WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Baffled On This One

Started by DrewDunk , Apr 06 2007 12:09 PM

Please log in to reply

18 replies to this topic

#1 DrewDunk

New Member

Authentic Member
13 posts

Posted 06 April 2007 - 12:09 PM

A little background: McAfee periodically says it has found a suspect file and suggests running full scan. Full scan returns nothing wrong. Get a periodic Google Toolbar pop up warning that the web page being attempted (not by me) is a known malware/spyware site. IE6 works, but hangs for a long time before allowing me to do anything. Firefox works great in the meantime. Any help is greatly appreciated.

Drew Dunk

Logfile of HijackThis v1.99.1
Scan saved at 12:02:31 PM, on 4/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\tmp168.tmp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {fbce0e11-b870-4674-922e-cbd7a10661d6} - C:\WINDOWS\system32\dx7wiz.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gwiz] C:\Documents and Settings\Owner\Application Data\21305.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102882279\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\dddefg.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127370753156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151518166937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://courthouse.p...emote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: ?A????????????????????Ÿ????????????? A???????????????? A?C C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: dx7wiz - C:\WINDOWS\SYSTEM32\dx7wiz.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

Advertisements

Register to Remove

#2 Markka

Advanced Member

Banned
784 posts

Posted 06 April 2007 - 12:21 PM

Hi and welcome to the forums.

I'm Markka and I will be helping you with your malware issues. I will check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by teachers of Malware Removal University. Please be patient.

#3 Markka

Advanced Member

Banned
784 posts

Posted 06 April 2007 - 01:07 PM

Hello

I've a question for you. What is your language of Windows?

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

Post:
- a fresh HijackThis log
- Contents of C:\vundofix.txt
- main.txt

#4 DrewDunk

New Member

Authentic Member
13 posts

Posted 06 April 2007 - 04:04 PM

Thanks for the help. I am running Windows XP Home (SP1) on an HP Pavilion P4 4 Ghz, 1G RAM. My windows and other software came preloaded so I have to use the original 5 disks to reload. Have tried to install SP2 a number of times, but it always crashes, so I gave up. Yes, I updated all drivers, BIOS, etc., and did clean install immediately after loading the 5 disks, but no use. I downloaded and ran Vundofix.exe and DSS.exe. Here's the DSS log followed by a fresh Hijackthis log.

Thanks again, Drew

Deckard's System Scanner v20070328.36
Run by Owner on 2007-04-06 at 15:52:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
86: 2007-04-06 22:52:31 UTC - RP430 - Deckard's System Scanner Restore Point
85: 2007-04-06 08:46:16 UTC - RP429 - System Checkpoint
84: 2007-04-05 07:53:12 UTC - RP428 - System Checkpoint
83: 2007-04-04 06:53:11 UTC - RP427 - System Checkpoint
82: 2007-04-03 05:53:11 UTC - RP426 - System Checkpoint

-- First Restore Point --
1: 2007-01-07 03:38:53 UTC - RP345 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:54:39 PM, on 4/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\mcafee.com\MPS\mscifapp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\shellmon.exe
c:\program files\common files\aol\1102882279\ee\anotify.exe
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CFLFMY3P\drf1175898777[1].htm.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\hjt\Owner.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {fbce0e11-b870-4674-922e-cbd7a10661d6} - C:\WINDOWS\system32\dx7wiz.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gwiz] C:\Documents and Settings\Owner\Application Data\21305.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102882279\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\dddefg.dll",realset
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\mcafee.com\MPS\mscifapp.exe /embedding
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127370753156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151518166937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://courthouse.p...emote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: ?A????????????????????Ÿ????????????? A???????????????? A?C C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: dx7wiz - C:\WINDOWS\SYSTEM32\dx7wiz.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys
R1 Cdr4_xp - c:\windows\system32\drivers\cdr4_xp.sys
R1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys
R1 cdudf_xp - c:\windows\system32\drivers\cdudf_xp.sys
R1 DcCam (Kodak Camera Proxy) - c:\windows\system32\drivers\dccam.sys
R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys
R1 ewido security suite driver - c:\program files\ewido anti-malware\guard.sys
R1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys
R1 pwd_2k - c:\windows\system32\drivers\pwd_2k.sys
R1 UDFReadr - c:\windows\system32\drivers\udfreadr.sys
R2 DCFS2K (Kodak DCFS2K Driver) - c:\windows\system32\drivers\dcfs2k.sys
R2 PfModNT - c:\windows\system32\pfmodnt.sys
R3 BridgeMP (MAC Bridge Miniport) - c:\windows\system32\drivers\bridge.sys
R3 dot4 (MS IEEE-1284.4 Driver) - c:\windows\system32\drivers\dot4.sys
R3 Dot4Print (Print Class Driver for IEEE-1284.4) - c:\windows\system32\drivers\dot4prt.sys
R3 Dot4Scan (Scan Class Driver for IEEE-1284.4) - c:\windows\system32\drivers\dot4scan.sys
R3 dot4usb (Dot4USB Filter Dot4USB Filter) - c:\windows\system32\drivers\dot4usb.sys
R3 dvd_2K - c:\windows\system32\drivers\dvd_2k.sys
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys
R3 ltmodem5 (Lucent Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys
R3 MxlW2k - c:\windows\system32\drivers\mxlw2k.sys
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys

