79 replies to this topic

[JCInfected]

Thanks Susan. I'm more worried about the unable to disable the local area connection though over the patch, but obviously if you can figure that out as well, that would be great. Hopefully you'll be able to find something soon. Thank you for continued efforts Susan.

Edited by JCInfected, 30 April 2007 - 07:00 PM.

[Susan528]

Please go ahead and post in the Other Computer Problems about the disable the local area connection. I am not giving up but believe they may know more about the connection problems than I do.
http://forums.tomcoy...oblems_f83.html

[JCInfected]

Another update, I found " Wowexec.exe" with the extra space in front in the task manager. I also found Ntvdm.exe in there as well. I ran a Hijack This scan and " wowexec.exe" wasn't found in the scan. Is this something I should be worried about? I seems to appear randomly. Thanks Susan.

[JCInfected]

Some more information on the Microsoft updates thing, it seems under systems32/dllcache contains the updated version files of the updates, however, the same files in system32 are the older, non replaced ones. Are the updated ones supposed to be in ddlcache and not copied over to the system32 folder? Thanks

[Susan528]

These may be legitimate
Wowexec.exe
Ntvdm.exe

http://www.liutiliti...slibrary/ntvdm/
http://www.liutiliti...ibrary/wowexec/

File location is always important. A file can have the same name but for example if certain file is supposed to be in c:\Windows\System32 but you see it somewhere else, then that is indication it may be malware.

If you have doubts about a file, you can always submit it to Jotti and review the results.
=================
Please show all files for your system.
You will need to reverse this process when all steps are done.


Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
Ntvdm.exe

Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of those files (right-click and select properties from the popupmenu). Look if you can find some company information, etc.

I don’t know about the ddlcache question right off but will have to research this..

[JCInfected]

Nope, those files are clean and from microsoft. The the connectionand microsoft update thing must be something else =(. Thanks Susan

Edited by JCInfected, 02 May 2007 - 01:12 PM.

[Susan528]

You mentioned ddlcache and dllcache. I was googling ddlcache which does exist. Do you have ddlcache also or were you just referring to dllcache?

[JCInfected]

Oops, it's a typo, it's dllcache. Sorry about that. I also have some additional information in the other forum which I didn't post here. Sorry if I was also supposed to post the info here.

http://forums.tomcoy...lem_t78942.html

Edited by JCInfected, 03 May 2007 - 02:38 PM.

[Susan528]

I reviewed your log and the Files Associations showed an entry which appears to be Smitfraud related. So please do this and we will see.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.



______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter



This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt

[JCInfected]

SmitFraudFix v2.174

Scan done at 13:05:32.73, 05/04/2007 Fri
Run from C:\SmitFraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetRight\Getright.exe
C:\WINDOWS\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ hosts


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ C:\


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ C:\WINDOWS


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ C:\WINDOWS\system


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ C:\WINDOWS\Web


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ C:\WINDOWS\system32

C:\WINDOWS\system32\migicons.exe FOUND !

ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ C:\Documents and Settings\user


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ C:\Documents and Settings\user\Application Data


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ Start Menu


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ C:\DOCUME~1\user\FAVORI~1


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ Desktop


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ C:\Program Files


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ Corrupted keys


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="131A6951-7F78-11D0-A979-00C04FD705A2"
"SubscribedURL"="131A6951-7F78-11D0-A979-00C04FD705A2"
"FriendlyName"="Internet Explorer Channel Bar"

ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ pe386-msguard-lzx32-huy32



ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ DNS

Description: NVIDIA nForce Networking Controller
DNS Server Search Order: 154.11.128.187
DNS Server Search Order: 154.11.128.59

HKLM\SYSTEM\CCS\Services\Tcpip\..\{12ECEF1F-C5B0-4AB4-8E10-2F333D2B30D0}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS1\Services\Tcpip\..\{12ECEF1F-C5B0-4AB4-8E10-2F333D2B30D0}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ Scanning for wininet.dll infection


ｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻｻ End


In addition, I have some updated info in my other thread as well. It might help if you haven't taken a look:

http://forums.tomcoy...lem_t78942.html


Thanks a lot Susan

[Susan528]

This file did not show up in the previous hijackthis log but it shows in the previous post.

