# Solved: HELP!! Infected with em.pc-on-internet/amaena and others



## Turanganui (May 23, 2007)

Alas, like many others, I have fallen victim to these nasty popups. I have already tried: XoftSpySE, Hoster, Winsockxpfix, removereg, Vundofix, VirtumundoBeGone, ATF Cleaner and HijackThis, to no avail. The pop-ups nearly always begin with em.pc-on-internet.com. Any help you can give me would be greatly appreciated. Below is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:20:37 PM, on 23/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\DrWeb\SpiderNT.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Windows\system32\HpSrvUI.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\Program Files\DrWeb\spiderml.exe
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gisbornenz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nz.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nz.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093314493015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177460353359
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe
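The log above is the HijackThis format that the rest of this thread is read against. As an added example (not HijackThis code and not something any poster in the thread supplied), the script below parses the `Oxx - ` lines into structured entries and lists the items a helper usually checks first: references to missing files, unnamed BHOs and buttons, how many times each Winsock LSP DLL is layered, autostart binaries that live outside Program Files, ActiveX download hosts, and Winlogon/SSODL/service paths. The sample lines are copied from the log above; the review heuristics are my own assumptions about what deserves a second look and flag items for review, not as malicious (the flagged `ctfmon.exe` and `KBD.EXE` here are ordinary Windows and HP components).

```python
import re
from collections import Counter, defaultdict

# Excerpt copied from the HijackThis log posted above (not the whole log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gisbornenz.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe
"""

# One entry per "<code> - <body>" line; headers and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# A drive-letter or %windir% path ending in a binary extension; spaces in segments are allowed.
PATH_RE = re.compile(r"(?:[A-Za-z]:|%windir%)\\(?:[^\\\r\n]+\\)*[^\\\r\n]*?\.(?:exe|dll|sys)",
                     re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)")


def parse_hjt(text):
    """Return a list of {code, body, path} dicts, one per HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append({"code": m.group("code"), "body": body,
                        "path": p.group(0).lower() if p else None})
    return entries


def review(entries):
    """Group entries under review headings (heuristics assumed for this example)."""
    findings = defaultdict(list)
    lsp = Counter()
    for e in entries:
        code, body, path = e["code"], e["body"], e["path"]
        if "(file missing)" in body:
            findings["stale_reference"].append(body)
        if code in ("O2", "O3", "O9") and "(no name)" in body:
            findings["unnamed_object"].append(body)
        if code == "O10" and path:
            lsp[path] += 1                      # each LSP layer is listed once per protocol
        if code == "O4" and path and "\\program files\\" not in path and "\\progra~1\\" not in path:
            findings["autostart_outside_program_files"].append(path)
        if code == "O16":
            u = URL_RE.search(body)
            if u:
                findings["activex_download_host"].append(u.group(1).lower())
        if code in ("O20", "O21", "O23") and path:
            findings["system_hook_or_service"].append(path)
    for path, n in lsp.items():
        findings["winsock_lsp"].append(f"{path} x{n}")
    return dict(findings)


if __name__ == "__main__":
    for heading, items in review(parse_hjt(SAMPLE_LOG)).items():
        print(heading)
        for item in items:
            print("   ", item)
```

To use it on a real log, replace `SAMPLE_LOG` with the file contents; the output is a worksheet for the helper, and every flagged line still needs a human to decide whether the file and publisher are expected on that machine.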


----------



## Turanganui (May 23, 2007)

bump


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Files Created Within* group click *30 days*
In the *Files Modified Within* group select *30 days*
In the *File String Search* group select *Non-Microsoft*

Now click the *Run Scan* button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please post the resulting log here *as an attachment*.


----------



## Turanganui (May 23, 2007)

Followed your instructions exactly - log is attached


----------



## cybertech (Apr 16, 2002)

Download the HostsXpert 4.0 - Hosts File Manager.

Unzip HostsXpert 4.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.0 - Hosts File Manager
Run HostsXpert 4.0 - Hosts File Manager from its new home
Click "Make Hosts Writable?" 
Click Restore MS Hosts and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
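Restoring the Microsoft default hosts file removes any entries that send well-known names somewhere else or black-hole them, which is what the step above is for. As an added example (not HostsXpert code), the script below parses a hosts file and reports every mapping that is not the default `localhost` line, classifying it as redirected (to a non-loopback address) or black-holed (to a loopback or unspecified address). The sample file content is constructed for this example; the domain names in it are placeholders.

```python
import ipaddress

# Constructed sample: the default localhost lines plus two entries of the kind a
# hosts-file restore is meant to undo. Names are placeholders, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      update.example-vendor.test   # constructed: vendor name sent to a foreign address
127.0.0.1       www.example-av-site.test     # constructed: security site black-holed
::1             localhost
"""

# Mappings that belong in a default hosts file and are never reported.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing and whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not a mapping line; skip it
        for name in parts[1:]:                 # one address may carry several names
            entries.append((lineno, str(ip), name.lower()))
    return entries


def audit_hosts(text):
    """Return (line_number, hostname, ip, kind) for every non-default mapping."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((lineno, name, ip, kind))
    return findings


if __name__ == "__main__":
    for lineno, name, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({kind})")
```

On a real machine the file is `%SystemRoot%\System32\drivers\etc\hosts`. A deliberately installed ad-blocking hosts list shows up as a long run of `blackholed` lines, which is the case the helper's note about custom hosts files covers; a single `redirected` line for a vendor or update name is the kind of entry worth questioning.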


----------



## Turanganui (May 23, 2007)

Hi and sorry for the delay in getting back to you. Okay, I followed your instructions as best I could. Upon running HostsXpert, there were no options on the right, but a list of options on the left. The top one was "Make Read Only?" which I clicked on and it became "Make Write Only?" Was that right? The 4th option down on the list was "Restore MS Hosts File", which I clicked on and then okayed. Was that right? It was a little different than what you described, so I hope I got it right. Also my anti-spyware program Dr Web did not like me opening HostsXpert, objecting to several files, but I ignored it.
The popups are still very bad.


----------



## cybertech (Apr 16, 2002)

Please download *ATF Cleaner* by Atribune. 
*This program is for XP and Windows 2000 only*
 
Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button. 

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.

Click *Exit* on the Main menu to close the program.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply with a new hijackthis log.*

Click *Close* to exit the program.


----------



## Turanganui (May 23, 2007)

Done - have run both ATF Cleaner and SUPERAntispyware. Below is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/27/2007 at 11:26 AM

Application Version : 3.8.1002

Core Rules Database Version : 3245
Trace Rules Database Version: 1256

Scan type : Complete Scan
Total Scan Time : 02:35:17

Memory items scanned : 386
Memory threats detected : 0
Registry items scanned : 6505
Registry threats detected : 27
File items scanned : 81258
File threats detected : 4

Adware.MyWay
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
HKCR\CLSID\{014DA6CD-189F-421a-88CD-07CFE51CFF10}
HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}
HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32
HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel
HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\ProgID
HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\Programmable
HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\TypeLib
HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Control
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\ProgID
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Programmable
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\TypeLib
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Version
HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\0
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\0\win32
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\FLAGS
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\HELPDIR

Adware.Tracking Cookie
C:\Documents and Settings\Owner\My Documents\New Folder\WINDOWS\Cookies\ [email protected][2].txt
C:\Documents and Settings\Owner\My Documents\New Folder\WINDOWS\Cookies\ [email protected][1].txt
C:\Documents and Settings\Owner\My Documents\New Folder\WINDOWS\Cookies\ [email protected][1].txt
C:\Documents and Settings\Owner\My Documents\New Folder\WINDOWS\TEMP\Cookies\ [email protected][2].txt


----------



## cybertech (Apr 16, 2002)

How is it running now? Any problems?


----------



## Turanganui (May 23, 2007)

Had a clear day yesterday, but the pop-ups are back in force this morning.


----------



## cybertech (Apr 16, 2002)

Run *Panda ActiveScan* *here*

*Post the results from ActiveScan.*


----------



## Turanganui (May 23, 2007)

Running Activescan proved to be quite difficult, hence the delay in getting back to you. The first 2 attempts failed half way through when IE froze then closed because of popups. The 3rd attempt took a long time but has eventually completed successfully. Results are attached.


----------



## cybertech (Apr 16, 2002)

Delete this file: C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.zip and the e-mail it came from.

Delete this file: C:\Program Files\DrWeb\test_txt.vir

Empty the PestPatrol Quarantine.

Open IE, go to Tools, Internet Options, Privacy, Advanced, click in the box "Override automatic cookie handling", First-party Cookies select Prompt, Third-party cookies select Block. When those cookies try to install, click Block.

*Click Here* and download Killbox and save it to your desktop.

Double-click on Killbox.exe to run it. 
Put a tick by *Delete on Reboot*. 
In the "Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\SYSTEM32\prodsrvs.exe

Click on the button that has the red circle with the X in the middle after you enter the file name. 
It will ask for confirmation to delete the file. 
Click Yes. 
It will ask if you want to reboot now,
Click Yes.

*Note:* It is possible that Killbox will tell you that the file does not exist.

If your computer does not restart automatically then please restart it manually. 
If you get an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
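Delete-on-reboot tools rely on the `PendingFileRenameOperations` value that the error message above names: Windows keeps deferred moves and deletes there, under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, as a REG_MULTI_SZ of string pairs (source path, then destination; an empty destination means delete, and a leading `!` on the destination means replace an existing file). Reading that value before rebooting shows exactly what will be removed, and is also where a forensic review finds files that something else has queued for deletion. As an added example (not Killbox code), the script below decodes such a value. The sample list is constructed, reusing the file path from the instructions above; the second pair is a made-up replace operation.

```python
import sys

NT_PREFIX = "\\??\\"   # the NT object-manager prefix Windows stores in front of each path

# Constructed sample in the shape winreg returns for a REG_MULTI_SZ value.
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\SYSTEM32\\prodsrvs.exe", "",                    # delete on reboot (path from the thread)
    "\\??\\C:\\WINDOWS\\TEMP\\patch.tmp", "!\\??\\C:\\WINDOWS\\SYSTEM32\\example.dll",  # constructed replace
]


def _strip_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(values):
    """Turn the flat string list into (operation, source, destination) tuples."""
    ops = []
    it = iter(values)
    for src in it:
        dst = next(it, "")
        if src == "":
            continue                       # trailing empty string that pads some values
        if dst == "":
            ops.append(("delete", _strip_prefix(src), None))
        else:
            replace = dst.startswith("!")
            ops.append(("replace" if replace else "move",
                        _strip_prefix(src), _strip_prefix(dst.lstrip("!"))))
    return ops


def read_live_value():
    """Read the live value on Windows; returns [] elsewhere or when nothing is pending."""
    if sys.platform != "win32":
        return []
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        return list(value)
    except FileNotFoundError:
        return []
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    pending = read_live_value() or SAMPLE_VALUE
    for op, src, dst in decode_pending_ops(pending):
        print(op, src, "" if dst is None else "-> " + dst)
```

Run on Windows it prints whatever is actually queued; elsewhere it falls back to the constructed sample. The error quoted above, about the registry data having been removed by an external process, describes exactly the case where this value vanishes between the tool writing it and the reboot, which is why the helper says to restart manually and check.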


----------



## Turanganui (May 23, 2007)

The Killbox.exe link you provided takes me to a SpyNomore download - is this correct? Should I allow cookies from that site? Just want to check before I go on.


----------



## cybertech (Apr 16, 2002)

No, it should take you to majorgeeks.com
http://www.majorgeeks.com/Pocket_KillBox_d4709.html


----------



## Turanganui (May 23, 2007)

OK, have done all that. Popups are still really bad.


----------



## cybertech (Apr 16, 2002)

Download ComboFix from *Here* or *Here* to your Desktop. 

Double click *combofix.exe * and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply.
*Note: Do not mouseclick combofix's window while it's running. That may cause it to stall*


----------



## Turanganui (May 23, 2007)

Combofix and HijackThis logs follow:

"Owner" - 2007-05-31 6:46:58 Service Pack 2 
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

"C:\WINDOWS\system32\uytywd.exe"
"C:\WINDOWS\system32\uytywd.dat"
"C:\WINDOWS\system32\uytywd_nav.dat"
"C:\WINDOWS\system32\uytywd_navps.dat"
"C:\WINDOWS\system32\nvs2.inf"

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_IPRIP

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))

2007-05-30 17:12 d--------	C:\!KillBox
2007-05-28 17:53 d--------	C:\WINDOWS\SYSTEM32\ActiveScan
2007-05-27 08:44 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-27 08:42 d--------	C:\Program Files\SUPERAntiSpyware
2007-05-27 08:42 d--------	C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-05-23 17:07 d--------	C:\VundoFix Backups
2007-05-01 17:56 d--------	C:\Program Files\digiRAMA
2007-05-01 17:55 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\{77467C3A-3736-4859-A067-33F1CFBBA0C5}
2007-04-29 18:05	248	--a------	C:\Documents and Settings\Owner\FixSearchHooks.reg
2007-04-29 18:05	248	--a------	C:\DOCUME~1\Owner\FixSearchHooks.reg
2007-04-29 18:05	205	--a------	C:\Documents and Settings\Owner\tempReg1.reg
2007-04-29 18:05	205	--a------	C:\DOCUME~1\Owner\tempReg1.reg
2007-04-29 18:05	2,430	--a------	C:\Documents and Settings\Owner\FixBrowser.reg
2007-04-29 18:05	2,430	--a------	C:\DOCUME~1\Owner\FixBrowser.reg
2007-04-29 18:05	113	--a------	C:\Documents and Settings\Owner\tempReg0.reg
2007-04-29 18:05	113	--a------	C:\DOCUME~1\Owner\tempReg0.reg
2007-04-29 18:02	248	--a------	C:\DOCUME~1\ADMINI~1.KEL\FixSearchHooks.reg
2007-04-29 18:02	205	--a------	C:\DOCUME~1\ADMINI~1.KEL\tempReg1.reg
2007-04-29 18:02	2,430	--a------	C:\DOCUME~1\ADMINI~1.KEL\FixBrowser.reg
2007-04-29 18:02	113	--a------	C:\DOCUME~1\ADMINI~1.KEL\tempReg0.reg
2007-04-29 17:57	1,048,576	--ah-----	C:\DOCUME~1\ADMINI~1.KEL\NTUSER.DAT
2007-04-29 17:57 d--------	C:\DOCUME~1\ADMINI~1.KEL\WINDOWS
2007-04-29 17:57 d--------	C:\DOCUME~1\ADMINI~1.KEL\APPLIC~1\InterTrust
2007-04-27 07:02 d--------	C:\DOCUME~1\Owner\APPLIC~1\SecondLife
2007-04-27 06:46 d--------	C:\Program Files\SecondLife
2007-04-26 15:57	271,224	--a------	C:\WINDOWS\SYSTEM32\mucltui.dll
2007-04-21 11:56 d--------	C:\Program Files\RegCure
2007-04-21 10:47 d--------	C:\Program Files\XoftSpySE
2007-04-20 07:04 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-04-19 17:44	9,728	--a----t-	C:\WINDOWS\SYSTEM32\DRWEBSP.DLL
2007-04-19 17:44	5,856	--a------	C:\WINDOWS\SYSTEM32\drivers\drwebnet.sys
2007-04-19 17:44 d--------	C:\Documents and Settings\Owner\DoctorWeb
2007-04-19 17:44 d--------	C:\DOCUME~1\Owner\DoctorWeb
2007-04-19 17:43 d--------	C:\Program Files\DrWeb
2007-04-11 19:06 d--------	C:\Program Files\MSXML 4.0
2007-04-09 20:01 d--------	C:\Program Files\Microsoft ActiveSync
2007-04-09 19:59 d--------	C:\WINDOWS\ShellNew
2007-04-09 14:14 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-04-09 13:55 d--------	C:\Program Files\AskTBar
2007-04-02 13:52 d--------	C:\winpay

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-29 18:05	248	--a------	C:\DOCUME~1\Owner\FixSearchHooks.reg
2007-04-29 18:05	205	--a------	C:\DOCUME~1\Owner\tempReg1.reg
2007-04-29 18:05	2,430	--a------	C:\DOCUME~1\Owner\FixBrowser.reg
2007-04-29 18:05	113	--a------	C:\DOCUME~1\Owner\tempReg0.reg
2007-04-19 17:44 d--------	C:\DOCUME~1\Owner\DoctorWeb

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-19 22:55]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=c:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 10:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2004-04-02 14:11]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 10:49]
"NvCplDaemon"="NvQTwk" []
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 08:35]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 21:56]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"SpIDerNT"="C:\PROGRA~1\DrWeb\spidernt.exe" [2006-05-02 12:07]
"SpIDerMail"="C:\Program Files\DrWeb\spiderml.exe" [2007-03-23 02:59]
"DrWebScheduler"="C:\Program Files\DrWeb\DRWEBSCD.EXE" [2007-02-28 15:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 19:56]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 10:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2007-03-12 13:49]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-05-26 09:21:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-30 18:59:31 C:\WINDOWS\tasks\RegCure Program Check.job
2007-04-20 23:56:53 C:\WINDOWS\tasks\RegCure.job
2007-05-30 18:59:31 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-05-25 19:42:08 C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 07:00:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-31 7:09:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-31 07:09

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 7:19:34 AM, on 31/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\DrWeb\SpiderNT.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ComboFix\29661.cfexe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\DrWeb\spidernt.exe
C:\Program Files\DrWeb\spiderml.exe
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gisbornenz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nz.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093314493015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177460353359
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe


----------



## cybertech (Apr 16, 2002)

How is it now?


----------



## Turanganui (May 23, 2007)

Sorry for the delay in getting back to you - I wanted to "test" the system for a couple of days. No popups at all since my last post - I'm really pleased and very grateful to you. Will definitely be making a donation to your very worthy cause. Just a couple of loose ends: Do I need to set a restore point to return to if need be? Which of the many "fixes" that I have should I keep running (if any), and is there anything I can do to stop this from happening again?


----------



## cybertech (Apr 16, 2002)

You can remove all of the tools I requested you to download and/or folders associated with them now.

SUPERAntiSpyware is a trial version so you can keep that until the trial is over and then uninstall.

It's a good idea to Flush your System Restore after removing malware:

1. On the Desktop, right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.

To create a new restore point:

1. On the Desktop, right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn on System Restore.
5. Click Apply, and then click OK.

Here are some additional links for you to check out to help you with your computer security.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

You're welcome!
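The flush-and-recreate procedure in the reply above, as an added PowerShell example that is not part of cybertech's post: it assumes Windows PowerShell 2.0 or later on a client edition of Windows (the *-ComputerRestore cmdlets are client-only), an elevated session, and C:\ as the only drive System Restore monitors.

```powershell
# Flush System Restore after a malware cleanup, then record a clean baseline.
# Assumptions (not from the original post): PowerShell 2.0+ on a client Windows
# edition, run elevated, and C:\ as the only monitored drive.
$drive = 'C:\'

# Refuse to run without admin rights; the cmdlets below need them.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# Show what is about to be discarded: any of these snapshots may still hold a
# copy of the files the cleanup just removed.
$before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
Write-Host ("Existing restore points: {0}" -f $before.Count)
$before | Format-Table SequenceNumber, Description, CreationTime -AutoSize

# Step 1: turning System Restore off deletes every restore point on the drive.
# The post's GUI steps restart the machine here; do the same to mirror them.
Disable-ComputerRestore -Drive $drive

# Step 2: turn it back on so the machine is protected again.
Enable-ComputerRestore -Drive $drive

# Step 3: record a known-clean baseline to return to if the popups recur.
Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                    -RestorePointType 'MODIFY_SETTINGS'

# Verify: only the new baseline should remain.
$after = @(Get-ComputerRestorePoint)
if ($after.Count -ne 1) {
    Write-Warning ("Expected 1 restore point, found {0}; check the System Restore settings." -f $after.Count)
}
$after | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```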


----------