S1 Exportit - c:\windows\system32\drivers\exportit.sys
S3 61883 (61883 Unit Device) - c:\windows\system32\drivers\61883.sys
S3 Avc (AVC Device) - c:\windows\system32\drivers\avc.sys
S3 Bridge (MAC Bridge) - c:\windows\system32\drivers\bridge.sys
S3 DcFpoint - c:\windows\system32\drivers\dcfpoint.sys
S3 DcLps (Legacy Polling Service) - c:\windows\system32\drivers\dclps.sys
S3 DcPTP - c:\windows\system32\drivers\dcptp.sys
S3 EUDFUHLP - c:\windows\system32\drivers\eudfuhlp.sys (file missing)
S3 EUSBDFU (eUSB DFU Driver) - c:\windows\system32\drivers\eusbdfu.sys
S3 ialm - c:\windows\system32\drivers\ialmnt5.sys
S3 mmc_2K - c:\windows\system32\drivers\mmc_2k.sys
S3 MSDV (Microsoft DV Camera and VCR) - c:\windows\system32\drivers\msdv.sys
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys
S3 Ps2 - c:\windows\system32\drivers\ps2.sys
S3 S3Psddr - c:\windows\system32\drivers\s3gnbm.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aolavupd (AOL Antivirus Update Service) - "c:\program files\common files\aol\1102882279\ee\services\safetycore\ver210_5_4_1\aolavupd.exe"
R2 ITMRTSVC (CA Pest Patrol Realtime Protection Service) - "c:\program files\ca\pprt\bin\itmrtsvc.exe"
R2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe -k netsvcs

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - c:\program files\winpcap\rpcapd.exe -d -f rpcapd.ini
S4 ewido security suite guard - c:\program files\ewido anti-malware\ewidoguard.exe

-- Scheduled Tasks -------------------------------------------------------------

2007-04-06 12:33:00 494 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DUNKHOME-Owner).job<MCAFEE~1.JOB>
2007-03-30 16:56:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>

