# Solved: Trojan.vundo virus in my laptop



## Black_Dragon (May 8, 2007)

Hi, I'm suffering with the Trojan.Vundo virus on my laptop.
I think this was due to a P2P connection I made to download a movie.
My Norton AV detects it and pops up on the desktop, but it's unable to quarantine it.
I have tried most spyware detectors but in vain; the problem still exists.

The pop-up window shows:
c:\windows\system32\ddaya.dll trojan.vundo virus
c:\windows\system32\fccbcaa.dll trojan.vundo virus

And I think, due to this, my system performance has dropped to a much lower level.
I have read the topics on this forum and came to post my HijackThis log file here.

Please check my log and suggest the process to remove the trojans, and give me some tips to improve my system performance.

Thanks a lot for the help, in advance.

These are my log details:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:42 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E2B9878-3872-4EEC-8FB5-3B0DA11DD672} - (no file)
O2 - BHO: (no name) - {1C78AF95-FC58-4E4A-AE93-51261D5D6472} - C:\WINDOWS\system32\fccbcaa.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: TBSB08057 Class - {75E5BE62-491C-43D1-9AA0-764A88CF2D32} - C:\PROGRA~1\VCRICK~1.COM\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O2 - BHO: (no name) - {EB41590C-0F3A-417D-BCC7-7299AA138D70} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SvcManager] mdmex4.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\ygjurdit.dll",realset
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
O20 - Winlogon Notify: fccbcaa - C:\WINDOWS\SYSTEM32\fccbcaa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
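
A small triage script for the HijackThis entries posted above, written as an added example for this thread (it is not HijackThis, VundoFix, or anything posted by the participants). It parses the O2, O4 and O20 line formats from the log, flags the pattern the two Vundo DLLs show (an unnamed BHO that is also registered as a Winlogon Notify package), and derives the reversed-stem companion file names that VundoFix later reports beside ddaya.dll; the Winlogon Notify allowlist is a constructed assumption.

```python
"""Triage of HijackThis (HJT) log entries for Vundo-style persistence."""
from __future__ import annotations

import re

# Constructed excerpt of the entries posted in this thread, limited to the
# three sections (O2, O4, O20) the heuristics below look at.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0E2B9878-3872-4EEC-8FB5-3B0DA11DD672} - (no file)
O2 - BHO: (no name) - {1C78AF95-FC58-4E4A-AE93-51261D5D6472} - C:\WINDOWS\system32\fccbcaa.dll
O2 - BHO: (no name) - {EB41590C-0F3A-417D-BCC7-7299AA138D70} - C:\WINDOWS\system32\ddaya.dll
O4 - HKLM\..\Run: [SvcManager] mdmex4.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\ygjurdit.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
O20 - Winlogon Notify: fccbcaa - C:\WINDOWS\SYSTEM32\fccbcaa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Winlogon Notify packages expected on this XP SP2 machine. Hand-built and
# partial (an assumption for the example), not an authoritative list.
KNOWN_NOTIFY = {"wgalogon"}

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
BHO_RE = re.compile(r"^BHO:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")
RUN_RE = re.compile(r"^HK(LM|CU)\\\.\.\\Run:\s+\[(.*?)\]\s+(.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(\S+)\s+-\s+(.*)$")


def basename(path: str) -> str:
    """Lower-case file name from a Windows path or a bare file name."""
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def parse(text: str) -> list[tuple[str, str]]:
    """Split an HJT log into (section, body) pairs, e.g. ("O20", "Winlogon Notify: ...")."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text: str) -> list[str]:
    """One finding per suspicious entry, plus a CROSS finding for every DLL
    that is both an unnamed BHO and a Winlogon Notify package: the combination
    ddaya.dll and fccbcaa.dll show in the posted log."""
    findings = []
    bho_dlls, notify_dlls = set(), set()
    for section, body in parse(text):
        if section == "O2" and (m := BHO_RE.match(body)):
            name, _clsid, path = m.groups()
            # A BHO with no display name but a real file on disk is worth a look.
            if name == "(no name)" and path != "(no file)":
                bho_dlls.add(basename(path))
                findings.append(f"O2: unnamed BHO loads {path}")
        elif section == "O4" and (m := RUN_RE.match(body)):
            _hive, key, cmd = m.groups()
            exe = cmd.split()[0].strip('"')
            if exe.lower().endswith("rundll32.exe"):
                findings.append(f"O4: [{key}] loads a DLL via rundll32: {cmd}")
            elif "\\" not in exe:
                # No directory: the log cannot tell us which file actually runs.
                findings.append(f"O4: [{key}] runs bare file name {exe}")
        elif section == "O20" and (m := NOTIFY_RE.match(body)):
            pkg, path = m.groups()
            if pkg.lower() not in KNOWN_NOTIFY:
                notify_dlls.add(basename(path))
                findings.append(f"O20: unknown Winlogon Notify package {pkg} -> {path}")
    for dll in sorted(bho_dlls & notify_dlls):
        findings.append(f"CROSS: {dll} is both an unnamed BHO and a Winlogon Notify DLL")
    return findings


def companion_names(dll_name: str) -> list[str]:
    """Names of the side files VundoFix lists next to ddaya.dll in this thread:
    the DLL stem reversed, with the .ini/.ini2/.bak1/.bak2/.tmp extensions."""
    stem = dll_name.lower().rsplit(".", 1)[0][::-1]
    return [f"{stem}.{ext}" for ext in ("ini", "ini2", "bak1", "bak2", "tmp")]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print("look for:", ", ".join(companion_names("ddaya.dll")))
```

The CROSS findings are the ones that matter most here: a single DLL wired into both the browser and the logon process is what lets Vundo reload before an on-demand scanner can remove it.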


----------



## DFW (Jun 12, 2004)

*Hello Black Dragon, My name is DFW and I will be assisting you with your malware issues today.*

Please be patient, as I need some time to review your HijackThis log, and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus there may be a tiny bit of a delay between posts, but it shouldn't be too long.

Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
Please bookmark or favourite this page, in case you need it as a reference.


----------



## Black_Dragon (May 8, 2007)

Thanks for your response.
I'll keep in touch with the thread and follow your instructions.


----------



## DFW (Jun 12, 2004)

Hi Black Dragon,

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it. 
Click the *Scan for Vundo* button. 
Once it's done scanning, click the *Remove Vundo* button. 
You will receive a prompt asking if you want to remove the files, click *YES* 
Once you click yes, your desktop will go blank as it starts removing Vundo. 
When completed, it will prompt that it will reboot your computer, click *OK*. 
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log. 
Note: It is possible that VundoFix encountered a file it could not remove. 
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.

*Next*

*Download SDFix and save it to your Desktop.*

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer 
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; 
Instead of Windows loading as normal, the Advanced Options Menu should appear; 
Select the first option, to run Windows in Safe Mode, then press *Enter*. 
Choose your usual account. 

 Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the cleanup process. 
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons. 
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to Clipboard ready for posting back on the forum). 
*Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.*

*Please post the Vundo Log, the SDfix Log and a new HJT Log*



----------



## Black_Dragon (May 8, 2007)

Hi DFW,
I have followed your instructions and ran the first part.
VundoFix.exe identified the Trojan.Vundo file ddaya.dll, one of the viruses I specified, and removed it from the system.

But it was unable to identify the second one, fccbcaa.dll; it still comes up in the pop-ups.

And for the second part, while restarting in Safe Mode, my system displayed loading all the system files, and after that the screen went blank, with "Safe Mode" text at all four corners of the screen.
I waited many minutes, but no use.
The blank screen showed nothing.

I'm presenting the VundoFix log and the HijackThis log after running the first part.

Please check this and suggest a cure for my system problem.

And one more thing: my system is performing very slowly while booting.
Is it because of these viruses, or something else?

VundoFix Log:

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 10:30:03 PM 5/9/2007

Listing files found while scanning....

C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ayadd.bak2
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\ayadd.tmp
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ycwmjqjw.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ayadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ayadd.bak2
C:\WINDOWS\system32\ayadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\ayadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ayadd.tmp
C:\WINDOWS\system32\ayadd.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ddaya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ycwmjqjw.dll
C:\WINDOWS\system32\ycwmjqjw.dll Has been deleted!

Performing Repairs to the registry.
Done!

HijackThis log of my system:

Logfile of HijackThis v1.99.1
Scan saved at 11:22:16 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E2B9878-3872-4EEC-8FB5-3B0DA11DD672} - (no file)
O2 - BHO: (no name) - {1C78AF95-FC58-4E4A-AE93-51261D5D6472} - C:\WINDOWS\system32\fccbcaa.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: TBSB08057 Class - {75E5BE62-491C-43D1-9AA0-764A88CF2D32} - C:\PROGRA~1\VCRICK~1.COM\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8FE5AC93-1315-4DBE-B2BC-1CE7D6EBADD1} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SvcManager] mdmex4.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\ygjurdit.dll",realset
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O20 - Winlogon Notify: fccbcaa - C:\WINDOWS\SYSTEM32\fccbcaa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared

files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program

Files\Intel\Wireless\Bin\WLKeeper.exe

Please help me in solving the "SAFEMODE" problem my system is facing.


----------



## DFW (Jun 12, 2004)

Your system slowness is probably down to the malware you have; let's see how it is once you're clean.

*Ok let's try this*


*Download* *avz4en.zip* 
Unzip it to a folder on your desktop 
Double click on *AVZ.exe* 
Click on the *file* tab and then click on *System recovery*. 
Put a checkmark next to *Restore SafeBoot registry keys*. 
Click on *Execute selected operations*. 

Please visit www.uploadmalware.com.
Enter your username in the first field. 
In the 2nd field, include a link to this thread http://forums.techguy.org/security/571105-trojan-vundo-virus-my-laptop.html#post4706084 
Press the *Browse* button next to the first *File(s) To Submit*: field. 
Browse to the following file and upload it: 
* C:\WINDOWS\system32\fccbcaa.dll*


Double-click *VundoFix.exe* to run it. 
Click the *Scan for Vundo* button. 
Once the scan is complete, right-click inside the listbox (white box) and click Add More Files.
Copy & paste the entry below into the top 2 boxes:
*C:\WINDOWS\system32\fccbcaa.dll*


Click Add Files and click Close Window.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click *OK*.
Please post the contents of C:\*vundofix.txt* and a *new HiJackThis log*.

Note: It is possible that VundoFix encountered a file it could not remove. 
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.

Now try and reboot your computer in *Safe Mode* by doing the following :
Restart your computer 
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; 
Instead of Windows loading as normal, the Advanced Options Menu should appear; 
Select the first option, to run Windows in Safe Mode, then press *Enter*. 
Choose your usual account. 

Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
*Finally paste the contents of the Report.txt back on the forum with a new HijackThis log*

*Please post the SDfix Log, vundo log again and a new HJT Log*

The last HJT Log you posted was hard to read, This may be because you need to alter a setting in Notepad.

Click Start, click All Programs

Click Accessories, click Notepad

Click Format on the menu bar and click Wordwrap so it appears unchecked or unticked.



----------



## Black_Dragon (May 8, 2007)

Hi DFW,
I have done the same as you specified to me in the previous post...

Now the popup for the trojan.vundo has gone, but I am still facing the problem in booting in "SAFE MODE"...

The screen goes blank with "safemode" text at all the four corners...

Shall I reboot in DOS mode for the safe boot??

Here is the VundoFix log...

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 11:43:49 PM 5/10/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fccbcaa.dll
C:\WINDOWS\system32\fccbcaa.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fccbcaa.dll
C:\WINDOWS\system32\fccbcaa.dll Has been deleted!

Performing Repairs to the registry.
Done!

And here is the HJT log... as you asked me to make the changes to Notepad, I have done the same and am presenting the log to you...

Logfile of HijackThis v1.99.1
Scan saved at 12:12:59 AM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\EditPlus 2\editplus.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E2B9878-3872-4EEC-8FB5-3B0DA11DD672} - (no file)
O2 - BHO: (no name) - {1C78AF95-FC58-4E4A-AE93-51261D5D6472} - C:\WINDOWS\system32\fccbcaa.dll (file missing)
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: TBSB08057 Class - {75E5BE62-491C-43D1-9AA0-764A88CF2D32} - C:\PROGRA~1\VCRICK~1.COM\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8FE5AC93-1315-4DBE-B2BC-1CE7D6EBADD1} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SvcManager] mdmex4.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\ygjurdit.dll",realset
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Please go through this log and suggest the things to be done in order to remove the remaining malware and their registry entries from my system...

And suggest something to be done so that my system starts in safe mode with the display screen working?


----------



## DFW (Jun 12, 2004)

*Hi Black Dragon, let's try this, then we can look at the safe boot problem*

*Reconfigure Windows XP to show hidden files:* 
Double-click the My Computer icon on the Windows desktop.  
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".  
Uncheck the "Hide protected operating system files (recommended)" option. 
Uncheck the "Hide file extensions for known file types" option. 
Click Yes to confirm. Click OK.

*Open up Hijackthis *
Click on do a system scan only. 
Place a checkmark next to these lines (if still present):

*O2 - BHO: (no name) - {0E2B9878-3872-4EEC-8FB5-3B0DA11DD672} - (no file)
O2 - BHO: (no name) - {1C78AF95-FC58-4E4A-AE93-51261D5D6472} - C:\WINDOWS\system32\fccbcaa.dll (file missing)
O2 - BHO: (no name) - {8FE5AC93-1315-4DBE-B2BC-1CE7D6EBADD1} - C:\WINDOWS\system32\ddaya.dll (file missing)
O4 - HKLM\..\Run: [SvcManager] mdmex4.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\ygjurdit.dll",realset
*

Then close all windows except Hijackthis and click *Fix Checked*

*Delete suspect files/folders* 
Using Windows Explorer, browse for the following files/folders and delete as instructed 
NB Some files may have already been deleted by earlier actions so don't worry if you do not see them:

FILES

C:\WINDOWS\system32\mdmex4.exe 
C:\WINDOWS\system32\autosys.exe
C:\WINDOWS\system32\ygjurdit.dll

*If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete. 
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the filename is in there, highlight it and click End Process, 
then retry Delete. Note the name and location of any file you cannot delete*.

*Please post a new HJT Log,*
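As an added example (not part of this thread, and not code from HijackThis, VundoFix or SDFix), the Python script below applies the reasoning behind the lines DFW picked out to a constructed HJT log: BHOs whose DLL is gone, Run entries that are bare filenames or rundll32 loading a system32 DLL, Winlogon Notify packages outside a small allow-list, and the Vundo-style pairing of one DLL registered both as a BHO and as a Notify package. The allow-list, the severity labels and the sample lines are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format: benign entries from the thread mixed with
# the ones DFW asked to fix, plus stsystra.exe, a bare filename the helper left alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E2B9878-3872-4EEC-8FB5-3B0DA11DD672} - (no file)
O2 - BHO: (no name) - {1C78AF95-FC58-4E4A-AE93-51261D5D6472} - C:\WINDOWS\system32\fccbcaa.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SvcManager] mdmex4.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\ygjurdit.dll",realset
O20 - Winlogon Notify: fccbcaa - C:\WINDOWS\SYSTEM32\fccbcaa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RUN_VALUE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
SYSTEM32_DLL = re.compile(r'\\system32\\(?P<dll>[^\\"]+\.dll)', re.IGNORECASE)
MISSING = ("(no file)", "(file missing)")
# Allow-list for O20 entries: WgaLogon.dll is Microsoft's Windows Genuine Advantage notifier.
# The list is an assumption of this example; extend it for your own environment.
KNOWN_NOTIFY = {"wgalogon.dll"}


@dataclass
class Entry:
    section: str   # "O2", "O4", "O20", ...
    body: str      # text after "O2 - "
    raw: str       # the full log line


@dataclass
class Finding:
    severity: str  # "fix": strong sign of the infection; "review": needs a human look
    entry: Entry
    reason: str


def parse_log(text: str) -> list:
    """Turn HJT log lines into Entry objects; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body"), line.strip()))
    return entries


def analyze(text: str) -> list:
    """Apply the thread's reasoning to a log and return the flagged entries."""
    findings = []
    bho_dlls, notify_dlls = {}, {}
    for e in parse_log(text):
        if e.section == "O2" and e.body.startswith("BHO:"):
            if e.body.endswith(MISSING):
                findings.append(Finding("fix", e, "BHO registered but its DLL is gone (orphan left by the cleaner)"))
            m = SYSTEM32_DLL.search(e.body)
            if m:
                bho_dlls[m.group("dll").lower()] = e
        elif e.section == "O4":
            m = RUN_VALUE.match(e.body)
            if not m:
                continue  # Global Startup and other O4 forms are not handled here
            cmd = m.group("cmd").strip()
            r = RUNDLL.match(cmd)
            if r:
                if SYSTEM32_DLL.search(r.group("dll")):
                    findings.append(Finding("review", e, "rundll32 loads a system32 DLL at logon; check the DLL's publisher"))
            elif "\\" not in cmd.split()[0].strip('"'):
                findings.append(Finding("review", e, "bare filename resolved via the search path; locate it and check its publisher"))
        elif e.section == "O20" and e.body.startswith("Winlogon Notify:"):
            m = SYSTEM32_DLL.search(e.body)
            if m and m.group("dll").lower() not in KNOWN_NOTIFY:
                notify_dlls[m.group("dll").lower()] = e
                findings.append(Finding("review", e, "Winlogon Notify package outside the allow-list"))
    # The Vundo pattern in this thread: one DLL registered both as a BHO and as a Winlogon
    # Notify package, so it loads inside the browser and again at every logon.
    for dll in bho_dlls.keys() & notify_dlls.keys():
        findings.append(Finding("fix", notify_dlls[dll], f"{dll} is both a BHO and a Winlogon Notify package (dual persistence)"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry.raw}\n         {f.reason}")
```

Entries marked "review" (stsystra.exe, for instance) are not verdicts; they are the lines a helper would look at by hand, exactly as DFW did before choosing which ones to fix.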


----------



## Black_Dragon (May 8, 2007)

Hi,
I have done the same as you specified...

I have deleted the file C:\WINDOWS\system32\mdmex4.exe,
but the remaining two files were not found...

Now I'm attaching the HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 12:16:54 AM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: TBSB08057 Class - {75E5BE62-491C-43D1-9AA0-764A88CF2D32} - C:\PROGRA~1\VCRICK~1.COM\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Now please suggest the next thing to do...
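The O4 lines in the log above are the Run-key and Startup-folder autostarts, which is where a helper looks first for persistence. The following is an added example (not part of this thread or of HijackThis) that parses those lines and flags the properties worth a second look: a command that is a bare filename with no directory (the `stsystra.exe` entry), an executable living outside Windows or Program Files (the `Crammer` entry under Documents and Settings), and an unquoted Run command whose path contains spaces. The trusted-directory list and the sample log are assumptions constructed for the example; the sample is built from entries on this page with the Crammer path shortened.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example; not part of the forum thread or of HijackThis. It parses
O4 entries into (location, name, command, executable) and flags:
  - bare-filename: no directory in the command, so Windows resolves it
    through the PATH search order and the file's origin is unclear;
  - unusual-location: executable outside Windows / Program Files
    (user profiles, Documents and temp folders are common drop sites);
  - unquoted-space-path: registry Run command with spaces but no quotes,
    which is ambiguous to parse.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# 'O4 - HKLM\..\Run: [ccApp] "C:\...\ccApp.exe"'
REG_RE = re.compile(r'^O4 - (?P<where>HK.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# 'O4 - Global Startup: Foo.lnk = C:\...\foo.exe'
STARTUP_RE = re.compile(r'^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')

# Directories treated as expected homes for autostart executables
# (assumption for this example; tune to the machine's layout).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class O4Entry:
    where: str
    name: str
    command: str
    exe: str
    flags: List[str] = field(default_factory=list)


def split_exe(cmd: str) -> str:
    """Return the executable path from an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first '.exe' token boundary,
    # otherwise the first whitespace-delimited token.
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(entry: O4Entry) -> O4Entry:
    """Attach the review flags described in the module docstring."""
    low = entry.exe.lower()
    if "\\" not in entry.exe:
        entry.flags.append("bare-filename")
    elif not low.startswith(TRUSTED_ROOTS):
        entry.flags.append("unusual-location")
    # Quoting only matters for registry Run values; a Startup-folder line
    # shows the shortcut's resolved target, not a command string.
    is_registry = entry.where.startswith("HK")
    if is_registry and " " in entry.exe and not entry.command.lstrip().startswith('"'):
        entry.flags.append("unquoted-space-path")
    return entry


def parse_o4_log(text: str) -> List[O4Entry]:
    entries = []
    for line in text.splitlines():
        m = REG_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue  # not an O4 line, or a form this example does not handle
        cmd = m.group("cmd")
        entries.append(triage(O4Entry(m.group("where"), m.group("name"), cmd, split_exe(cmd))))
    return entries


def flags_by_name(text: str) -> Dict[str, List[str]]:
    return {e.name: e.flags for e in parse_o4_log(text)}


# Constructed sample: entries from this page's log, Crammer path shortened.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

if __name__ == "__main__":
    for e in parse_o4_log(SAMPLE_LOG):
        print(f"{e.where:>16} {e.name:<32} {e.exe}  {e.flags}")
```

A flag is a prompt to verify the file (publisher, location, hash against a known-good copy), not a verdict: the Dell QuickSet line is a legitimate vendor entry that happens to be unquoted, while the Crammer entry is the one a helper would ask about because of where it lives.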


----------



## DFW (Jun 12, 2004)

Hi Black Dragon

*Let's try and fix that safe boot problem again.*

*Download SafeBootKeyRepair*

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

Save it to your desktop.

Double click to run it, and follow the instructions.

*Download these tools to make sure you're good and clean*

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder, from HERE*

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner. 
1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program. 
2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files. 
3. On the main screen select the icon "Update" then select the "Update now" link. 
Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed. 
4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab. 
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". 
6. Under "Reports" 
Select "Automatically generate report after every scan" 
Un-Select "Only if threats were found" 
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode. 
On the main screen under Your Computer's security. 
Click on Change state next to Resident shield. It should now change to inactive.  
Click on Change state next to Automatic updates. It should now change to inactive. 

Do Not Run It Yet

Download CCleaner

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, 
back it up or move it to a permanent folder prior to running CCleaner! 

Download CCleaner to clean temp files from your computer.

http://www.ccleaner.com/download/downloadpage.aspx?f=2

Double click on the file to start the installation of the program. 
Select your language and click OK, then next. 
Read the license agreement and click I Agree. 
Click next to use the default install location. Click Install then finish to complete installation. 
Double click the CCleaner shortcut on the desktop to start the program. 
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. 
(If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit). 
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla. 
Click on the "Options" icon at the left side of the window, then click on "Advanced." 
Deselect "Only delete files in Windows Temp folders older than 48 hours." 
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.

Close CCleaner; we will run it later.

INFO http://www.ccleaner.com/help/tour/

Now boot into safe mode

Now Run CCleaner

Double click CCleaner icon on desktop 
Click on Run Cleaner 
Confirm to delete

Now close CCleaner

Run AVG
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process: 
2. Launch AVG Anti-Spyware by double clicking the icon on your desktop. 
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". 
4. AVG will now begin the scanning process. Please be patient as this may take a little time. 
Once the scan is complete, do the following: 
5. If you have any infections you will be prompted. Then select "Apply all actions." 
6. Next select the "Reports" icon at the top. 
7. Select the "Save report as" button in the lower left- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important). 
8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Post a HJT log and the AVG log and tell me how your system is now.


----------



## Black_Dragon (May 8, 2007)

Hi,
Sorry for the long delay...

Actually, I'm out of station...

Only today I have read the report again...

I have downloaded all the software you have specified...

and I have some doubts on this...

This CCleaner will delete all the content in the temp folder?
Will it delete the temporary internet files & the cookies?

And about the "SafeBootKeyRepair", it gave me a message saying all the files & settings for safe boot are fine...
and still I'm getting the problem of safe boot...!!!

Will it damage any system files? I mean, will it delete any system files?


----------



## DFW (Jun 12, 2004)

Hi Black_Dragon, glad you made it back.



> This CCleaner will delete all the content in the temp folder?
> Will it delete the temporary internet files & the cookies?


Yes, it will delete content in the temp folders and temporary internet files, which we need it to do, but look at the instructions when it comes to cookies, 
some of them you may wish to keep...



> Will it damage any system files? I mean, will it delete any system files?


No, CCleaner is safe, but as the instructions say, keep away from the Issues/Reg Cleaner if you're not sure what you are doing. This is 
a great tool for cleaning your system; none of the other tools will do any damage if you follow the instructions.

*We need to check your safemode reg entries.*

Click *Start* > *Run* > copy and paste the following command please:

*regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot"*

Click OK

Using windows explorer, please find this file:

*C:\look.txt* then post all of its contents at the end.

*Now Run CCleaner*

Double click CCleaner icon on desktop 
Click on Run Cleaner 
Confirm to delete

*Now close CCleaner*

*If you did not download AVG AS before download it and install please, if you have already installed it, then please update it*

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder, from HERE*


Install AVG Anti-Spyware by double clicking the installer. 
Follow the prompts. Make sure that *Launch AVG Anti-Spyware* is checked. 
On the main screen under *Your Computer's security*. 
Click on *Change state* next to *Resident shield*. It should now change to inactive. 
Click on *Change state* next to *Automatic updates*. It should now change to inactive. 
Next to *Last Update*, click on *Update now*. (You will need an active internet connection to perform this) 
Wait until you see the Update successful message. 

Right-click the AVG Anti-Spyware Tray Icon and uncheck *Start with Windows*. 
Right-click the AVG Anti-Spyware Tray Icon and select *Exit*. Confirm by clicking *Yes*. 
If you are having problems with the updater, you can use this link to manually update ewido. 
AVG Anti-Spyware manual updates. 
Download the *Full database* to your Desktop or to your usual Download Folder and install it by double clicking the file. 
Make sure that AVG Anti-Spyware is closed before installing the update.

*Run AVG AS*

Close ALL open Windows / Programs / Folders. Please start *AVG Anti-Spyware* and run a full scan. 

Click on *Scanner* on the toolbar. 
Click on the *Settings* tab. 
Under *How to act?* 
Click on *Recommended Action* and choose *Quarantine* from the popup menu. 

Under *How to scan?* 
All checkboxes should be ticked. 

Under *Possibly unwanted software:* 
All checkboxes should be ticked. 

Under *Reports:* 
Select *Automatically generate report after every scan* and uncheck *Only if threats were found*. 

Under *What to scan?* 
Select *Scan every file*. 


Click on the *Scan* tab. 
Click on *Complete System Scan* to start the scan process. 
Let the program scan the machine. 
When the scan has finished, follow the instructions below. 
*IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.* 
Make sure that *Set all elements to:* shows *Quarantine* *(1)*, if not click on the link and choose *Quarantine* from the popup menu. *(2)* 
At the bottom of the window click on the *Apply all Actions* button. *(3)* 

When done, click the *Save Scan Report* button. *(4)* 
Click the *Save Report as* button. 
Save the report to your Desktop. 

Right-click the AVG Anti-Spyware Tray Icon and select *Exit*. Confirm by clicking *Yes*.

Let's see what's left

*Kaspersky Online Scanner*

Go Here http://www.kaspersky.com/virusscanner

*Read the Requirements and limitations before you click Accept*. 
Allow the ActiveX download if necessary 
Once the database has downloaded, click Next. 
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK. 
*Click on "My Computer"* and then put the kettle on! 
*When the scan has completed, click Save Report As...* 
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt) 
*Click Save* - by default the file will be saved to your Desktop, but you can change this if you wish.

*Copy and paste the Kaspersky report* into your next reply along with a fresh HJT log, look.txt file, AVG AS log and a description of how your PC is behaving.


----------



## Black_Dragon (May 8, 2007)

Hey, DFW, sorry for the delay...
I had problems with my internet connection last week...

And here are the results of the operations done on my system, after following your instructions...

Here is the Look.txt file....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
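The look.txt above is what `regedit /e` writes for the SafeBoot tree, and the question it answers is whether the Minimal and Network driver-group and service entries Safe Mode needs are all still present. Below is an added example (not from this thread, from SafeBootKeyRepair or from regedit) that parses that export format and compares a suspect export against a reference export taken from a healthy machine of the same Windows version, reporting subkeys that are missing and default values that differ, and separately reporting the case where the whole SafeBoot tree is gone. Both exports in the block are constructed: the reference is a small subset of the keys posted above, and the suspect is the same text with two keys removed.

```python
"""Compare a regedit export of the SafeBoot key against a known-good one.

Added example; not part of the thread, of SafeBootKeyRepair or of regedit.
It parses the text that 'regedit /e' produces and reports which SafeBoot
subkeys a suspect export lacks, or whose values differ, relative to a
reference export from a healthy machine of the same Windows version.
Note: regedit /e writes UTF-16LE; read a real file with
open(path, encoding="utf-16").
"""
import re
from typing import Dict, List

ROOT = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot"

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
# '@="Driver Group"' or '"AlternateShell"="cmd.exe"'
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its {value name: data}; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "@" if name == "@" else name[1:-1]
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]  # strip the quotes of a REG_SZ value
            keys[current][name] = data
    return keys


def compare_safeboot(reference: str, suspect: str, root: str = ROOT) -> Dict[str, object]:
    """Report SafeBoot keys/values in `reference` that `suspect` lacks or alters."""
    ref, sus = parse_reg(reference), parse_reg(suspect)
    # Registry key names are case-insensitive, so index the suspect by lower case.
    sus_lower = {k.lower(): v for k, v in sus.items()}
    report: Dict[str, object] = {"root_present": root.lower() in sus_lower,
                                 "missing": [], "changed": []}
    if not report["root_present"]:
        return report  # whole SafeBoot tree gone: Safe Mode cannot start at all
    prefix = root + "\\"
    missing: List[str] = report["missing"]  # type: ignore[assignment]
    changed: List[str] = report["changed"]  # type: ignore[assignment]
    for key, values in ref.items():
        rel = key[len(prefix):] if key.lower().startswith(prefix.lower()) else "(root)"
        present = sus_lower.get(key.lower())
        if present is None:
            missing.append(rel)
            continue
        for name, data in values.items():
            if present.get(name) != data:
                changed.append(f"{rel}\\{name}")
    return report


# Constructed reference: a subset of the SafeBoot keys posted in this thread.
REFERENCE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot\Network\Tcpip]
@="Service"
"""

# Constructed suspect: the same export with Minimal\vga.sys and Network\Tcpip removed.
SUSPECT = "\n".join(block for block in REFERENCE.split("\n\n")
                    if "vga.sys" not in block and "Tcpip" not in block)

if __name__ == "__main__":
    print(compare_safeboot(REFERENCE, SUSPECT))
```

In practice the reference export comes from a clean machine with the same Windows version and service pack, because the set of SafeBoot entries differs between versions; the export on this page is only useful as a reference for another Windows XP SP2 machine.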


----------



## Black_Dragon (May 8, 2007)

Hey, here I'm posting the CCleaner report...

Can you please check this file and confirm the files...?
I mean, has it deleted any system files or not?

Now I'm running the AVG antivirus...

I'll post the content of the AVG antivirus report... tomorrow...


----------



## DFW (Jun 12, 2004)

CCleaner report looks fine and dandy


----------



## DFW (Jun 12, 2004)

Black_Dragon said:


> Now I'm running the AVG antivirus...
> 
> I'll post the content of the AVG antivirus report... tomorrow...


Ok I need to see the AVG report before we look deeper into the safe mode boot problem.


----------



## Black_Dragon (May 8, 2007)

Hey, DFW...

I have followed your instructions and installed AVG antivirus, and did a full system scan... after following all your instructions...

But after applying all actions, the "Save Report" button didn't activate... It is still in hidden mode... so I can't save the report...
But I'm attaching the report screenshot with this thread...

Please tell me what I should do now??


----------



## DFW (Jun 12, 2004)

*Hi Black_Dragon, there's been a few changes to AVG since you downloaded it, try the instructions below for the scan and saving the report.*

*AVG Anti-Spyware*


Click on *Scanner* on the toolbar. 
Click on *Complete System Scan* to start the scan process. 
Let the program scan your computer. 
When the scan has finished, follow the instructions below: 
Make sure that *Set all elements to:* shows *Quarantine* 
*Important:* Click on the *Apply all Actions* button (**** This must be done before saving the report ****) 
When the program has finished, it will display the message *All actions have been applied*. 
Then click the *Save Scan Report* button. 
Click the *Save Report as* button. 
Save the report to your Desktop. 

Right-click the AVG Tray Icon and select *Exit*. 
Now copy the report back to this topic. 

*A copy of each report will also be saved in C:\Documents and Settings\Your User Name\Application Data\Grisoft\AVG Antispyware 7.5\Reports*

We are looking into the safe mode problem :up:



----------



## Black_Dragon (May 8, 2007)

Hi DFW,
I have done the same...
I have selected the "Complete System Scan" and completed the whole scan...
After that, I have done: Set all elements to: shows Quarantine...
and "Apply all actions"...
After this, I was trying to save the report... but the button is hidden...
That was my problem; due to that only, I haven't saved the scan report, and I have taken a screenshot and sent that to you...

Is there anything to do with settings, to unhide the button? Actually the button was not active at the completion of the process...

I think there is something wrong with the settings, so it must be changed at the Settings tab, so that the "button" will be active again...

Waiting for your reply...


----------



## DFW (Jun 12, 2004)

Did you look in C:\Documents and Settings\Your User Name\Application Data\Grisoft\AVG Antispyware 7.5\Reports to see if one is in there?


----------



## DFW (Jun 12, 2004)

*Hi Black_Dragon, please run an online scan to see what's left*

*Kaspersky Online Scanner*

Go Here http://www.kaspersky.com/virusscanner

*Read the Requirements and limitations before you click Accept*. 
Allow the ActiveX download if necessary 
Once the database has downloaded, click Next. 
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK. 
*Click on "My Computer"* and then put the kettle on! 
*When the scan has completed, click Save Report As... * 
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt) 
*Click Save *- by default the file will be saved to your Desktop, but you can change this if you wish.

*Copy and paste the report *into your next reply.


----------



## Black_Dragon (May 8, 2007)

yaa...
I have checked the folder.... for the AVG reports...

But the folder is empty...


----------



## DFW (Jun 12, 2004)

Black_Dragon said:


> yaa...
> I have checked the folder.... for the AVG reports...
> 
> But the folder is empty...


Ok do the KAS online scan, and we have that report instead.


----------



## Black_Dragon (May 8, 2007)

> Ok do the KAS online scan, and we have that report instead.


I have tried the KAS online scan; while doing that, it prompted me to install an ActiveX control to run the online scanner, but after installing the ActiveX control, it failed at downloading the antivirus files onto my local system....

The scanner didn't run after that........


----------



## DFW (Jun 12, 2004)

Hi Black_Dragon, I never got an email saying you posted; be back soon.


----------



## DFW (Jun 12, 2004)

*Download and run Sysclean* 

Create a folder on your desktop called *Sysclean*. 
Go to http://www.trendmicro.com/download/dcs.asp and download *sysclean package* to the folder you made. 
Go to http://www.trendmicro.com/download/pattern.asp and download the *Virus Pattern File (Official Pattern Release)* to your desktop. 
This file will be called lptXXX.zip (XXX represents the version number) 
*Unzip* lptXXX.zip and you'll get the file lpt$vpn.XXX. Read here how to unzip/extract properly. 
Move the lpt$vpn.XXX to the Sysclean-folder you created on your desktop. 
Open the sysclean-folder and double-click *sysclean.com*. 
Check: "Automatically clean or delete detected files". 
Click scan. 

*Open your sysclean-folder and copy and paste the contents of sysclean.log in your next reply.*

Also, as it's been a while, post a new HJT log.



----------



## Black_Dragon (May 8, 2007)

Hi DFW....
sorry for the long delay.....

Actually I'm facing some internet problems for the last month.....

and I have seen your latest message .....

and followed your instructions .........

here I'm posting the sysclean.log file details........

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2007-08-05, 09:49:58, Auto-clean mode specified.
2007-08-05, 09:49:58, Running scanner "C:\Documents and Settings\Alien\Desktop\Sysclean\TSC.BIN"...
2007-08-05, 09:50:45, Scanner "C:\Documents and Settings\Alien\Desktop\Sysclean\TSC.BIN" has finished running.
2007-08-05, 09:50:45, TSC Log:

Damage Cleanup Engine (DCE) 5.3(Build 1103)
Windows XP(Build 2600: Service Pack 2)

Start time : Sun Aug 05 2007 09:50:00

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Alien\Desktop\Sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Alien\Desktop\Sysclean\tsc.ptn" (version 884) [success]

Complete time : Sun Aug 05 2007 09:50:45
Execute pattern count(2882), Virus found count(0), Virus clean count(0), Clean failed count(0)

2007-08-05, 09:50:50, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-08-05, 10:36:34, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/5/2007 09:50:52
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 633 (212790 Patterns) (2007/08/03) (463300)
Command Line: C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Alien\Desktop\Sysclean

C:\WINDOWS\system32\wvuvvur.dll [TROJ_AGENT.VMD]
72271 files have been read.
72271 files have been checked.
66871 files have been scanned.
240820 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/5/2007 10:36:34
---------*---------*---------*---------*---------*---------*---------*---------*
2007-08-05, 10:36:34, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/5/2007 09:50:52
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 633 (212790 Patterns) (2007/08/03) (463300)
Command Line: C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Alien\Desktop\Sysclean

72271 files have been read.
72271 files have been checked.
66871 files have been scanned.
240820 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/5/2007 10:36:34	45 minutes 41 seconds (2741.05 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-08-05, 10:36:34, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/5/2007 09:50:52
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 633 (212790 Patterns) (2007/08/03) (463300)
Command Line: C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Alien\Desktop\Sysclean

72271 files have been read.
72271 files have been checked.
66871 files have been scanned.
240820 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/5/2007 10:36:34	45 minutes 41 seconds (2741.05 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-08-05, 10:36:34, Scanner "C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN" has finished running.

and the hijackthis log file.......

Logfile of HijackThis v1.99.1
Scan saved at 11:03:11 AM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Attache Transparent Clock\AttacheClock.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AttacheTransparentClock] C:\Program Files\Attache Transparent Clock\AttacheClock.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
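
The sysclean.log above is a good illustration of why the Clean Fail section alone cannot be trusted: C:\WINDOWS\system32\wvuvvur.dll is listed under Files Detected, no Success Clean line follows for it, and Clean Fail is still empty, so the file is still on disk even though nothing says so. The parser below is an added example (not Trend Micro's or the forum's own code): it splits an appended log into runs, records the detections per run, matches them against the Success Clean lines and reports whatever was never cleaned. The log layout is inferred from the sysclean.log excerpts posted in this thread; the sample log is constructed, with shortened paths, but its file and detection names are taken from the thread.

```python
"""Reconcile a Trend Micro Sysclean log: which detections were actually cleaned?

Added example for this thread; it is not Trend Micro's or the forum's own code.
The layout (timestamped "Files Detected:" / "Files Clean:" / "Clean Fail:" sections,
"Success Clean [...] from <path>" lines, a new run at every "Auto-clean mode
specified." line) is inferred from the sysclean.log excerpts posted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RUN_START = "Auto-clean mode specified."
USER_STOPPED = "The user stopped the operation."
SECTIONS = ("Files Detected:", "Files Clean:", "Clean Fail:")
TIMESTAMPED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2}, (?P<rest>.*)$")
DETECTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \[(?P<name>[A-Z0-9_.]+)\]$")
CLEANED_RE = re.compile(r"^Success Clean \[ ?(?P<name>[A-Z0-9_.]+)\]\( ?\d+\) from (?P<path>.+)$")
COUNT_RE = re.compile(r"^(?P<n>\d+) files containing viruses\.$")


@dataclass
class Run:
    """One scanner run; the /LAPPEND switch appends every run to the same log."""
    detected: Dict[str, str] = field(default_factory=dict)  # path -> detection name
    cleaned: Dict[str, str] = field(default_factory=dict)   # path -> detection name
    reported_infected: Optional[int] = None                 # scanner's own summary count
    stopped_by_user: bool = False

    def not_cleaned(self) -> Dict[str, str]:
        """Detections with no Success Clean line: that file is still on disk."""
        return {p: n for p, n in self.detected.items() if p not in self.cleaned}


def parse_sysclean(text: str) -> List[Run]:
    runs: List[Run] = []
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        ts = TIMESTAMPED_RE.match(line)
        if ts:
            rest = ts["rest"]
            if rest == RUN_START:
                runs.append(Run())
                section = None
            elif rest in SECTIONS and runs:
                section = rest
            else:  # "Running scanner", "has finished running", access-denied errors ...
                section = None
                if rest == USER_STOPPED and runs:
                    runs[-1].stopped_by_user = True
            continue
        if not runs or line.startswith("---------*"):
            section = None
            continue
        if section == "Files Detected:":
            if m := DETECTED_RE.match(line):
                runs[-1].detected[m["path"]] = m["name"]
            elif m := COUNT_RE.match(line):
                runs[-1].reported_infected = int(m["n"])
        elif section == "Files Clean:":
            if m := CLEANED_RE.match(line):
                runs[-1].cleaned[m["path"]] = m["name"]
    return runs


# Constructed sample modelled on the second log in the thread (paths shortened):
# run 1 was interrupted by the user, run 2 found three files but cleaned only one.
SAMPLE_LOG = r"""
2007-08-07, 08:21:18, Auto-clean mode specified.
2007-08-07, 08:21:18, Running scanner "C:\Sysclean\TSC.BIN"...
2007-08-07, 08:45:53, Files Detected:
C:\Documents and Settings\Alien\Local Settings\Temp\kcehc_eicooc20070702[1] [TROJ_TINY.EN]
2007-08-07, 08:45:53, Files Clean:
Success Clean [ TROJ_TINY.EN]( 1) from C:\Documents and Settings\Alien\Local Settings\Temp\kcehc_eicooc20070702[1]
2007-08-07, 08:45:53, Clean Fail:
2007-08-07, 08:45:53, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.
2007-08-07, 08:45:53, The user stopped the operation.
2007-08-07, 08:47:11, Auto-clean mode specified.
2007-08-07, 09:27:42, Files Detected:
C:\WINDOWS\system32\dkvkxgil.exe [TROJ_TINY.EN]
C:\WINDOWS\system32\okpywkkw.exe [TROJ_AGENT.WHS]
C:\WINDOWS\system32\wvuvvur.dll [TROJ_AGENT.VMD]
3 files containing viruses.
Stop At : 8/7/2007 09:27:42
---------*---------*---------*---------*
2007-08-07, 09:27:42, Files Clean:
Success Clean [ TROJ_AGENT.WHS]( 1) from C:\WINDOWS\system32\okpywkkw.exe
3 files containing viruses.
---------*---------*---------*---------*
2007-08-07, 09:27:42, Clean Fail:
3 files containing viruses.
---------*---------*---------*---------*
2007-08-07, 09:27:42, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.
"""

if __name__ == "__main__":
    for i, run in enumerate(parse_sysclean(SAMPLE_LOG), 1):
        tag = " (stopped by user)" if run.stopped_by_user else ""
        print(f"run {i}{tag}: {len(run.detected)} detected, {len(run.cleaned)} cleaned")
        for path, name in run.not_cleaned().items():
            print(f"  NOT CLEANED  {name}  {path}")
```

Run it against a real sysclean.log by reading the file and passing its text to `parse_sysclean`; the `reported_infected` count lets you spot a run where the scanner's own summary disagrees with the number of detection lines you parsed, which usually means the log was cut short.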


----------



## DFW (Jun 12, 2004)

*Hi Black_Dragon, it's been some time, let's see if we can finish up this time. Are you still having problems with safe mode?*

You are running *MyWebSearch (or MyBar)*. Although not technically malware, it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available such as the *Google toolbar*. *My Web Search*, also known as the *My Way Speedbar*, is the Internet Explorer toolbar part of the *Fun Web Products* suite of utilities such as *Smiley Central, Cursor Mania, My Mail Stationary, My Mail Signature, PopSwatter, Popular Screensavers*, and the *My Way* website portal. The toolbar allows easy access to search engine results and a 404 Error Redirector called My Total Search among other things to your browser.

This is not to be confused with the IBIS Web Search toolbar. MyWay is a search toolbar that installs into Internet Explorer and Netscape Navigator, adding search functions and popup blocking. It reports your surfing activity anonymously to MyWay affiliates, helping them to serve targeted advertising to you. As a BHO, MyWay shares the memory that your browser uses, detects events, creates additional windows while you are surfing, and monitors your activity. When a new browser window is opened, MyWay will send a configuration request about 5k in size.

Although none of these products claim to be spyware, they do slow your computer down. All of the products use cookies to track usage, although they claim not to use cookies or anything else to track personally identifiable information. That being said, I would still recommend uninstalling the toolbar and other Fun Web Products if you feel your computer runs better without them. They are found by most spyware removal tools such as Spybot Search and Destroy and Lavasoft Ad-Aware, although they are deemed spyware safe by Aluria Software, who created a Spyware SAFE Certification.

*More Info Here*

http://www.sophos.com/security/analyses/mywebsearch.html

*Removing it is optional, if you would like to keep it, don't uninstall it or delete the folder as posted below*

*We need you to remove programs from the Add/Remove Programs List*

Please go to: Start Menu\Settings\Control Panel\Add/Remove Programs

*Find and remove these programs (if they are present)*

MyWebSearch

*Do you still have hidden files set to show, if not see below*.

*Reconfigure Windows XP to show hidden files:* 
Double-click the My Computer icon on the Windows desktop.  
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".  
Uncheck the "Hide protected operating system files (recommended)" option. 
Uncheck the "Hide file extensions for known file types" option. 
Click Yes to confirm. Click OK.

*Delete suspect files/folders* 
Using Windows Explorer, browse for the following files/folders and delete as instructed 
NB Some files may have already been deleted by earlier actions so don't worry if you do not see them:

C:\Program Files\MyWebSearch <<<<<Folder

C:\WINDOWS\system32\wvuvvur.dll <<<<File

*Reboot your system and delete your current Sysclean folder on your desktop*


Create a new folder on your desktop called *Sysclean*. 
*Download* *Sysclean Package* *to the folder you made.* 
*Download* *Virus Pattern File (Official Pattern Release)* *to your desktop.* This file will be called *lptXXX.zip* (XXX represents the version number) 
*Unzip* *lptXXX.zip* and you'll get the file *lpt$vpn.XXX*. Read *here* how to unzip/extract properly. 
Move the *lpt$vpn.XXX* to the *Sysclean* folder you created on your desktop. 
Open the sysclean folder and double-click *sysclean.com*. 
Check: *Automatically clean or delete detected files*. 
Click *scan*. 
*Open your sysclean folder and copy and paste the contents of sysclean.log in your next reply, with a new HJT Log*
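
DFW's post above is essentially a manual triage of the HijackThis log: the MyWebSearch entries (the mwsoemon.exe process and the RunOnce uninstall entry) and the DLL Sysclean flagged are picked out and queued for removal. As an added example (not HijackThis', Trend Micro's or the forum's own code), the script below does that first pass over HJT-format lines programmatically: it flags lines that mention a watchlist indicator, lines HijackThis itself marks "(file missing)" or "(no file)", and the network settings (R1 ProxyServer and O17 NameServer entries) a helper should verify rather than assume are legitimate. The watchlist and the log excerpt are taken from this thread; the regexes and the PROC pseudo-code for process-list lines are my assumptions about the format.

```python
"""Triage a HijackThis log the way a helper reads it by hand.

Added example for this thread; it is not HijackThis' or the forum's own code.
Three defensive checks: lines mentioning a watchlist indicator (here the DLL
Sysclean flagged plus the MyWebSearch names from DFW's post), entries HijackThis
itself annotates "(file missing)" / "(no file)", and network settings (IE proxy,
O17 name servers) that need verifying before the log is declared clean.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "<code> - <body>" entries such as "O4 - HKLM\..\Run: [...] ...". Assumed format.
ENTRY_RE = re.compile(r"^(?P<code>[RFON]\d{1,2}) - (?P<body>.+)$")
# First Windows path in an entry, cut at the first executable-ish extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|scr|cpl|htm)\b', re.I)
DEAD_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    code: str             # HJT section code, or PROC for a "Running processes" line
    reason: str           # "watchlist", "dead_reference" or "network_setting"
    path: Optional[str]
    line: str


def entry_path(body: str) -> Optional[str]:
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage(log_text: str, watchlist: List[str]) -> List[Finding]:
    """Return one Finding per log line that deserves a human look, in log order."""
    findings: List[Finding] = []
    needles = [w.lower() for w in watchlist]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            code, body = m["code"], m["body"]
        elif re.match(r"^[A-Za-z]:\\", line):   # bare path = running process
            code, body = "PROC", line
        else:
            continue
        low = line.lower()
        path = entry_path(body)
        if any(n in low for n in needles):
            findings.append(Finding(code, "watchlist", path, line))
        elif any(d in line for d in DEAD_MARKERS):
            findings.append(Finding(code, "dead_reference", path, line))
        elif code == "O17" or (code == "R1" and "ProxyServer" in body):
            findings.append(Finding(code, "network_setting", path, line))
    return findings


def count_by_reason(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Excerpt of the HijackThis log posted in this thread (lines copied as posted).
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

WATCHLIST = ["wvuvvur.dll", "MyWebSearch", "MYWEBS~1"]   # indicators named in the thread

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, WATCHLIST):
        print(f"{f.code:<4} {f.reason:<16} {f.path or '-'}")
```

A "network_setting" finding is a prompt to check, not a verdict: an ISP proxy or a corporate DNS server looks exactly like a hijacked one in the log, so the helper compares the values against what the user's network should be using before asking for any change.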


----------



## Black_Dragon (May 8, 2007)

Hi DFW, thanks a lot for your reply....
now I can log in to Safe Mode without any problems....but somewhat time-taking ....
My system is taking much time in startup....

and,
Actually, I have installed it as part of the "Smiley central" installation for my messengers....

but I think its installation is not good, as you said here....

but right now I'm having some other problem with my system .....

http://forums.techguy.org/malware-r...s/604626-norton-popups-saying-email-scan.html

this is the thread I have placed for the problem I'm facing right now....
and now, I'm facing the "Microsoft Windows" error messages which were placed in the last post of the thread specified in this post....

so, can you please help me with this new problem?


----------



## Black_Dragon (May 8, 2007)

Hi, DFW....

just now, I got one more popup saying "WinAntiVirusPro 2007"..... and it asked me to download the program....

And the link is ......
http://winantivirus.com/download/2007/index.php?aid=ffnm_ba_ff_ron_mtrt&lid=http>_wav-d2007&affid=ffnm_67602_76525c52417311dcabc0f67602ffffff_bea39c96751d48dda082ac1ca43fb12a&rff=http%3A%2F%2Fforums.techguy.org%2Fmalware-removal-hijackthis-logs%2F571105-trojan-vundo-virus-my-laptop-2.html

Does it belong to any spyware or any virus program?
Can it be a good antivirus program?


----------



## DFW (Jun 12, 2004)

I am waiting to have your fix checked, *do not download WinAntiVirusPro 2007*, post a new HJT Log.


----------



## Black_Dragon (May 8, 2007)

Hi DFW,

I have uninstalled the MyWebSearch tool bar from control panel as you said in the post....

I have tried to delete the file you specified, the "wvuvvur.dll" file....

but I'm getting the message saying.... "file in use... cannot be deleted".....

I have tried in safe mode also, but no use...

What shall I do now?

Here I'm posting the SysClean log file and HijackThis log file.......

Sysclean Log :

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2007-08-07, 08:21:18, Auto-clean mode specified.
2007-08-07, 08:21:18, Running scanner "C:\Documents and Settings\Alien\Desktop\Sysclean\TSC.BIN"...
2007-08-07, 08:21:48, Scanner "C:\Documents and Settings\Alien\Desktop\Sysclean\TSC.BIN" has finished running.
2007-08-07, 08:21:48, TSC Log:

Damage Cleanup Engine (DCE) 5.3(Build 1103)
Windows XP(Build 2600: Service Pack 2)

Start time : Tue Aug 07 2007 08:21:19

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Alien\Desktop\Sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Alien\Desktop\Sysclean\tsc.ptn" (version 884) [success]

Complete time : Tue Aug 07 2007 08:21:48
Execute pattern count(2882), Virus found count(0), Virus clean count(0), Clean failed count(0)

2007-08-07, 08:23:04, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-08-07, 08:45:53, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/7/2007 08:23:23
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 635 (213261 Patterns) (2007/08/05) (463500)
Command Line: C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Alien\Desktop\Sysclean

C:\Documents and Settings\Alien\Local Settings\Temporary Internet Files\Content.IE5\4FSP6R2P\kcehc_eicooc20070702[1] [TROJ_TINY.EN]
C:\Documents and Settings\Alien\Local Settings\Temporary Internet Files\Content.IE5\4FSP6R2P\masiyxanidi[1] [TROJ_AGENT.WHS]
2007-08-07, 08:45:53, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/7/2007 08:23:23
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 635 (213261 Patterns) (2007/08/05) (463500)
Command Line: C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Alien\Desktop\Sysclean

Success Clean [ TROJ_TINY.EN]( 1) from C:\Documents and Settings\Alien\Local Settings\Temporary Internet Files\Content.IE5\4FSP6R2P\kcehc_eicooc20070702[1]
Success Clean [ TROJ_AGENT.WHS]( 1) from C:\Documents and Settings\Alien\Local Settings\Temporary Internet Files\Content.IE5\4FSP6R2P\masiyxanidi[1]
2007-08-07, 08:45:53, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/7/2007 08:23:23
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 635 (213261 Patterns) (2007/08/05) (463500)
Command Line: C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Alien\Desktop\Sysclean

2007-08-07, 08:45:53, Scanner "C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2007-08-07, 08:45:53, The user stopped the operation.

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2007-08-07, 08:47:11, Auto-clean mode specified.
2007-08-07, 08:47:11, Running scanner "C:\Documents and Settings\Alien\Desktop\Sysclean\TSC.BIN"...
2007-08-07, 08:47:53, Scanner "C:\Documents and Settings\Alien\Desktop\Sysclean\TSC.BIN" has finished running.
2007-08-07, 08:47:53, TSC Log:

Damage Cleanup Engine (DCE) 5.3(Build 1103)
Windows XP(Build 2600: Service Pack 2)

Start time : Tue Aug 07 2007 08:47:15

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Alien\Desktop\Sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Alien\Desktop\Sysclean\tsc.ptn" (version 884) [success]

Complete time : Tue Aug 07 2007 08:47:53
Execute pattern count(2882), Virus found count(0), Virus clean count(0), Clean failed count(0)

2007-08-07, 08:48:31, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-08-07, 09:27:42, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/7/2007 08:48:47
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 635 (213261 Patterns) (2007/08/05) (463500)
Command Line: C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Alien\Desktop\Sysclean

C:\WINDOWS\system32\dkvkxgil.exe [TROJ_TINY.EN]
C:\WINDOWS\system32\okpywkkw.exe [TROJ_AGENT.WHS]
C:\WINDOWS\system32\wvuvvur.dll [TROJ_AGENT.VMD]
77819 files have been read.
77819 files have been checked.
72411 files have been scanned.
239541 files have been scanned. (including files in archived)
3 files containing viruses.
Found 3 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/7/2007 09:27:42
---------*---------*---------*---------*---------*---------*---------*---------*
2007-08-07, 09:27:42, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/7/2007 08:48:47
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 635 (213261 Patterns) (2007/08/05) (463500)
Command Line: C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Alien\Desktop\Sysclean

Success Clean [ TROJ_AGENT.WHS]( 1) from C:\WINDOWS\system32\okpywkkw.exe
77819 files have been read.
77819 files have been checked.
72411 files have been scanned.
239541 files have been scanned. (including files in archived)
3 files containing viruses.
Found 3 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/7/2007 09:27:42	38 minutes 54 seconds (2333.61 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-08-07, 09:27:42, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/7/2007 08:48:47
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 635 (213261 Patterns) (2007/08/05) (463500)
Command Line: C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Alien\Desktop\Sysclean

77819 files have been read.
77819 files have been checked.
72411 files have been scanned.
239541 files have been scanned. (including files in archived)
3 files containing viruses.
Found 3 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/7/2007 09:27:42	38 minutes 54 seconds (2333.61 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-08-07, 09:27:42, Scanner "C:\Documents and Settings\Alien\Desktop\Sysclean\VSCANTM.BIN" has finished running.

And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:36:20 AM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Attache Transparent Clock\AttacheClock.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dkvkxgil.exe
C:\Documents and Settings\Alien\Desktop\Sysclean\sysclean.com
C:\Documents and Settings\Alien\Desktop\Sysclean\sysclean.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\wuvgdirp.dll",forkonce
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AttacheTransparentClock] C:\Program Files\Attache Transparent Clock\AttacheClock.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186309914578
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Please check these logs and advise me on the next steps to take.


----------



## DFW (Jun 12, 2004)

1. *Download this file* - combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. *Post that log* in your next reply.

*Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*


----------



## Black_Dragon (May 8, 2007)

I have downloaded the combofix.exe file....

Now shall I run the program in "Normal" mode or in "Safe" mode?

Do I need to get any updates, or just run ComboFix?


----------



## DFW (Jun 12, 2004)

Run it as it is in normal mode.


----------



## Black_Dragon (May 8, 2007)

I have run ComboFix, and these are the logs:

ComboFix 07-08-07.6 - "Alien" 2007-08-08 20:10:41.1 - NTFSx86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1416 [GMT 5.5:30]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Alien\APPLIC~1.\macromedia\Flash Player\#SharedObjects\GVP00001\www.broadcaster.com
C:\DOCUME~1\Alien\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Alien\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\bnddxkqv.ini
C:\WINDOWS\system32\egjlm.bak1
C:\WINDOWS\system32\egjlm.bak2
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.ini2
C:\WINDOWS\system32\egjlm.tmp
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\rfbcauql.dll
C:\WINDOWS\system32\vqkxddnb.dll
C:\WINDOWS\system32\wvuvvur.dll
C:\WINDOWS\system32\xoniwibo.dll
C:\WINDOWS\system32\xpdx.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\xpdx

((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))

2007-08-08 20:09	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-08-06 14:02 d--------	C:\Program Files\iTunes
2007-08-06 14:02 d--------	C:\Program Files\iPod
2007-08-05 20:08 d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-05 20:06 d--------	C:\Program Files\MSBuild
2007-08-05 19:59 d--------	C:\WINDOWS\system32\XPSViewer
2007-08-05 19:56 d--------	C:\Program Files\Reference Assemblies
2007-08-05 19:54	14,048	--a------	C:\WINDOWS\system32\spmsg2.dll
2007-08-05 18:25 d--------	C:\Program Files\MSXML 6.0
2007-08-05 17:51	271,224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-08-05 07:48	13,135	--ahs----	C:\WINDOWS\system32\qpqss.ini2
2007-08-03 23:34	6,466	--ahs----	C:\WINDOWS\system32\qpqss.bak1
2007-08-02 20:33 d--------	C:\Program Files\Endorsor Verifier
2007-08-02 01:46 d--------	C:\Program Files\Free Desktop Clock
2007-08-01 23:59 d--------	C:\Program Files\Attache Transparent Clock
2007-08-01 23:46	278,528	--a------	C:\WINDOWS\system32\livesnth.dll
2007-08-01 23:46	203,776	--a------	C:\WINDOWS\system32\clrviddc.dll
2007-08-01 00:50 d--------	C:\Program Files\Lavasoft
2007-08-01 00:50 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-08-01 00:50 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-28 12:01 d--------	C:\Program Files\HEROSOFT
2007-07-26 08:57 d--------	C:\Program Files\RadioXpi
2007-07-25 22:03 d--------	C:\Program Files\Raxco
2007-07-25 22:03 d--------	C:\Program Files\Common Files\Raxco
2007-07-25 22:03 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Raxco
2007-07-25 20:06 d--------	C:\Program Files\Common Files\xing shared
2007-07-25 01:05 d--------	C:\WINDOWS\system32\vmm32
2007-07-25 00:08	1,795	--a------	C:\WINDOWS\mozver.dat
2007-07-25 00:08 d--------	C:\Program Files\DivX
2007-07-24 20:42 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-07-23 07:26	0	--a------	C:\WINDOWS\nsreg.dat
2007-07-22 20:20 d--------	C:\Program Files\WinAVI MP4 Converter
2007-07-22 13:24	22,112	-ra------	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-07-21 14:05	129,784	--a------	C:\WINDOWS\system32\pxafs.dll
2007-07-21 13:11	21,504	--a------	C:\WINDOWS\system32\drivers\motmodem.sys
2007-07-21 13:11	1,419,232	--a------	C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-07-21 13:11 d--------	C:\Program Files\Common Files\Motorola Shared
2007-07-21 13:10	92,064	--a------	C:\DOCUME~1\Alien\mqdmmdm.sys
2007-07-21 13:10	9,232	--a------	C:\DOCUME~1\Alien\mqdmmdfl.sys
2007-07-21 13:10	79,328	--a------	C:\DOCUME~1\Alien\mqdmserd.sys
2007-07-21 13:10	66,656	--a------	C:\DOCUME~1\Alien\mqdmbus.sys
2007-07-21 13:10	6,208	--a------	C:\DOCUME~1\Alien\mqdmcmnt.sys
2007-07-21 13:10	5,936	--a------	C:\DOCUME~1\Alien\mqdmwhnt.sys
2007-07-21 13:10	4,048	--a------	C:\DOCUME~1\Alien\mqdmcr.sys
2007-07-21 12:05 d--------	C:\DOCUME~1\Alien\APPLIC~1\InstallShield
2007-07-17 15:47 d--------	C:\DOCUME~1\Guest\APPLIC~1\Notepad++
2007-07-14 23:05 d--------	C:\DOCUME~1\Alien\APPLIC~1\pdf995
2007-07-14 22:34	51,716	--a------	C:\WINDOWS\system32\pdf995mon.dll
2007-07-14 22:34	249,856	--a------	C:\WINDOWS\system32\pdfmona.dll
2007-07-14 22:34 d--------	C:\Program Files\pdf995
2007-07-14 22:34 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\pdf995
2007-07-14 22:19 d--h-----	C:\Program Files\Zero G Registry
2007-07-14 22:18 d--h-----	C:\DOCUME~1\Alien\InstallAnywhere
2007-07-14 22:17 d--------	C:\Program Files\Adobe Flex Builder
2007-07-14 10:30 d--------	C:\Program Files\Norton AntiVirus
2007-07-12 17:22	774,144	--a------	C:\Program Files\RngInterstitial.dll
2007-07-12 15:00 d--------	C:\Program Files\iDump
2007-07-11 21:26 d--------	C:\Program Files\Common Files\Apple
2007-07-11 21:26 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-11 18:38 d--------	C:\DOCUME~1\Guest\APPLIC~1\CyberLink
2007-07-10 00:37	200,704	--a------	C:\WINDOWS\system32\ssldivx.dll
2007-07-10 00:37	1,044,480	--a------	C:\WINDOWS\system32\libdivx.dll
2007-07-09 20:01 d-------- C:\AllokiPodFolder

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 20:08	---------	d--------	C:\Program Files\FlashGet
2007-08-07 19:46	---------	d--------	C:\Program Files\Common Files\Symantec Shared
2007-08-07 09:36	---------	d--------	C:\Program Files\HJT
2007-08-04 11:09	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-08-02 22:44	---------	d--------	C:\Program Files\TweakNow RegCleaner Std
2007-07-25 20:06	---------	d--------	C:\Program Files\Common Files\Real
2007-07-25 19:44	---------	d--------	C:\DOCUME~1\Alien\APPLIC~1\Real
2007-07-21 14:06	---------	d--------	C:\Program Files\Winamp
2007-07-21 13:13	---------	d--------	C:\Program Files\Motorola Phone Tools
2007-07-21 13:12	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-21 13:12	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-07-21 13:10	22768	--a------	C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-07-21 12:05	---------	d--------	C:\Program Files\Avanquest update
2007-07-21 00:49	---------	d--------	C:\Program Files\Yahoo!
2007-07-19 19:53	---------	d--------	C:\Program Files\Picasa2
2007-07-18 11:37	---------	d--------	C:\Program Files\QuickTime
2007-07-14 11:14	806	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-14 11:14	8014	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-14 11:14	48776	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-14 11:14	115000	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-14 11:14	---------	d--------	C:\Program Files\Symantec
2007-07-13 00:58	---------	d--------	C:\DOCUME~1\Alien\APPLIC~1\Apple Computer
2007-07-12 17:17	---------	d--------	C:\Program Files\Real
2007-07-11 21:26	---------	d--------	C:\Program Files\Apple Software Update
2007-06-17 23:39	---------	d--------	C:\Program Files\CCleaner
2007-06-14 11:22	---------	d--------	C:\DOCUME~1\Alien\APPLIC~1\AdobeUM
2007-06-09 14:49	---------	d--------	C:\Program Files\EditPlus 2
2007-05-24 07:40	227856	--a------	C:\WINDOWS\system32\PDBoot.exe
2007-05-16 20:42	86528	--a--c---	C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 20:42	85504	--a--c---	C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 20:42	683520	--a--c---	C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 20:42	683520	--a------	C:\WINDOWS\system32\inetcomm.dll
2007-05-16 20:42	510976	--a--c---	C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 20:42	1314816	--a--c---	C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 14:54	3583488	--a--c---	C:\WINDOWS\system32\dllcache\mshtml.dll
2006-12-18 23:27	251	--a------	C:\Program Files\wt3d.ini

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34E6F97C-34E0-4CE5-B92B-F83634BEDC01}]
C:\Program Files\Video ActiveX Access\iesplg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DA2A072-CA4A-4167-AD21-36E2E26094B8}]
C:\WINDOWS\system32\jkhfe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 18:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"NWEReboot"="" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 18:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 17:58]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-04-25 11:49]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 04:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2007-07-25 20:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-25 20:05]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 21:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]
"Crammer"="C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:30]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 23:38]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"AttacheTransparentClock"="C:\Program Files\Attache Transparent Clock\AttacheClock.exe" [2002-08-28 00:41]
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmqx32] 
winmqx32.dll

R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 s24trans;WLAN Transport;C:\WINDOWS\system32\DRIVERS\s24trans.sys
R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
R3 zlportio;zlportio;\??\C:\Program Files\Attache Transparent Clock\zlportio.sys
S0 BTHidMgr;Bluetooth HID Manager Service;C:\WINDOWS\system32\Drivers\BTHidMgr.sys
S3 BlueletAudio;Bluetooth Audio Service;C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
S3 BlueletSCOAudio;Bluetooth SCO Audio Service;C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys
S3 BT;Bluetooth PAN Network Adapter;C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
S3 Btcsrusb;Bluetooth USB For Bluetooth Service;C:\WINDOWS\system32\Drivers\btcusb.sys
S3 BTHidEnum;Bluetooth HID Enumerator;C:\WINDOWS\system32\DRIVERS\vbtenum.sys
S3 CO_Mon;CO_Mon;\??\C:\WINDOWS\system32\Drivers\CO_Mon.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 nmwcd;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 nmwcdc;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 PDExchange;PDExchange;"C:\Program Files\Raxco\PerfectDisk\PDExchange.exe"
S3 sffdisk;SFF Storage Class Driver;C:\WINDOWS\system32\DRIVERS\sffdisk.sys
S3 sffp_sd;SFF Storage Protocol Driver for SDBus;C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 UIUSys;Conexant Setup API;C:\WINDOWS\system32\drivers\UIUSys.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
S3 VComm;Virtual Serial port driver;C:\WINDOWS\system32\DRIVERS\VComm.sys
S3 VcommMgr;Bluetooth VComm Manager Service;C:\WINDOWS\system32\Drivers\VcommMgr.sys
S3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{577568ae-aeb5-11db-b5a3-00030d000001}]
Auto\command- E:\AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7476704b-eb1b-11db-b675-0015c5beff6c}]
AutoRun\command- ie.exe
explore\Command- ie.exe
open\Command- ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b397a6c2-8eb7-11db-b51b-0015c5beff6c}]
Auto\command- MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

Contents of the 'Scheduled Tasks' folder
2007-08-01 04:56:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job 
2007-08-08 14:58:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-08-03 15:34:02 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Alien.job - C:\PROGRA~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 20:26:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 20:30:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-08 20:30

--- E O F ---


----------



## Black_Dragon (May 8, 2007)

And here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:58 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Attache Transparent Clock\AttacheClock.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DA2A072-CA4A-4167-AD21-36E2E26094B8} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: TBSB08057 Class - {75E5BE62-491C-43D1-9AA0-764A88CF2D32} - C:\PROGRA~1\VCRICK~1.COM\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AttacheTransparentClock] C:\Program Files\Attache Transparent Clock\AttacheClock.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186309914578
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


----------



## Black_Dragon (May 8, 2007)

Hi DFW, 
After running the ComboFix tool, I have run the "Panda free active scan" and got the report of the scan....

Here I'm posting the scan report; please check this report and advise me on the next things to do...

I'm waiting for your reply....

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D} 
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Alien\Application Data\Mozilla\Firefox\Profiles\nemzb8je.default\cookies.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Alien\Application Data\Mozilla\Firefox\Profiles\nemzb8je.default\cookies.txt[.statcounter.com/] 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Alien\Application Data\Mozilla\Firefox\Profiles\nemzb8je.default\cookies.txt[.atdmt.com/] 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Alien\Application Data\Mozilla\Firefox\Profiles\nemzb8je.default\cookies.txt[.questionmarket.com/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Alien\Application Data\Mozilla\Firefox\Profiles\nemzb8je.default\cookies.txt[.tribalfusion.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Alien\Application Data\Mozilla\Firefox\Profiles\nemzb8je.default\cookies.txt[.com.com/] 
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Alien\Application Data\Mozilla\Firefox\Profiles\nemzb8je.default\cookies.txt[.advertising.com/] 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Alien\Desktop\Malware Tools\Combo Fix\ComboFix.exe[nircmd.exe] 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Alien\My Documents\Google Talk Received Files\SmileyCentralPFSetup2.2.60.4.ZNfox000.exe 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\Trojan removal\SDFix.exe[SDFix\apps\Process.exe] 
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2007-08-08_202612.06.zip[mljge.dll] 
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2007-08-08_202612.06.zip[wvuvvur.dll] 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Softwares\Smiley\SmileyCentralPFSetup2.2.60.11-2.ZNfox000.rar[SmileyCentralPFSetup2.2.60.11-2.ZNfox000.exe] 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe


----------



## DFW (Jun 12, 2004)

*Hi Black_dragon.*

*Please download* *SmitfraudFix* (by *S!Ri*)

Double-click *SmitfraudFix.exe*. 
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present). 
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move *SmitfraudFix.exe* directly to the root of the system drive (usually *C:*), and launch from there.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. 
http://www.beyondlogic.org/consulting/proc...processutil.htm


----------



## Black_Dragon (May 8, 2007)

Hi DFW,

Here is the SmitfraudFix.exe report......

SmitFraudFix v2.210

Scan done at 8:38:03.57, Fri 08/10/2007
Run from C:\Documents and Settings\Alien\Desktop\Malware Tools\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Attache Transparent Clock\AttacheClock.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alien

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alien\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Alien\FAVORI~1

C:\DOCUME~1\Alien\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 172.30.0.1
DNS Server Search Order: 202.56.250.5

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer=202.9.145.6,202.9.145.7
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer=172.30.0.1,202.56.250.5
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer=202.9.145.6,202.9.145.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer=172.30.0.1,202.56.250.5
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer=202.9.145.6,202.9.145.7
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer=172.30.0.1,202.56.250.5

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## DFW (Jun 12, 2004)

*Hi Black_dragon.*

*I would suggest you print out or copy these instructions*

There were two tools we *downloaded some weeks ago*. It looks to me that you have uninstalled *AVG Antispyware*; if you have, please download it again.

If you still have it, update it.

Please note that there are some small changes in the AVG instructions.

Also CCleaner: if you have uninstalled it, see the new download link and instructions below.

*AVG Anti-Spyware *

Download the trial version of *AVG Anti-Spyware* from here and install it. When the program has been installed, and you click the *Finish* button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following: 

Click the *Update* icon at the top and under *Manual Update* click the *Start update* button. 
The program will either update or inform you that no update was available. 
It is essential that you get the update - keep trying until successful. (*Note:* If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on *avgas-signatures-full-current.exe* to install the database). 
*Please set up the program as follows*: 

Click the *Shield* icon at the top and under *Resident shield is...* click *active*. This should now change to *inactive*. 
Click the *Update* icon and untick the automatic update option. 
Click on *Scanner* on the toolbar. 
Click on the *Settings* tab. 
Under *How to act?* - make sure that *Quarantine* is selected. 
Under *How to scan?* - All checkboxes should be ticked. 
Under *Possibly unwanted software* - All checkboxes should be ticked. 
Under *Reports* - Select *Do not automatically generate reports*. 
Under *What to scan?* - Select *Scan every file*. 

Close *all* open windows.

*DownLoad CCleaner.*

**NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner! *

Download CCleaner to clean temp files from your computer.

http://www.ccleaner.com/download/builds/downloading-slim

Double click on the file to start the installation of the program. 
Select your language and click OK, then next. 
Read the license agreement and click I Agree. 
Click next to use the default install location. Click Install then finish to complete installation. 
Double click the CCleaner shortcut on the desktop to start the program. 
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. 
(If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit). 
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla. 
Click on the "Options" icon at the left side of the window, then click on "Advanced." 
Deselect "Only delete files in Windows Temp folders older than 48 hours." 
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.

*Close CCleaner; we will run it later*

INFO http://www.ccleaner.com/help/tour/

*Next, please reboot your computer in Safe Mode by doing the following :* 

Restart your computer 
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; 
Instead of Windows loading as normal, a menu with options should appear; 
Select the first option, to run Windows in Safe Mode, then press "Enter". 
Choose your usual account. 
Once in Safe Mode, double-click on *SmitfraudFix.exe* 
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it does, please restart it into NORMAL MODE. 
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. 
The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning : running option #2 on a non infected computer will remove your Desktop background.

*Restart your system into Normal mode if SmitfraudFix.exe did not restart your system*

Please download >>ComboFix<< by sUBs:

*NOTE: In the event you already have ComboFix, Please delete it, this is a new version that I need you to download.*
 Save it to your desktop. 
 Then, please open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:


```
File::
C:\WINDOWS\system32\jkhfe.dll 
C:\WINDOWS\system32\winmqx32.dll
C:\WINDOWS\system32\qpqss.ini2
C:\WINDOWS\system32\qpqss.bak1 

Folder::
C:\Program Files\Video ActiveX Access

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34E6F97C-34E0-4CE5-B92B-F83634BEDC01}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DA2A072-CA4A-4167-AD21-36E2E26094B8}]
```

 Save this as *CFScript.txt* and change the "*Save as type*" to "*All Files*" and place it on your desktop.

 Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe.* 
 ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. 
 When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. 

*CAUTION*: *Do not mouse-click ComboFix's window while it is running. That may cause it to stall*.

*Open up Hijackthis *
Click on do a system scan only. 
Place a checkmark next to these lines(if still present)

*O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {6DA2A072-CA4A-4167-AD21-36E2E26094B8} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
*

Then close all windows except Hijackthis and click *Fix Checked*

*In Safe Mode Run Below*

*Now Run CCleaner in safe mode*

Double click CCleaner icon on desktop 
Click on Run Cleaner 
Confirm to delete

*Now close CCleaner*

*Run AVG in safe Mode*


Click on *Scanner* on the toolbar. 
Click on *Complete System Scan* to start the scan process. 
Let the program scan your computer. 
When the scan has finished, follow the instructions below: 
Make sure that *Set all elements to:* shows *Quarantine* 
*Important:* Click on the *Apply all Actions* button. *This must be done before saving the report.*
When the program has finished, it will display the message *All actions have been applied*.
Then click the *Save Scan Report* button. 
Click the *Save Report as* button. 
Save the report to your Desktop.

Right-click the AVG Tray Icon and select *Exit*. 
*Now copy the report back to this topic.* 

*Reboot your system into normal mode and run a online scan*

*Kaspersky Online Scanner*

*Note for Internet Explorer 7 users:* If at any time you have trouble with the accept button of the licence,
click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.

Go Here http://www.kaspersky.com/virusscanner

*Read the Requirements and limitations before you click Accept*. 
Allow the ActiveX download if necessary 
Once the database has downloaded, click Next. 
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK. 
*Click on "My Computer"* and then put the kettle on! 
*When the scan has completed, click Save Report As... * 
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt) 
*Click Save *- by default the file will be saved to your Desktop, but you can change this if you wish.

*Copy and paste the Kaspersky report* into your next reply along with the *ComboFix log, SmitfraudFix report, a fresh HJT log* and a description of how your PC is behaving.

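The three HJT lines the helper asked to have fixed share a pattern: a BHO with no name whose DLL is gone, and a Winlogon Notify handler that is not a Windows component. The script below is an added example (not from this thread and not part of HijackThis) that encodes that triage and runs it over lines quoted from the logs in this thread; the Winlogon Notify allow-list is a constructed, deliberately short one, and every rule only marks a line for review.

```python
"""Triage of HijackThis 1.99.x log lines (added example; not HijackThis code).

Rules, in the order the helper applied them above:
  O2  BHO with "(no name)" or "(file missing)"   -> review
  O20 Winlogon Notify handler not on allow-list  -> review
  R1  IE proxy server configured                 -> confirm it is yours
  O17 adapter DNS servers                        -> confirm they are your ISP's
A hit is a reason to look, not a verdict: Spybot's SDHelper, for example,
also registers as an O2 BHO with "(no name)".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines quoted from this thread plus benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {6DA2A072-CA4A-4167-AD21-36E2E26094B8} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed, shortened allow-list of Winlogon Notify packages that ship with
# Windows XP SP2 plus the WGA Notifications handler. A real one is longer.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# "O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)"
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O20"
    reason: str  # why an analyst should look at this line
    line: str    # the original log line, unchanged


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line deserves review, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line, etc.
    code, body = m.group("code"), m.group("body")
    missing = "(file missing)" in body.lower()

    if code == "O2":
        if "(no name)" in body:
            return Finding(code, "BHO registered without a name; check its DLL path", line)
        if missing:
            return Finding(code, "BHO whose DLL is gone; stale or partly cleaned entry", line)
    elif code == "O20":
        nm = NOTIFY_RE.match(body)
        if nm and nm.group("name").lower() not in KNOWN_NOTIFY:
            return Finding(code, "Winlogon Notify handler not on the allow-list", line)
        if nm and missing:
            return Finding(code, "Winlogon Notify handler whose DLL is gone", line)
    elif code == "R1" and "ProxyServer" in body:
        return Finding(code, "IE proxy configured; confirm you set it yourself", line)
    elif code == "O17":
        return Finding(code, "adapter DNS servers set; confirm they belong to your ISP", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log and keep the hits."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line.strip()}")
```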


----------



## Black_Dragon (May 8, 2007)

Hi DFW,

I have done the required tests specified in the previous post.

Now I'm posting the reports.

Here is the ComboFix log:
ComboFix 07-08-09.3 - "Alien" 2007-08-12 17:57:54.2 - NTFSx86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1407 [GMT 5.5:30]
Command switches used :: C:\Documents and Settings\Alien\Desktop\Malware Tools\Combo Fix\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\winmqx32.dll
C:\WINDOWS\system32\qpqss.ini2
C:\WINDOWS\system32\qpqss.bak1

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.ini2

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NPF

((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))

2007-08-12 12:43 d--------	C:\DOCUME~1\Guest\APPLIC~1\Windows Desktop Search
2007-08-11 23:02	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-11 14:24 d--------	C:\DOCUME~1\Alien\APPLIC~1\ABBYY
2007-08-11 12:05 d--------	C:\Rapidshare
2007-08-10 20:31 d--------	C:\Program Files\Lavasoft
2007-08-10 20:31 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-08-10 08:38	5,542	--a------	C:\WINDOWS\system32\tmp.reg
2007-08-09 01:07 d--------	C:\DOCUME~1\Alien\APPLIC~1\Windows Desktop Search
2007-08-09 01:04 d--------	C:\Program Files\Windows Desktop Search
2007-08-09 00:30 d--------	C:\WINDOWS\system32\ActiveScan
2007-08-08 23:46	32,592	--a------	C:\WINDOWS\system32\msonpmon.dll
2007-08-08 23:45 d--------	C:\Program Files\Microsoft Works
2007-08-08 23:40 d--------	C:\Program Files\Microsoft Visual Studio 8
2007-08-08 23:38 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-08 23:34 dr-h-----	C:\MSOCache
2007-08-08 20:09	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-08-06 14:02 d--------	C:\Program Files\iTunes
2007-08-06 14:02 d--------	C:\Program Files\iPod
2007-08-05 20:08 d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-05 20:06 d--------	C:\Program Files\MSBuild
2007-08-05 19:59 d--------	C:\WINDOWS\system32\XPSViewer
2007-08-05 19:56 d--------	C:\Program Files\Reference Assemblies
2007-08-05 19:54	14,048	--a------	C:\WINDOWS\system32\spmsg2.dll
2007-08-05 18:25 d--------	C:\Program Files\MSXML 6.0
2007-08-05 17:51	271,224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-08-02 20:33 d--------	C:\Program Files\Endorsor Verifier
2007-08-02 01:46 d--------	C:\Program Files\Free Desktop Clock
2007-08-01 23:59 d--------	C:\Program Files\Attache Transparent Clock
2007-08-01 23:46	278,528	--a------	C:\WINDOWS\system32\livesnth.dll
2007-08-01 23:46	203,776	--a------	C:\WINDOWS\system32\clrviddc.dll
2007-08-01 00:50 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-28 12:01 d--------	C:\Program Files\HEROSOFT
2007-07-26 08:57 d--------	C:\Program Files\RadioXpi
2007-07-25 22:03 d--------	C:\Program Files\Raxco
2007-07-25 22:03 d--------	C:\Program Files\Common Files\Raxco
2007-07-25 22:03 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Raxco
2007-07-25 20:06 d--------	C:\Program Files\Common Files\xing shared
2007-07-25 01:05 d--------	C:\WINDOWS\system32\vmm32
2007-07-25 00:08	1,795	--a------	C:\WINDOWS\mozver.dat
2007-07-25 00:08 d--------	C:\Program Files\DivX
2007-07-24 20:42 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-07-23 07:26	0	--a------	C:\WINDOWS\nsreg.dat
2007-07-22 20:20 d--------	C:\Program Files\WinAVI MP4 Converter
2007-07-22 13:24	22,112	-ra------	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-07-21 14:05	129,784	--a------	C:\WINDOWS\system32\pxafs.dll
2007-07-21 13:11	21,504	--a------	C:\WINDOWS\system32\drivers\motmodem.sys
2007-07-21 13:11	1,419,232	--a------	C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-07-21 13:11 d--------	C:\Program Files\Common Files\Motorola Shared
2007-07-21 13:10	92,064	--a------	C:\DOCUME~1\Alien\mqdmmdm.sys
2007-07-21 13:10	9,232	--a------	C:\DOCUME~1\Alien\mqdmmdfl.sys
2007-07-21 13:10	79,328	--a------	C:\DOCUME~1\Alien\mqdmserd.sys
2007-07-21 13:10	66,656	--a------	C:\DOCUME~1\Alien\mqdmbus.sys
2007-07-21 13:10	6,208	--a------	C:\DOCUME~1\Alien\mqdmcmnt.sys
2007-07-21 13:10	5,936	--a------	C:\DOCUME~1\Alien\mqdmwhnt.sys
2007-07-21 13:10	4,048	--a------	C:\DOCUME~1\Alien\mqdmcr.sys
2007-07-21 12:05 d--------	C:\DOCUME~1\Alien\APPLIC~1\InstallShield
2007-07-17 15:47 d--------	C:\DOCUME~1\Guest\APPLIC~1\Notepad++
2007-07-14 23:05 d--------	C:\DOCUME~1\Alien\APPLIC~1\pdf995
2007-07-14 22:34	51,716	--a------	C:\WINDOWS\system32\pdf995mon.dll
2007-07-14 22:34	249,856	--a------	C:\WINDOWS\system32\pdfmona.dll
2007-07-14 22:34 d--------	C:\Program Files\pdf995
2007-07-14 22:34 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\pdf995
2007-07-14 22:19 d--h-----	C:\Program Files\Zero G Registry
2007-07-14 22:18 d--h-----	C:\DOCUME~1\Alien\InstallAnywhere
2007-07-14 22:17 d--------	C:\Program Files\Adobe Flex Builder
2007-07-14 10:30 d--------	C:\Program Files\Norton AntiVirus
2007-07-12 17:22	774,144	--a------	C:\Program Files\RngInterstitial.dll
2007-07-12 15:00 d--------	C:\Program Files\iDump

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 17:48	---------	d--------	C:\Program Files\FlashGet
2007-08-11 16:31	---------	d--------	C:\Program Files\Common Files\Symantec Shared
2007-08-10 22:45	9344	--a------	C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-10 22:45	8320	--a------	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-09 08:35	---------	d--------	C:\Program Files\Windows Defender
2007-08-09 08:34	---------	d--------	C:\Program Files\vCricket.com Toolbar
2007-08-09 08:33	---------	d--------	C:\Program Files\QuickTime
2007-08-09 08:33	---------	d--------	C:\Program Files\Picasa2
2007-08-09 08:33	---------	d--------	C:\Program Files\PC Connectivity Solution
2007-08-09 08:33	---------	d--------	C:\Program Files\Notepad++
2007-08-09 08:32	---------	d--------	C:\Program Files\Motorola Phone Tools
2007-08-09 08:27	---------	d--------	C:\Program Files\Google
2007-08-09 08:27	---------	d--------	C:\Program Files\Dell Support
2007-08-08 21:32	---------	d--------	C:\Program Files\HJT
2007-08-04 11:09	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-08-02 22:44	---------	d--------	C:\Program Files\TweakNow RegCleaner Std
2007-07-25 20:06	---------	d--------	C:\Program Files\Common Files\Real
2007-07-25 19:44	---------	d--------	C:\DOCUME~1\Alien\APPLIC~1\Real
2007-07-21 14:06	---------	d--------	C:\Program Files\Winamp
2007-07-21 13:12	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-21 13:12	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-07-21 13:10	22768	--a------	C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-07-21 12:05	---------	d--------	C:\Program Files\Avanquest update
2007-07-21 00:49	---------	d--------	C:\Program Files\Yahoo!
2007-07-14 11:14	806	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-14 11:14	8014	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-14 11:14	48776	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-14 11:14	115000	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-14 11:14	---------	d--------	C:\Program Files\Symantec
2007-07-13 00:58	---------	d--------	C:\DOCUME~1\Alien\APPLIC~1\Apple Computer
2007-07-12 17:17	---------	d--------	C:\Program Files\Real
2007-07-11 21:26	---------	d--------	C:\Program Files\Common Files\Apple
2007-07-11 21:26	---------	d--------	C:\Program Files\Apple Software Update
2007-07-10 00:37	200704	--a------	C:\WINDOWS\system32\ssldivx.dll
2007-07-10 00:37	1044480	--a------	C:\WINDOWS\system32\libdivx.dll
2007-06-17 23:39	---------	d--------	C:\Program Files\CCleaner
2007-06-14 11:22	---------	d--------	C:\DOCUME~1\Alien\APPLIC~1\AdobeUM
2007-05-24 07:40	227856	--a------	C:\WINDOWS\system32\PDBoot.exe
2007-05-16 20:42	86528	--a--c---	C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 20:42	85504	--a--c---	C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 20:42	683520	--a--c---	C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 20:42	683520	--a------	C:\WINDOWS\system32\inetcomm.dll
2007-05-16 20:42	510976	--a--c---	C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 20:42	1314816	--a--c---	C:\WINDOWS\system32\dllcache\msoe.dll
2006-12-18 23:27	251	--a------	C:\Program Files\wt3d.ini

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 18:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"NWEReboot"="" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 18:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 17:58]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-04-25 11:49]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 04:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2007-07-25 20:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-25 20:05]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 21:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]
"Crammer"="C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:30]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 23:38]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"AttacheTransparentClock"="C:\Program Files\Attache Transparent Clock\AttacheClock.exe" [2002-08-28 00:41]
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmqx32] 
winmqx32.dll

R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 WSearch;Windows Search;C:\WINDOWS\system32\SearchIndexer.exe /Embedding
R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 zlportio;zlportio;\??\C:\Program Files\Attache Transparent Clock\zlportio.sys
S3 CO_Mon;CO_Mon;\??\C:\WINDOWS\system32\Drivers\CO_Mon.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 nmwcd;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 nmwcdc;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 PDExchange;PDExchange;"C:\Program Files\Raxco\PerfectDisk\PDExchange.exe"
S3 sffdisk;SFF Storage Class Driver;C:\WINDOWS\system32\DRIVERS\sffdisk.sys
S3 sffp_sd;SFF Storage Protocol Driver for SDBus;C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 UIUSys;Conexant Setup API;C:\WINDOWS\system32\drivers\UIUSys.sys
S3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{577568ae-aeb5-11db-b5a3-00030d000001}]
Auto\command- E:\AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7476704b-eb1b-11db-b675-0015c5beff6c}]
AutoRun\command- ie.exe
explore\Command- ie.exe
open\Command- ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b397a6c2-8eb7-11db-b51b-0015c5beff6c}]
Auto\command- MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

*Newly Created Service* - ZLPORTIO

Contents of the 'Scheduled Tasks' folder
2007-08-01 04:56:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job 
2007-08-12 12:36:26 C:\WINDOWS\Tasks\MP Scheduled Scan.job 
2007-08-10 14:31:08 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Alien.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 18:04:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000024b
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex]
"LogName"="C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy10.gthr"
"LogNumber"=dword:0000000a

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-12 18:10:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-12 18:09

--- E O F ---

And here is the SmitfraudFix log:

SmitFraudFix v2.210

Scan done at 17:40:02.68, Sun 08/12/2007
Run from C:\Documents and Settings\Alien\Desktop\Malware Tools\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer=202.9.145.6,202.9.145.7
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer=172.30.0.1,202.56.250.5
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer=202.9.145.6,202.9.145.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer=172.30.0.1,202.56.250.5
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer=202.9.145.6,202.9.145.7
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer=172.30.0.1,202.56.250.5

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

And here is the AVG Anti-Spyware report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	9:42:49 PM 8/12/2007

+ Scan result:

C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP204\A0054977.exe -> Backdoor.Rbot.adf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP215\A0062933.exe/crack.exe -> Backdoor.Rbot.adf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP199\A0043478.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP196\A0042128.dll -> Downloader.Agent.bkd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP199\A0044492.exe/keygen.exe -> Downloader.LoadAdv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP199\A0044494.exe -> Downloader.LoadAdv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP214\A0061883.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP195\A0039964.exe -> Downloader.Zlob.btq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP196\A0040023.exe -> Downloader.Zlob.bvj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C75D9FD5-F6F4-47EF-85BE-87CE5A421673}\RP199\A0044496.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).

::Report end


----------



## Black_Dragon (May 8, 2007)

Here is the latest HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:13 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Attache Transparent Clock\AttacheClock.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: TBSB08057 Class - {75E5BE62-491C-43D1-9AA0-764A88CF2D32} - C:\PROGRA~1\VCRICK~1.COM\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AttacheTransparentClock] C:\Program Files\Attache Transparent Clock\AttacheClock.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186309914578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


----------



## Black_Dragon (May 8, 2007)

Here is the latest HijackThis Report......

Logfile of HijackThis v1.99.1
Scan saved at 10:35:13 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Attache Transparent Clock\AttacheClock.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: TBSB08057 Class - {75E5BE62-491C-43D1-9AA0-764A88CF2D32} - C:\PROGRA~1\VCRICK~1.COM\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AttacheTransparentClock] C:\Program Files\Attache Transparent Clock\AttacheClock.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186309914578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


----------
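A small triage script, added here as an example and not part of the thread or of HijackThis itself. It parses lines in the HJT v1.99.1 format used in the logs above and flags the kinds of entries a helper reads first: a proxy or name server outside private address space, browser components whose file is gone, Run entries that are a bare filename or that start from a user-writable directory, and services whose binary is missing. The sample lines are copied (one of them trimmed) from the logs in this thread; the heuristics are my own assumptions about what merits a look, not a verdict that any entry is malicious.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample in HijackThis v1.99.1 line format. The lines are copied
# (one of them trimmed) from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Crammer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
""".strip()

# "R1 - ..." / "O23 - ...": section code, separator, payload.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")

# Assumed heuristic: autostart binaries living under profile or temp
# directories deserve a look (Vundo-era droppers often ran from there).
USER_WRITABLE = ("c:\\documents and settings\\", "\\local settings\\temp")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, payload) pairs; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def is_private_ip(addr: str) -> bool:
    """True for RFC 1918 / loopback style addresses; False for public or non-IP text."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def triage(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Apply the review heuristics and return (section, note) findings."""
    findings = []
    for sec, body in entries:
        low = body.lower()
        if sec == "R1" and "proxyserver" in low:
            # Single "host:port" form; the "http=...;https=..." form is not handled.
            proxy = body.split("=", 1)[1].strip()
            host = proxy.rsplit(":", 1)[0]
            if not is_private_ip(host):
                findings.append((sec, "IE proxy is outside private address space: " + proxy))
        elif sec in ("R3", "O2", "O3") and "(no file)" in low:
            findings.append((sec, "registered browser component whose file is gone: " + body))
        elif sec == "O4":
            target = re.sub(r"^.*?\]\s*", "", body)  # strip 'HKLM\..\Run: [name]'
            tl = target.lower()
            if not tl.startswith(('"', "c:\\")):
                # Bare filename: resolved by path search, so easy to shadow.
                findings.append((sec, "Run entry without a full path: " + target))
            elif any(d in tl for d in USER_WRITABLE):
                findings.append((sec, "Run entry starts from a user-writable location: " + target))
        elif sec == "O17":
            servers = [s.strip() for s in body.split("=", 1)[1].split(",")]
            public = [s for s in servers if not is_private_ip(s)]
            if public:
                # Public resolvers are normal on an ISP link; confirm they are the ISP's.
                findings.append((sec, "name servers outside private ranges: " + ", ".join(public)))
        elif sec == "O23" and "(file missing)" in low:
            findings.append((sec, "service whose binary is not on disk: " + body))
    return findings


if __name__ == "__main__":
    for sec, note in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec:<4} {note}")
```

Run as-is it prints six findings for the sample; each is a prompt to check the entry against the vendor, the file on disk and the ISP's published settings, not a removal list. The "(file missing)" Symantec entries, for instance, are the product's own service registrations pointing at a quoted command line HijackThis does not parse cleanly, which is why a helper asks for scanner output before deleting anything.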



## DFW (Jun 12, 2004)

Thanks for those. Any luck this time with the Kaspersky Online Scanner?


----------



## Black_Dragon (May 8, 2007)

Hi DFW,
I will run the Kaspersky Online Scanner now and I will update you.


----------



## Black_Dragon (May 8, 2007)

Hi DFW,

Here is the Kaspersky Online Scanner report......

Due to space constraints, I'm attaching the report file to this post.

Please have a look at this report.


----------



## DFW (Jun 12, 2004)

*Hi Black Dragon*

Please make sure hidden files are still set to be seen

*Reconfigure Windows XP to show hidden files:* 
Double-click the My Computer icon on the Windows desktop.  
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".  
Uncheck the "Hide protected operating system files (recommended)" option. 
Uncheck the "Hide file extensions for known file types" option. 
Click Yes to confirm. Click OK.

Restart into safe mode

*Delete suspect files/folders* 
Using Windows Explorer, browse for the following files/folders and delete as instructed 
NB Some files may have already been deleted by earlier actions so don't worry if you do not see them:

C:\WINDOWS\system32\rfbcauql.dll.vir

C:\Documents and Settings\Guest\Local Settings\Temp\fgbdxxqa.exe

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\JKRSWP1V <<<<Folder

C:\Softwares\Media Players\Cyberlink.PowerDVD.Ultra.Deluxe.v7.4.Multilingual.Incl.Keygen-ViRiLiTY.rar <<<<RAR archive

*Restart back into normal mode and post a new HJT log, and confirm that you were able to find and delete the above files.*


----------



## Black_Dragon (May 8, 2007)

Hi DFW,
Here is the latest HJT log.....

Logfile of HijackThis v1.99.1
Scan saved at 9:25:36 AM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Attache Transparent Clock\AttacheClock.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: TBSB08057 Class - {75E5BE62-491C-43D1-9AA0-764A88CF2D32} - C:\PROGRA~1\VCRICK~1.COM\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AttacheTransparentClock] C:\Program Files\Attache Transparent Clock\AttacheClock.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186309914578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


----------



## DFW (Jun 12, 2004)

*Thanks for the log.*

But can you confirm that *you deleted the files in my last post*, and how is your system running now?


----------



## Black_Dragon (May 8, 2007)

Hi,
Thanks for the help.

I have deleted the files which you specified.

And now the system is running fine.

But I have some problems with booting: my system is taking too much time to boot/start up.

Can you help me with speeding up my system startup?


----------



## DFW (Jun 12, 2004)

*Hi Black_Dragon.*

*You have a vCricket.com Toolbar installed*; at present it is *open to debate* whether this toolbar is malware or not. Info below.

http://www.siteadvisor.com/sites/vc...client_ver=ie_2.4.6066.0&client_type=IEPlugin

If you want to uninstall it, look in Add/Remove Programs for its uninstaller and run it, then fix these lines in HJT.

*O2 - BHO: TBSB08057 Class - {75E5BE62-491C-43D1-9AA0-764A88CF2D32} - C:\PROGRA~1\VCRICK~1.COM\toolbar.dll
O3 - Toolbar: vCricket.com Toolbar - {CA2BD8B5-70EA-4190-AB73-78E58D5311CD} - C:\Program Files\vCricket.com Toolbar\toolbar.dll*

*If you decide to remove this program, also remove the following folder:*

C:\Program Files\vCricket.com Toolbar

*With regards to your slow boot,* you do have a lot of programs loading at start-up; the more you have, the longer it's going to take. Here are some start-up items that you don't need; *please read and decide which ones to go or keep.*
*The Free Desktop Clock is one. Do you really need it? If not, then uninstall it.*

Go to Add/Remove Programs in the Control Panel, look for Free Desktop Clock or DesktopClock, and run the uninstaller.

Now go to the C drive, Program Files, and remove its folder:

C:\Program Files\Free Desktop Clock

*Here is a list of programs you have running at startup, removing them from starting up with your system would help with your boot time.*

*quickset.exe (Dell QuickSet)* process can be removed to free up resources without compromising system performance. 
quickset.exe (Dell QuickSet) is the Dell taskbar icon allowing you to quickly change settings. This program is not required to start automatically as 
you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. 
Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. 
This is the item to fix in HijackThis:

*O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe*

*nerocheck.exe* is a process associated with the Nero CD writing or Nero CD/DVD software. 
It is used to install or control the Nero driver nerocd2k.sys application. This process should not be removed while using the Nero CD Writing software. 
This program constantly checks for known drivers that can conflict with our Nero/Nero Express/NeroVision Express software. 
This program is not required to start automatically as you can start it manually if you need it. 
It is advised that you disable this program so that it does not take up necessary resources. 
It may be worthwhile to fix it with HijackThis. 
Item(s) to fix in HijackThis:

*O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe*

*apdproxy.exe (adobe photo downloader)* process can be removed to free up resources without compromising system performance.
From Adobe_Photoshop_Album: not to be terminated unless suspected to be causing problems. 
This program is not required to start automatically as you can start it manually if you need it. 
It is advised that you disable this program so that it does not take up necessary resources. 
Many users have reported this process slows their boot time. 
It may be worthwhile to fix it with HijackThis. 
Item(s) to fix in HijackThis:

*O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"*

You have *reader_sl.exe* running at Startup. This is a process associated with the Adobe Reader. 
It is used to decrease the load time for the reader when a PDF document is selected. This is a non-essential process. 
You will still be able to start it manually if you need it. You can fix this with HijackThis. 
Item(s) to fix in HijackThis:

*O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe*

You have *QuickTime* running at Startup. This is QuickTime's system tray icon and not necessary for the program to function properly. 
It is considered to be a resource hog. You will still be able to start it manually if you need it. You can fix this with HijackThis, 
but you will need to change the setting in QuickTime Player itself to keep it from resetting itself.
This is the item to fix in HijackThis:

*O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime*

There is a small program that will prevent QuickTime from resetting itself. 
Please download *Engraph-QuickTime-Killer* 
This is a free utility from EnGraph software. For more information about EnGraph, go to www.engraph.com. This application is intended for people that use or consume Sprint Video Mail,
as Sprint uses QuickTime for viewing their movies (or anybody that hates QuickTime). Of course, as soon as QuickTime is run, it adds itself to startup, which is very annoying to me.
This application will remove QuickTime from start-up and kill any running QuickTime processes. This application runs silently at start-up and closes itself as soon as it takes care of QuickTime.

*PicasaMediaDetector.exe* process can be removed to free up resources without compromising system performance. This is the Media detector for Picasa's automatic photo organizer. 
This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources.
Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. 
This is the item to fix in HijackThis:

*O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"*

You have *jusched.exe* running at Startup. It checks with Sun's Java updates site to see if newer Java versions are available. 
This program is not required to start automatically. You can do this manually by visiting http://java.sun.com or just run the Java Plug-In Control Panel. 
It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. 
This is the item to fix in HijackThis:

*O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"*

You have RealPlayer running at Startup. This is RealPlayer's autoupdate program and is not necessary for the program to function properly. It is considered to be a resource hog. 
You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in RealPlayer itself to keep it from resetting itself.
This is the item to fix in HijackThis:

*O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot*

You could also go into Real player settings and turn off RealOneMessageCenter.

You have *iTunesHelper.exe* running at Startup. iTunesHelper.exe is a process belonging to the iTunes MP3 streaming tool by Apple, which allows you to play MP3s.
This process speeds up iTunes when it starts, and the program also monitors for connected iPod devices. This program is not required to start automatically as you can start it manually if you need it. 
It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. 
Item(s) to fix in HijackThis:

*O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe*

*DSAgnt.exe (Dell Support Agent)* process can be removed to free up resources without compromising system performance. Dell Support Agent offers additional support and
update features for your Dell computer or laptop. Whether or not you need to run this program on startup must be decided by you. 
If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it.
This program is not required to start automatically as you can start it manually if you need it. 
It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time.
It may be worthwhile to fix it with HijackThis. 
This is the item to fix in HijackThis:

*O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup*

*googletoolbarnotifier or googletoolbarnotifier.exe* process can be removed to free up resources without compromising system performance. googletoolbarnotifier or googletoolbarnotifier.exe is a
process associated with the GoogleToolbarNotifier from Google Inc. Disabling or enabling it is down to user preference. This program is not required to start automatically as you can start it
manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time.
It may be worthwhile to fix it with HijackThis. 
This is the item to fix in HijackThis:

*O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe*

*yahoomessenger.exe (Yahoo! Messenger)* process can be removed to free up resources without compromising system performance.
yahoomessenger.exe is the executable for Yahoo! Messenger, a free instant messaging software from Yahoo! Inc. It allows you to send and receive messages from online contacts.
Other features include LAUNCHcast radio, Yahoo! Weather and Yahoo! Games. Disabling or enabling it is down to user preference. This program is not required to start automatically as you can 
start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time.
It may be worthwhile to fix it with HijackThis. 
Item(s) to fix in HijackThis:

*O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (filesize 4662776 bytes, MD5 3A756D4066CC3BB8426EB08ABB6B5B10)*

*Now please post a new HJT Log and a description of how your PC is behaving now.*


----------



## Black_Dragon (May 8, 2007)

Hi DFW, thanks for your valuable help.

I have removed the things you specified, except those two desktop clocks. Actually, I installed those two intentionally, so I don't want to remove them for now; if they affect system performance badly, then I'll remove them.

I have removed them through HJT and restarted my system. It took around 2-3 mins to get the desktop all set, somewhat better than before.

And one more thing: I have found some other startups in the HJT log.
I think these are also not mandatory.
Please check these and suggest whether they can be removed or not.

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe

and here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:37:03 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Attache Transparent Clock\AttacheClock.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Notepad++\notepad++.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.30.0.1/24online/webpages/client.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AttacheTransparentClock] C:\Program Files\Attache Transparent Clock\AttacheClock.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186309914578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


----------



## DFW (Jun 12, 2004)

*There's the info on the extra startups you requested*

* ehtray.exe (Windows XP Media Center Edition 2005) * process can be removed to free up resources without compromising system performance. 
Enables the user to access Windows Messenger from within Media Center. This program is not required to start automatically as you can start it
manually if you need it. It is advised that you disable this program so that it does not take up necessary resources.
Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. 
This is the item to fix in HijackThis:

* O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe *

*cli.exe - cli (ATI Catalyst Control Centre)* process can be removed to free up resources without compromising system performance. 
cli.exe is installed alongside ATI's range of graphics cards with the Catalyst hardware driver range. Installs an easy-to-access taskbar icon for access
to diagnostics features. This is a non-essential process. Disabling or enabling it is down to user preference. 
This program is not required to start automatically as you can start it manually if you need it. 
It is advised that you disable this program so that it does not take up necessary resources. 
Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. 
Item(s) to fix in HijackThis:

*O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay*

With Nokia PC Suite 6, go into the settings and remove the setting to auto start. Not needed, your choice.

*O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup *

You have RealPlayer running at Startup. This is RealPlayer's autoupdate program and is not necessary for the program to function properly. 
It is considered to be a resource hog. You will still be able to start it manually if you need it. You can fix this with HijackThis, 
but you will need to change the setting in RealPlayer itself to keep it from resetting itself. 
This is the item to fix in HijackThis:

*O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot *

*PDVDServ.exe* process can be removed to free up resources without compromising system performance. 
PDVDServ.exe is the Remote Control background application for CyberLink's PowerDVD version 5 and above. 
It enables you to use a remote control with your DVD drive if your drive came with one.
Not required if you don't have a remote control, or don't wish to use one. 
Whether or not you need to run this program on startup must be decided by you. 
If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. 
This program is not required to start automatically as you can start it manually if you need it. 
It is advised that you disable this program so that it does not take up necessary resources. 
Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. 
This is the item to fix in HijackThis:

*O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"*

*You could fix this one as well*

*O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"*

*What is this one? I can find no reference to malware. Do you know what it is, and do you use it?

O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\D ictionary\Crammer.exe*

*These are Needed*

*O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide 
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" 
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized *

*Here is a great tool to control what starts up on your system*

http://www.mlin.net/StartupCPL.shtml

*The good news is your log is now clean, we just need to tidy up and remove Malware from System Restore and Backups.* :up:

*Delete these tools from your desktop as they are not needed now*

*VundoFix
AVZ4en
SDFIX
Safeboot Repair Key
Sysclean
Combofix
Smitfraudfix*

*Now delete their folders*

C:\Documents and Settings\Alien\Desktop\Malware Tools\SmitfraudFix

C:\QooBox

C:\VundoFix Backups

*We need to clean out all the malware in your system restore, 
to make sure there are no infected files found in a restore point. *


Go to Start > All Programs > Accessories > System Tools > System Restore

Select *Create a restore point*, and Ok it.

Next, go to Start > Run and type in *cleanmgr*

Select the *More options* tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

* We Need to Unhide Hidden files*

*Set correct settings for files that should be hidden in Windows XP* 

Click *Start* > *My Computer* > *Tools* menu (at top of page) > *Folder Options* > *View* tab. 
Under "Hidden files and folders" if necessary select *Do not show hidden files and folders*. 
If unchecked, please check *Hide protected operating system files (Recommended)* 
If necessary check "Display content of system folders" 
If necessary Uncheck *Hide file extensions for known file types*. 
Click *OK*

*Now you're clean; here's some information on staying clean, and some tools that may help you*

*I don't see any indication of a Firewall in your HijackThis log. This may be because: *

(a.) You are using Windows Firewall or a hardware Firewall. 
(b.) You are using a Firewall of an unknown vendor. 
(c.) You are using a Firewall, but it is disabled for unknown reasons.

*In case you don't have a Firewall, or are using the Windows Firewall or just a hardware Firewall, which do not have outgoing protection,
please download a free one from below; you need incoming and outgoing protection.* 
Outbound protection plays just as important a role as inbound for securing your computer.
*You may unknowingly have had malware installed on your computer*; if that malware then tries to send any information out, the firewall will stop it. This is done by the firewall 
creating rules for programs that need outbound access, like Internet Explorer or Outlook; when an unknown program tries to send data out, the firewall will stop it and alert you.

*FREE FIREWALLS* 

Outpost 
Kerio 
Zone Alarm 

*A nice firewall tutorial*: http://www.bleepingcomputer.com/tutorials/tutorial60.html


*Make your Internet Explorer more secure* - This can be done by following these simple instructions: 
From within Internet Explorer click on the *Tools* menu and then click on *Options*. 
Click once on the *Security* tab 
Click once on the *Internet* icon so it becomes highlighted. 
Click once on the *Custom Level* button. 
Change the *Download signed ActiveX controls* to *Prompt*

Change the *Download unsigned ActiveX controls* to *Disable*

Change the *Initialize and script ActiveX controls not marked as safe* to *Disable*

Change the *Installation of desktop items* to *Prompt*

Change the *Launching programs and files in an IFRAME* to *Prompt*

Change the *Navigate sub-frames across different domains* to *Prompt*

When all these settings have been made, click on the *OK* button.

If it prompts you as to whether or not you want to save the settings, press the *Yes* button. 
Next press the *Apply* button and then the *OK* to exit the Internet Properties page.



*Visit Microsoft's Windows Update Site Frequently* - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

*Install Ad-Aware* - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

*Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer*

*Install Spybot - Search and Destroy* - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with anti-virus software. A tutorial on installing & using this product can be found here:

*Instructions for - Spybot S & D and Ad-aware*

*Install SpywareBlaster* - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

*Using SpywareBlaster to protect your computer from Spyware and Malware*

*Update all these programs regularly* - Make sure you update all the programs I have listed regularly. Without regular updates you *WILL NOT* be protected when new malicious programs are released. 
Follow this list and your potential for being infected again will reduce dramatically.

Please have a look at the link below; it gives good advice on Internet security.

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Also, please read this great article by Tony Klein: "So How Did I Get Infected In the First Place?"

*Do you have any more questions?*


----------



## Black_Dragon (May 8, 2007)

Hi DFW,

Thanks a lot for your valuable help.....
I have done the appropriate actions you have specified above.....

I think you have asked me about "Crammer".....
You can find the required information about *Crammer* here....

Now please tell me what I have to do next .......


----------



## DFW (Jun 12, 2004)

Ok thanks for the info on Crammer http://software.korzh.com/crammer/

That looks fine.

*You are clean now, so there's nothing else left to do*, just follow the advice in my last post, 
keep away from P2P software and downloads, and the chance of getting reinfected again will reduce dramatically.

*Safe Surfing.*


----------



## Black_Dragon (May 8, 2007)

Thanks a lot for your help, DFW....


----------



## DFW (Jun 12, 2004)

You're welcome :up:


----------



## Black_Dragon (May 8, 2007)

Hi DFW,

Nice to meet you again.....

How are you ? How is life going on ??

And sorry to message you, actually my system got affected with a "*browser hijacker*" again.

Here I'm attaching my HijackThis Log with this post, please check and help me in resolving this issue...

Thanks in advance.

Here is my HijackThis Log ..

Logfile of HijackThis v1.99.1
Scan saved at 7:26:39 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Attache Transparent Clock\AttacheClock.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MSVPS System - {A477EBE4-ABE9-4A9D-B1B4-0EB1D0D025CE} - C:\WINDOWS\werbetdqw.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: The hdtip - {85B2F289-7128-4C5A-A330-F9FC01432D3A} - C:\WINDOWS\hdtip.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [AttacheTransparentClock] C:\Program Files\Attache Transparent Clock\AttacheClock.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - https://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.19/uploader2.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170392131505
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186309914578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EAC91CA-735E-49B5-A5EA-0A113573D813}: NameServer = 202.9.145.6,202.9.145.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CE6430-139E-4228-9C57-2B7B98DB4DA0}: NameServer = 172.30.0.1,202.56.250.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: gormet - {56A33B06-E19C-4236-8C8D-883B665E002C} - C:\WINDOWS\gormet.dll
O21 - SSODL: pmkret - {EEE9B305-24E2-412D-B2AF-C42446F3ABD2} - C:\WINDOWS\pmkret.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


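Both DFW's walk-through of the O4 startup entries earlier in the thread and the hijacker log just posted (the R0 start page, the R1 proxy, and the DLLs in O2/O3/O21 that sit directly in C:\WINDOWS rather than in a subfolder) come down to reading HijackThis lines by section. The following is an added example for this thread, not code from the thread, from HijackThis or from any tool DFW used: a small Python triage pass that parses such lines and lists the ones a helper would ask about first. The heuristics (a module loading from the Windows directory root, an autostart under Documents and Settings, an IE start page not on the caller's expected list, a configured proxy server) are my own, they produce items for review rather than verdicts, and the sample lines are copied from the logs posted above.

```python
"""Triage pass over HijackThis 1.99 log lines (added example, not HijackThis code).

The heuristics here are the example author's own. They point a reviewer at the
lines worth a second look; they do not decide that anything is malware.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Sample input: lines copied from the HijackThis logs posted in this thread.
# The Crammer line comes from the earlier log, copied exactly as posted
# (the stray space in "D ictionary" is in the original post).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {A477EBE4-ABE9-4A9D-B1B4-0EB1D0D025CE} - C:\WINDOWS\werbetdqw.dll
O3 - Toolbar: The hdtip - {85B2F289-7128-4C5A-A330-F9FC01432D3A} - C:\WINDOWS\hdtip.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\All Users\Documents\Naresh\Vamsi\Vamsi\Mails\Dictionary\Dictionary\Dictionary\D ictionary\Crammer.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: gormet - {56A33B06-E19C-4236-8C8D-883B665E002C} - C:\WINDOWS\gormet.dll
O21 - SSODL: pmkret - {EEE9B305-24E2-412D-B2AF-C42446F3ABD2} - C:\WINDOWS\pmkret.dll
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe"
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# First drive-letter path ending in .exe or .dll in the body; quotes are excluded.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)', re.IGNORECASE)
# A module sitting directly in the Windows directory rather than in a subfolder.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.(?:dll|exe)$", re.IGNORECASE)
# An autostart whose binary lives under a user profile / shared documents tree.
USER_DATA_RE = re.compile(r"\\documents and settings\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. "O4"
    body: str             # everything after "<section> - "
    path: Optional[str]   # file path found in the body, if any
    value: Optional[str]  # registry data for R0/R1/R2 lines, if any


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into section code, body, file path and registry value."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    section, body = m.groups()
    path = value = None
    if section.startswith("R"):
        # R-lines read "<key>,<value name> = <data>"; keep only the data part.
        _, sep, data = body.partition(" = ")
        value = data.strip() if sep else ""
    else:
        found = PATH_RE.search(body)
        path = found.group(0) if found else None
    return Entry(section, body, path, value)


def triage(lines: Iterable[str], expected_start_pages: Iterable[str] = ()) -> list:
    """Return (section, reason, detail) tuples for the lines a reviewer should look at."""
    expected = set(expected_start_pages)
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.section == "R0" and e.value and e.value not in expected:
            findings.append((e.section, "IE start/search setting not on the expected list", e.value))
        elif e.section == "R1" and "ProxyServer" in e.body and e.value:
            findings.append((e.section, "IE proxy server is set", e.value))
        elif e.section in ("O2", "O3", "O20", "O21") and e.path and WINDIR_ROOT_RE.match(e.path):
            findings.append((e.section, "module loaded from the Windows directory root", e.path))
        elif e.section == "O4" and e.path and USER_DATA_RE.search(e.path):
            findings.append((e.section, "autostart from a user-data folder", e.path))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{section:<4} {reason:<48} {detail}")
```

Run against the sample, the pass lists seven lines: the start page, the proxy, the four DLLs in the Windows directory root, and the Crammer autostart (the same entry DFW asked about by hand). Passing the user's known-good start page in `expected_start_pages` drops the R0 line, so a helper can tune the output to what the user says they configured themselves.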

----------



## DFW (Jun 12, 2004)

Hi Black_Dragon

Should you be posting in the 06 room at home base, or am I mistaken?


----------



## Black_Dragon (May 8, 2007)

You want me to post in another forum?

Can you post me the link to that *room* so that I can post there...


----------