C:\WINDOWS\system32\conime.exe

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.




The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-spyware, and run a full scan.

• Click on Scanner
• Click on Settings
  • Under How to scan all boxes should be checked
  • Under Unwanted Software all boxes should be checked
  • Under What to scan select Scan every file
  • Click on Ok
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.

If AVG Anti-spyware finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

• Click Save Report button
• Save the report to your Desktop

Close AVG Anti-spyware and Reboot in Normal Mode.
______________________________

Please post:

• c:\rapport.txt
• AVG Anti-spyware log
• A new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

[JCInfected]

Hi Susan, I just need some clarification. I'm using IE 7 right now and I don't find hte "Delete all offline content" check box nor do I find the "Reset Web Settings button". I do however, find the "delete all" button which also has a check box to delete settings by addons. I just clicked that. Also, there's a "Reset" button under reset Internet Explorer settings and it's under the Advanced tab, not under the programs tab. The description says it will "Delete all temp files, disable all addons and resets all changed settings". Is this the button I want to press? I've begun the AVG scan without pressing the "Reset" button. Please let me know if I should restart the scan after I press the "reset" button or if it's alright to continue with the scan. Thanks Susanl.

[Susan528]

I'm using IE 7 right now and I don't find hte "Delete all offline content" check box nor do I find the "Reset Web Settings button". I do however, find the "delete all" button which also has a check box to delete settings by addons. I just clicked that.

For Internet 7
Go to IE =>Tools=>Delete Browsing History
Temporary Internet files
Cookies

I would just continue the AVG Anti-spyware scan. I am sorry about the instructions which were for IE6. Let's see how it goes. You may need to redo stored passwords if you have any. Personally I do not like stored passwords.

[JCInfected]

SmitFraudFix v2.174

Scan done at 17:42:13.37, 05/04/2007 Fri
Run from C:\SmitFraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\migicons.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{12ECEF1F-C5B0-4AB4-8E10-2F333D2B30D0}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS1\Services\Tcpip\..\{12ECEF1F-C5B0-4AB4-8E10-2F333D2B30D0}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:44:11 PM 5/4/2007

+ Scan result:



:mozilla.102:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.53:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.54:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.65:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.66:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.67:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.68:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.112:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.109:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.110:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.111:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.80:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.81:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.103:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.104:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.6:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.57:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.58:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.59:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86wqtv11.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end





Logfile of HijackThis v1.99.1
Scan saved at 7:49:41 PM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GetRight\Getright.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Windows\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GETRIGHT.EXE
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120209053671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160072345984
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe



I let AVG delete the cookies in Firefox instead of create encyrpted backups since they're cookies and no other virues were found. I still haven't clicked the "Reset button" under the Advanced Tab in IE 7. Should I press the reset button or leave it?

For the conime.exe thing, it sometimes appears in the process viewer and sometimes it doesn't. Not sure why that happens but I'm running on Japanese language settings right now so my japanese games will work on my computer. Hope that helps

Thanks Susan.

Edited by JCInfected, 04 May 2007 - 09:00 PM.

[Susan528]

Should I press the reset button or leave it?

I would leave it.

This is what I was after.
C:\WINDOWS\system32\migicons.exe Deleted

I am relieved to hear that you have Japanese language settings which may explain the conine.exe. But please go ahead and submit it to Jotti. I would like to check it out for sure.

Please show all files for your system.
You will need to reverse this process when all steps are done.


Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\WINDOWS\system32\conime.exe
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of those files (right-click and select properties from the popupmenu). Look if you can find some company information, etc.

You are still having the problem with disabling the LAN connection right?