-- Files created between 2007-03-06 and 2007-04-06 -----------------------------

2007-04-06 15:16:19 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-04-06 12:32:59 0 d-------- C:\WINDOWS\System32\mclsphlr
2007-04-06 12:32:57 11264 --a------ C:\WINDOWS\System32\sporder.dll
2007-04-06 12:32:57 32768 --a------ C:\WINDOWS\System32\instlsp.exe
2007-04-06 12:32:56 90112 --a------ C:\WINDOWS\System32\mcrtl32.dll
2007-04-06 12:32:56 131072 --a------ C:\WINDOWS\System32\mclsp.dll
2007-04-06 12:32:56 143360 --a------ C:\WINDOWS\System32\dunzip32.dll
2007-04-06 12:30:52 8704 --a------ C:\WINDOWS\System32\MPFApi.dll
2007-04-06 12:30:52 80640 --a------ C:\WINDOWS\System32\drivers\MpFirewall.sys<MPFIRE~1.SYS>
2007-04-06 12:30:49 0 d-------- C:\Documents and Settings\All Users\Application Data\mcafee.com personal firewall<MCAFEE~1.COM>
2007-04-06 11:52:31 0 d-------- C:\Program Files\hjt
2007-04-06 11:21:04 106767 --a------ C:\WINDOWS\dddefg.dll
2007-04-06 11:11:41 33588 -ra------ C:\WINDOWS\System32\drivers\wanatw4.sys
2007-04-05 23:38:33 0 d-------- C:\Program Files\CA
2007-04-05 23:37:55 8448 --a------ C:\WINDOWS\System32\drivers\EntDrv51.sys
2007-04-05 23:36:59 41018 --a------ C:\WINDOWS\System32\EntAPI.dll
2007-04-05 23:36:55 114464 --a------ C:\WINDOWS\System32\drivers\naiavf5x.sys
2007-04-05 23:36:35 82432 --a------ C:\WINDOWS\System32\msxml4r.dll
2007-04-05 23:36:35 44544 --a------ C:\WINDOWS\System32\msxml4a.dll
2007-04-05 23:36:34 1233920 --a------ C:\WINDOWS\System32\msxml4.dll
2007-04-05 23:36:04 0 d-------- C:\Program Files\Common Files\McAfee
2007-04-05 23:35:20 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-04-04 12:29:34 19216 --a------ C:\WINDOWS\System32\dx7wiz.dll
2007-03-31 11:46:53 0 d-------- C:\WINDOWS\LastGood
2007-03-29 14:52:54 1168 --a------ C:\WINDOWS\mozver.dat
2007-03-29 13:57:31 0 d-------- C:\WINDOWS\LastGood.Tmp
2007-03-25 13:00:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2007-03-18 21:28:59 0 d-------- C:\WINDOWS\Windows Update Setup Files<WINDOW~1>
2007-03-18 19:49:23 0 d-------- C:\Program Files\AOL 9.0<AOL9~1.0>
2007-03-17 18:11:47 0 d-------- C:\Documents and Settings\Owner\Application Data\bak
2007-03-17 18:11:45 0 d-------- C:\WINDOWS\System32\bak
2007-03-17 18:11:45 0 d-------- C:\WINDOWS\system\bak
2007-03-17 18:11:45 0 d-------- C:\WINDOWS\bak
2007-03-09 21:51:26 0 d-------- C:\Program Files\iTunes

-- Find3M Report ---------------------------------------------------------------

2007-04-06 15:25:52 288 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-0000000A-00001102-00000002-80691102}.dat<DVCSTA~2.DAT>
2007-04-06 15:25:52 288 --a------ C:\WINDOWS\System32\DVCState-{00000002-00000000-0000000A-00001102-00000002-80691102}.dat<DVCSTA~1.DAT>
2007-04-06 12:32:27 0 d-------- C:\Program Files\McAfee.com
2007-04-06 12:29:18 0 d-------- C:\Program Files\Common Files\AOL
2007-04-06 11:14:40 0 d-------- C:\Documents and Settings\Owner\Application Data\AOL
2007-04-05 23:23:38 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-03-23 19:35:21 0 d-------- C:\Program Files\iPod
2007-03-18 19:52:35 0 d-------- C:\Program Files\Common Files\aolshare
2007-03-18 19:23:13 0 d-------- C:\Program Files\America Online 9.0a<AMERIC~1.0A>
2007-03-17 18:11:47 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-17 18:11:44 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-17 18:10:34 37058 --a------ C:\WINDOWS\UpdReg.EXE
2007-03-17 18:10:34 37058 --a------ C:\WINDOWS\System32\hkcmd.exe
2007-03-09 21:37:20 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>
2007-02-20 09:56:06 0 d-------- C:\Documents and Settings\Owner\Application Data\ultra
2007-02-15 22:43:38 0 d-------- C:\Program Files\Google
2007-01-23 04:40:09 1044480 --a------ C:\WINDOWS\System32\roboex32.dll
2007-01-23 04:40:09 54784 --a------ C:\WINDOWS\System32\INETWH32.DLL

