantined).
C:\VundoFix Backups\ksrpmje.dll.bad -> Downloader.Busky.az : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087443.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\!KillBox\4de4211e.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\!KillBox\4de4211e.exe( 1) -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\Documents and Settings\phong\Local Settings\Application Data\4de4211e.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0083381.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0083399.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0083421.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084439.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084452.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084465.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084480.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084494.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084530.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084575.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084607.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0086607.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0086637.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087336.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087358.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087371.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087399.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087411.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087418.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087419.EXE -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Terry Nguyen\Local Settings\Temporary Internet Files\Content.IE5\8DUZCTAZ\L2[1].exe -> Downloader.Small.dod : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084502.exe -> Downloader.Zlob.aew : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0082315.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0082327.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0082368.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0083380.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0083396.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP209\A0083420.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP210\A0083438.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084438.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084451.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084464.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084479.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084492.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084528.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084572.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0084605.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0086605.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0086622.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0086633.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087333.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{55CF12A8-0BAF-4F4D-9E80-0DD49CE38512}\RP211\A0087355.exe -> Downloader.Zlob.aif : Cleaned with backup (quarantined).
bamajim
10.4K Posts
0
November 20th, 2006 12:00
Looking better
We need to make sure we can see hidden files and folders
Click My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Uncheck the Hide file extensions for known file types.
Click OK.
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\gfkjggch.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00401} - C:\WINDOWS\g1376349.dll (file missing)
O2 - BHO: (no name) - {F593DC49-515E-49D4-A11F-34048B9A7005} - C:\WINDOWS\System32\mlllk.dll (file missing)
O4 - HKLM\..\Run: [4de4211e.exe] C:\WINDOWS\System32\4de4211e.exe
O4 - HKLM\..\Run: [ikrfind.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ikrfind.dll,buptmcd
O4 - HKCU\..\Run: [4de4211e.exe] C:\Documents and Settings\Terry Nguyen\Local Settings\Application Data\4de4211e.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
Next Using Windows Explorer
C:\WINDOWS\System32\ikrfind.dll
C:\Documents and Settings\Terry Nguyen\Local Settings\Application Data\4de4211e.exe
GBAMinh
33 Posts
0
November 20th, 2006 22:00
Scan saved at 11:22:46 AM, on 11/21/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iriver\iriver plus\iAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\HJT\H.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\DOCUME~1\TERRYN~1\LOCALS~1\Temp\MirarSetup.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iPlusAgent] C:\Program Files\iriver\iriver plus\iAgent.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{837D8BA2-EFF1-4DE7-BE04-5221EA90C3C6}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
bamajim
10.4K Posts
0
November 21st, 2006 01:00
Glad to hear it's running better. Thanks for keeping me up to date on the files; they should have already been gone, but I included them in the fix because I didn't want to leave anything behind.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Under Main choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
Now rerun HijackThis (scan only) and place checks beside the following entries:
O4 - Startup: PowerReg Scheduler.exe
Next Using Windows Explorer