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"AOL Fast Start"="\"C:\\Program Files\\AOL 9.0\\AOL.EXE\" -b"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BlockTracker"="c:\\hp\\bin\\BlockTracker.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"AutoTBar"="C:\\hp\\bin\\autotbar.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"CTHelper"="CTHELPER.EXE"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1102882279\\ee\\AOLSoftware.exe"
"DVDTray"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDTray.exe\""
"MimBoot"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mimboot.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"DVDBitSet"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"gwiz"="C:\\Documents and Settings\\Owner\\Application Data\\21305.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AOLSPScheduler"="C:\\Program Files\\Common Files\\AOL\\1102882279\\ee\\services\\safetyCore\\ver210_5_4_1\\AOLSP Scheduler.exe"
"sscRun"="C:\\Program Files\\Common Files\\AOL\\1102882279\\ee\\SSCRun.exe"
"OASClnt"="C:\\Program Files\\mcafee.com\\antivirus\\oasclnt.exe"
"EmailScan"="C:\\Program Files\\mcafee.com\\antivirus\\mcvsescn.exe"
"BootService"="rundll32.exe \"C:\\WINDOWS\\dddefg.dll\",realset"
"MPFExe"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"
"MPSExe"="C:\\Program Files\\mcafee.com\\MPS\\mscifapp.exe /embedding"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"PlayCenter2"="\"C:\\Program Files\\Creative\\SBLive\\PlayCenter2\\MDEntry.EXE\" \"C:\\Program Files\\Creative\\SBLive\\PlayCenter2\""
"SetDefaultMIDI"="MIDIDEF.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="?A????????????????????Ÿ????????????? A???????????????? A?C C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}"="WaitWain for Windows"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoCDBurning"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dx7wiz

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll, xlibgfl254.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- Hosts -----------------------------------------------------------------------

127.0.0.1 localmachine # ***Inserted By STOPzilla***
127.0.0.1 teen-biz.com # ***Inserted By STOPzilla***
127.0.0.1 coolwebsearch.com # ***Inserted By STOPzilla***
127.0.0.1 search4www.com # ***Inserted By STOPzilla***
127.0.0.1 best4all.net # ***Inserted By STOPzilla***
127.0.0.1 zonebest.com # ***Inserted By STOPzilla***
127.0.0.1 all-websearch.com # ***Inserted By STOPzilla***
127.0.0.1 www.nude-teens-bodies.com # ***Inserted By STOPzilla***
127.0.0.1 picslab.com # ***Inserted By STOPzilla***
127.0.0.1 teen-fantazi.com # ***Inserted By STOPzilla***

48 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2007-04-06 at 15:55:02 ---------

HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 4:03:10 PM, on 4/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\mcafee.com\MPS\mscifapp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\shellmon.exe
c:\program files\common files\aol\1102882279\ee\anotify.exe
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CFLFMY3P\drf1175898777[1].htm.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hjt\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {fbce0e11-b870-4674-922e-cbd7a10661d6} - C:\WINDOWS\system32\dx7wiz.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gwiz] C:\Documents and Settings\Owner\Application Data\21305.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102882279\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\dddefg.dll",realset
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\mcafee.com\MPS\mscifapp.exe /embedding
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127370753156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151518166937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://courthouse.p...emote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: ?A????????????????????Ÿ????????????? A???????????????? A?C C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: dx7wiz - C:\WINDOWS\SYSTEM32\dx7wiz.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

#5 Markka

Advanced Member

Banned
784 posts

Posted 07 April 2007 - 04:15 AM

Hello

Before we'll continue I would like you to too upload few malware files for further inspection.

Make your hidden files visible:

Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

Please go here to upload a suspicious file for analysis.

Enter your username from this forum
Copy and paste the link to this thread
- Click "Browse" on the 1. field.
  Browse to the following file and click the file with your mouse, press "Open"
  C:\WINDOWS\system32\dx7wiz.dll
In the comments, please mention that I asked you to upload this file
Click on Send File

Thank you

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens,Click Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
- C:\WINDOWS\system32\dx7wiz.dll
- C:\WINDOWS\system32\ziw7xd.*
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Please download FindAWF by noahdfear and save it to your desktop.
Double-click on FindAWF.exe. The program will start, press any key to continue and after that you can start the scan. When it finished the log will open and save that log to your desktop.

Post:
- A fresh HijackThis log
- Contents of C:\vundofix.txt
- Logfile of SmitfraudFix
- Logfile of FindAWF

#6 DrewDunk

New Member

Authentic Member
13 posts

Posted 08 April 2007 - 07:37 PM

Thanks. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:31 PM, on 4/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\mps\mscifapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hjt\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {fbce0e11-b870-4674-922e-cbd7a10661d6} - C:\WINDOWS\system32\dx7wiz.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gwiz] C:\Documents and Settings\Owner\Application Data\47106.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102882279\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\mcafee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\nnkhif.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127370753156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151518166937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://courthouse.p...emote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: ?A????????????????????Ÿ????????????? A???????????????? A?C C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

VUNDOFIX LOG:

VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 3:16:19 PM 4/6/2007

Listing files found while scanning....

C:\WINDOWS\System32\tmp168.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\tmp168.tmp.dll
C:\WINDOWS\System32\tmp168.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:26:33 PM 4/6/2007

Listing files found while scanning....

VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 6:57:11 PM 4/8/2007

Listing files found while scanning....

C:\WINDOWS\System32\tmp77.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dx7wiz.dll
C:\WINDOWS\system32\dx7wiz.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\tmp77.tmp.dll
C:\WINDOWS\System32\tmp77.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

SMITFRAUDFIX (RAPPORT) LOG:

SmitFraudFix v2.166

Scan done at 19:15:11.64, Sun 04/08/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\mps\mscifapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=hex(1):D8,ae,1b,00,12,00,02,00,00,01,10,00,68,29,16,00,e8,fd,18,\
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: MAC Bridge Miniport - Packet Scheduler Miniport
DNS Server Search Order: 66.75.164.90
DNS Server Search Order: 66.75.164.89

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AE940D9A-71FC-4C8A-B066-DDF2671BB1CB}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AE940D9A-71FC-4C8A-B066-DDF2671BB1CB}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AE940D9A-71FC-4C8A-B066-DDF2671BB1CB}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

FINDAWF LOG:

Find AWF report by noahdfear ©2006

bak folders found
~~~~~~~~~~~

Directory of C:\WINDOWS\BAK

05/11/2000 01:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\HP\BIN\BAK

0 File(s) 0 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 01:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\AMERIC~1.0A\BAK

07/12/2005 07:17 AM 50,776 AOL.EXE
1 File(s) 50,776 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

03/02/2007 04:24 PM 257,088 iTunesHelper.exe
1 File(s) 257,088 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/16/2007 11:54 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 10:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 05:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

09/09/2002 08:05 AM 114,688 hkcmd.exe
1 File(s) 114,688 bytes

Directory of C:\DOCUME~1\OWNER\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

10/18/2006 11:45 AM 190,464 GoogleDesktop.exe
1 File(s) 190,464 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/17/2002 06:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

12/18/2003 02:37 PM 184,320 DVDBitSet.exe
09/03/2004 10:14 AM 57,344 DVDTray.exe
2 File(s) 241,664 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

11/19/2004 02:00 PM 1,343,488 MpfTray.exe
1 File(s) 1,343,488 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

01/18/2005 11:50 AM 11,776 mimboot.exe
1 File(s) 11,776 bytes

Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK

05/07/2004 04:54 PM 99,480 PortAOL.exe
1 File(s) 99,480 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\121128~1.546\BAK

02/15/2007 11:35 AM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

06/18/2002 12:11 AM 69,632 hpqcmon.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

10/30/2004 09:59 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

04/13/2004 03:36 PM 1,470,464 DrgToDsc.exe
1 File(s) 1,470,464 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\110288~1\EE\BAK

09/25/2006 05:52 PM 50,736 AOLSoftware.exe
1 File(s) 50,736 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
38000 May 7 2004 "C:\Program Files\America Online 9.0\aol.exe"
50736 Jan 23 2007 "C:\Program Files\AOL 9.0\aol.exe"
50776 Jul 12 2005 "C:\Program Files\America Online 9.0a\bak\AOL.EXE"
257088 Mar 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
257088 Mar 2 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 23 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
36636224 Sep 24 2006 "C:\Documents and Settings\Owner\Desktop\Drew's Stuff\recorder software\iTunesSetup 7.0.0.70.exe"
116288 Mar 23 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
114688 Sep 9 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Sep 9 2002 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
52272 Feb 15 2007 "C:\Program Files\Google\googletoolbar4user.exe"
458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"
1846584 Mar 19 2007 "C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe"
138168 Feb 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
190464 Oct 18 2006 "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
1862144 Mar 19 2007 "C:\Program Files\Google\Google Desktop Search\gcdtmp1\GoogleDesktopSetupHelper.exe"
1862144 Mar 19 2007 "C:\Program Files\Google\Google Desktop Search\gcdtmp2\GoogleDesktopSetupHelper.exe"
171448 Feb 15 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
184320 Dec 18 2003 "C:\Program Files\HP DVD\Umbrella\bak\DVDBitSet.exe"
57344 Sep 3 2004 "C:\Program Files\HP DVD\Umbrella\bak\DVDTray.exe"
992808 Mar 7 2006 "C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe"
1343488 Nov 19 2004 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
11776 Jan 18 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe"
11776 Feb 5 2005 "C:\Program Files\MUSICMATCH\Musicmatch Update\MMJB\mimboot.exe"
99480 May 7 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
52272 Feb 15 2007 "C:\Program Files\Google\googletoolbar4user.exe"
458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"
1846584 Mar 19 2007 "C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe"
138168 Feb 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
190464 Oct 18 2006 "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
1862144 Mar 19 2007 "C:\Program Files\Google\Google Desktop Search\gcdtmp1\GoogleDesktopSetupHelper.exe"
1862144 Mar 19 2007 "C:\Program Files\Google\Google Desktop Search\gcdtmp2\GoogleDesktopSetupHelper.exe"
171448 Feb 15 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
69632 Jun 18 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
32881 Oct 30 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
1470464 Apr 13 2004 "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
1470464 Apr 13 2004 "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe"
1470464 Apr 13 2004 "C:\CDs\Roxio Easy Media Creator 7\Disc 1\Roxio_Program (E)\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1102882279\EE\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1102882279\EE\bak\AOLSoftware.exe"

end of report

#7 Markka

Advanced Member

Banned
784 posts

Posted 09 April 2007 - 12:15 PM

Hello

Open Notepad
-> copy the following lines into a new document:

@ECHO OFF
move /Y "C:\WINDOWS\bak\UpdReg.EXE" "C:\WINDOWS"
move /Y "C:\hp\KBD\bak\KBD.EXE""C:\hp\KBD"
move /Y "C:\Program Files\America Online 9.0a\bak\AOL.EXE" "C:\Program Files\America Online 9.0a"
move /Y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"
move /Y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
move /Y "C:\WINDOWS\SMINST\bak\RECGUARD.EXE" "C:\WINDOWS\SMINST"
move /Y "C:\WINDOWS\system\bak\hpsysdrv.exe" "C:\WINDOWS\system"
move /Y "C:\WINDOWS\system32\bak\hkcmd.exe" "C:\WINDOWS\system32"
move /Y "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe" "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox"
move /Y "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe" "C:\Program Files\Pure Networks\Port Magic"
move /Y "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe" "C:\Program Files\Common Files\Sonic\Update Manager"
move /Y "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe" "C:\Program Files\Google\Google Desktop Search"
move /Y "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe" "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload"
move /Y "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe" "C:\Program Files\Java\j2re1.4.2_03\bin"
move /Y "C:\Program Files\Common Files\AOL\1102882279\EE\bak\AOLSoftware.exe" "C:\Program Files\Common Files\AOL\1102882279\EE"
move /Y "C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK\hpgs2wnd.exe" "C:\PROGRA~1\HEWLET~1\HPSHAR~1"
move /Y "C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK\DVDBitSet.exe" "C:\PROGRA~1\HPDVD~1\UMBRELLA"
move /Y "C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK\DVDTray.exe" "C:\PROGRA~1\HPDVD~1\UMBRELLA"
move /Y "C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK\MpfTray.exe" "C:\PROGRA~1\MCAFEE.COM\PERSON~1"
move /Y "C:\PROGRA~1\GOOGLE\GOOGLE~3\121128~1.546\BAK\GoogleToolbarNotifier.exe" "C:\PROGRA~1\GOOGLE\GOOGLE~3\121128~1.546"
move /Y "C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK\DrgToDsc.exe" "C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1"

Save the document to your desktop as Fix.bat and filetype: All Files

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Don't run it yet!

Please download ATF-cleaner and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please then reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Go to your desktop and run the file Fix.bat and answer yes to any questions.

Run a scan with Dr.Web CureIt

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode

Re-run with FindAWF.

Post:
- A fresh HijackThis log
- Report of Dr.web Cureit
- Logfile of FindAWF

#8 DrewDunk

New Member

Authentic Member
13 posts

Posted 10 April 2007 - 10:49 AM

Thanks again.

Here is the HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:00 AM, on 4/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\shellmon.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {fbce0e11-b870-4674-922e-cbd7a10661d6} - C:\WINDOWS\system32\dx7wiz.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gwiz] C:\Documents and Settings\Owner\Application Data\47106.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102882279\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\mcafee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\nnkhif.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127370753156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151518166937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://courthouse.p...emote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: ?A????????????????????Ÿ????????????? A???????????????? A?C C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

DR WEB CUREIT LOG:

DRWEB said it did not find anything and would not allow me the option to print a log.

FINDAWF LOG:

Find AWF report by noahdfear ©2006

bak folders found
~~~~~~~~~~~

Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\HP\BIN\BAK

0 File(s) 0 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 01:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\AMERIC~1.0A\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\DOCUME~1\OWNER\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\121128~1.546\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\110288~1\EE\BAK

0 File(s) 0 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"

end of report

#9 Markka

Advanced Member

Banned
784 posts

Posted 11 April 2007 - 12:12 PM

Hello and sorry for the delay.

Open Notepad
-> copy the following lines into a new document:

@echo off
RD /s /q "C:\WINDOWS\bak"
RD /s /q "C:\hp\KBD\bak"
RD /s /q "C:\Program Files\America Online 9.0a\bak"
RD /s /q "C:\Program Files\iTunes\bak"
RD /s /q "C:\Program Files\QuickTime\bak"
RD /s /q "C:\WINDOWS\SMINST\bak"
RD /s /q "C:\WINDOWS\system\bak"
RD /s /q "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak"
RD /s /q "C:\Program Files\Pure Networks\Port Magic\bak"
RD /s /q "C:\Program Files\Common Files\Sonic\Update Manager\bak"
RD /s /q "C:\Program Files\Google\Google Desktop Search\bak"
RD /s /q "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak"
RD /s /q "C:\Program Files\Java\j2re1.4.2_03\bin\bak"
RD /s /q "C:\Program Files\Common Files\AOL\1102882279\EE\bak"

Save the document to your desktop as Fix.bat and filetype: All Files

Do not run the Fix.bat file yet!

Please then reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Go to here: C:\hp\KBD\bak\KBD.EXE
Move that KBD.EXE to here: C:\hp\KBD

Go to your desktop and run the file Fix.bat and answer yes to any questions.

Reboot in normal mode!

Re-run with FINDAWF.

Post:
- A fresh HijackThis log
- Logfile of FINDAWF

#10 DrewDunk

New Member

Authentic Member
13 posts

Posted 11 April 2007 - 06:46 PM

Thanks again for the help. Here are the logs:

Find AWF report by noahdfear ©2006

bak folders found
~~~~~~~~~~~

Directory of C:\HP\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\DOCUME~1\OWNER\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\121128~1.546\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

0 File(s) 0 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:41:02 PM, on 4/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\mcafee.com\MPS\mscifapp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\Virus Fix DREW\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {fbce0e11-b870-4674-922e-cbd7a10661d6} - C:\WINDOWS\system32\dx7wiz.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gwiz] C:\Documents and Settings\Owner\Application Data\47106.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102882279\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\mcafee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\nnkhif.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127370753156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151518166937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://courthouse.p...emote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O20 - AppInit_DLLs: ?A????????????????????Ÿ????????????? A???????????????? A?C C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

Advertisements

Register to Remove

#11 Markka

Advanced Member

Banned
784 posts

Posted 12 April 2007 - 12:22 PM

Hello

Ewido is nowdays AVG Anti-Spyware so you're using an outdated version. Go to contol panel -> add/remove programs -> delete this: ewido anti-malware

Reboot!

Delete this folder:
C:\Program Files\ewido anti-malware

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~v

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"gwiz"=-
"BootService"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dx7wiz]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fbce0e11-b870-4674-922e-cbd7a10661d6}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}"=- 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

It should look like this -> Posted Image

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Open HijackThis, Click Do a system scan only, checkmark these. Then close all others windows except HijackThis and press fix checked.

O2 - BHO: (no name) - {fbce0e11-b870-4674-922e-cbd7a10661d6} - C:\WINDOWS\system32\dx7wiz.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\nnkhif.dll",realset
O4 - HKLM\..\Run: [gwiz] C:\Documents and Settings\Owner\Application Data\47106.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make your hidden files visible:

Click start
Click my computer
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please download ATF-cleaner and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please then reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Delete these files: (if found)
C:\WINDOWS\nnkhif.dll
C:\Documents and Settings\Owner\Application Data\47106.exe

Use the Windows "search" tool
Start->Search
-> All files and folders
Click More advanced options

Checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"

->Search for these and delete if found: ntoskrnl.dll and xlibgfl254.dll

Delete these folders: (if found)
C:\HP\BIN\BAK
C:\Program files\MESSEN~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\Documents and settings\OWNER\Application data\BAK
C:\Program files\HEWLET~1\HPSHAR~1\BAK
C:\Program files\HPDVD~1\UMBRELLA\BAK
C:\Program files\MCAFEE.COM\PERSON~1\BAK
C:\Program files\GOOGLE\GOOGLE~3\121128~1.546\BAK
C:\Program files\ROXIO\EASYME~1\DRAGTO~1\BAK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Create a new folder named REG to C-drive (C:\REG)
Download SWReg by Bobbi Flekman and save it to the C:\REG folder.

Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and Save as:

Name the file check.bat
Save as Type: All files
Select the desktop icon on the left to save it to the C:\REG folder.

SWREG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" C:\REG\result.reg

Now Go to My computer and navigate to the C:\REG folder. You should now have two files there; swreg.exe and check.bat
Doubleclick on check.bat and let the file run if prompted. A window will open and close.

A third file named result.reg should appear to the C:\REG folder.

Now I need you to upload that result.reg for analysis.

Please go to this forum
There's no need to register. Just start a new topic, titled "Registry export for Markka".
Copy the link of this topic to the message.

Use the Attachment box to upload the C:\REG\result.reg file.

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself) as they only show to the authorised users who can download them

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re-run wtih FINDAWF!

Post:
- A fresh HijackThis log
- AVG's log
- Logfile of FINDAWF

#12 DrewDunk

New Member

Authentic Member
13 posts

Posted 14 April 2007 - 09:01 AM

Wow. Thanks so much for all the help! Here are the logs:

HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 7:57:53 AM, on 4/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\mcafee.com\MPS\mscifapp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\Virus Fix DREW\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102882279\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\mcafee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127370753156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151518166937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://courthouse.p...emote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: ?A????????????????????Ÿ????????????? A???????????????? A?C C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

AVG LOG

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:16:10 AM 4/14/2007

+ Scan result:

C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP438\A0066565.dll -> Downloader.ConHook : Cleaned with backup (quarantined).
C:\VundoFix Backups\dx7wiz.dll.bad -> Downloader.ConHook : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP434\A0066406.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP429\A0066137.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP438\A0066566.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\VundoFix Backups\tmp168.tmp.dll.bad -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\VundoFix Backups\tmp77.tmp.dll.bad -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\tmp77.tmp.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

FINDAWF LOG

Find AWF report by noahdfear ©2006

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

#13 Markka

Advanced Member

Banned
784 posts

Posted 15 April 2007 - 10:31 PM

Hello and sorry for the delay

Delete this folder:
C:\Program files\MESSEN~1\BAK

We need to delete Google toolbar and Google desktop search, because one line which is related to Google has infected and you can re-install them when your computer is clean

Go to control panel -> add/remove programs -> delete this/these:
Google toolbar
Google desktop search

Panda online scanner works only with IE!

Please go HERE to run PandaActiveScan...
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Post:
- A fresh HijackThis log
- Report of Panda

#14 DrewDunk

New Member

Authentic Member
13 posts

Posted 17 April 2007 - 10:36 AM

Again, many thanks. I had some difficulty removing the Google Desktop Search. Apparently, this is a known issue. Finally, I wound up removing the registry keys and manually deleting the directory files.

I ran Panda overnight, but it didn't appear to complete its scan (the progress bar stopped about half-way through) and I could not get Panda to print a report. I noted that it found and disinfected a single virus, but I don't know which virus it found.

I rebooted and ran Panda a second time, but no virus was found. The report follows:

Incident Status Location

Adware:adware/sbsoft Not disinfected c:\windows\downloaded program files\webdlg32.inf
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvvht1ct.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tickle[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@yadro[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\Virus Fix DREW\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\Virus Fix DREW\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\Virus Fix DREW\smitrem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\Virus Fix DREW\smitrem\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\Virus Fix DREW\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe

HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 9:30:09 AM, on 4/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\mcafee.com\MPS\mscifapp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Common Files\AOL\1102882279\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Virus Fix DREW\HijackThis.exe

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102882279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102882279\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\mcafee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127370753156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151518166937
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://courthouse.p...emote/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D2259E5-6548-40FD-8BB4-BDBD1EE741D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: ?A????????????????????Ÿ????????????? A???????????????? A?C
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102882279\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

#15 Markka

Advanced Member

Banned
784 posts

Posted 18 April 2007 - 06:26 AM

Hello

Open HijackThis, Click Do a system scan only, checkmark this. Then close all others windows except HijackThis and press fix checked.
O20 - AppInit_DLLs: ?A????????????????????Ÿ????????????? A???????????????? A?C

Post:
- A fresh HijackThis log

And btw. how is your computer running now?

Body Background

skin color theme