Please help me - Free Antivirus Forum

Please help me

BullGuard Antivirus Forum > Virus Removal > Removal Tools > Please help me

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

DIJ Metal
New Member

Date Joined Jun 2006
Total Posts : 27

Posted 6-29-2006 7:42 (GMT +1)

Here is my log, I just got Conhook and it seems to be gone but my internet is connecting at a slower speed. It was connecting at 115kbps now it's connecting at 49.2 or lower (last night it was 28.8):

Logfile of HijackThis v1.99.1
Scan saved at 11:36:48 PM, on 06/28/06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\LeEtta Clark\Desktop\Patches\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3212BCA5-DFC1-4587-AD42-A4462C1D417E} - (no file)
O2 - BHO: (no name) - {58F07DD3-924D-4141-BC74-299F523A95F1} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {b85d74aa-e350-4b12-8067-b814a5702459} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SSK Service] C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif
O4 - HKLM\..\Run: [vlmovuxw] C:\WINDOWS\System32\rmhiqiiv.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\LEETTA~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKCU\..\Run: [SSK Service] C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\vernn16.dll
O4 - HKCU\..\Run: [kvern16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\kvern16.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with TrueSpeed Download Manager - C:\Program Files\TrueSpeed\DBooster.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.dijmetal.com
O15 - Trusted Zone: www.rockdaily.com
O16 - DPF: ConferenceRoom Java Client -
O16 - DPF: DigiChat Applet -
O16 - DPF: Yahoo! Chat -
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) -
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/28db69eb8270fa233102/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Jgmmgr - Jgmmgr.dll (file missing)
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 16319

Posted 6-29-2006 9:09 (GMT +1)

Hey

Please download Ewido Anti-Malware

Install Ewido Anti-Malware
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")

Exit Ewido, do not run the scan yet!

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"

Please download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

Next, http://metallica.geekstogo.com/alcanshorty.bfu and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Do not run the Uninstaller and the Remover yet.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

*Click on Ewido>Scanner
Then select "Settings"
Under the bottom section "What to Scan?" make sure "Scan every file" is checked.
Select "OK" and you will return to scanning options.
*Click on Complete System Scan and the scan will begin.

This scan can take quite a while to run, so please be patient .
While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose Clean. Then put a check next to 'Perform action on all infections' . Doing this, enables the scan to proceed automatically until its completion. Click OK

When the scan finishes, click on "Save Report". This will create a text file.
** Make sure you know where to find this file again. The best place to save it would probably be your Desktop.
Now close Ewido Anti Malware.

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

Regards - Touch idea

Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.

Do not PM me with logfiles. They will be deleted

Before posting a log

DIJ Metal
New Member

Date Joined Jun 2006
Total Posts : 27

Posted 6-29-2006 12:48 (GMT +1)

My internet is still running slow even though I deleted all the viruses. I'm connected at 52kbps right now....weird

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:37:12 AM 06/29/06

+ Scan result:

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP424\A0092351.exe -> Adware.AdURL : Cleaned.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP424\A0092353.exe -> Adware.AdURL : Cleaned.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP424\A0092349.exe -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP418\A0089796.exe -> Adware.SaveNow : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58F07DD3-924D-4141-BC74-299F523A95F1} -> Adware.WebDir : Cleaned.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned.
C:\WINDOWS\SYSTEM32\ddcyvst.dll -> Downloader.Agent.anm : Cleaned.
C:\WINDOWS\SYSTEM32\pmnli.exe -> Downloader.ConHook.ac : Cleaned.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP424\A0092350.dll -> Downloader.Miewer.a : Cleaned.
C:\WINDOWS\SYSTEM32\booknew.dlltmp -> Downloader.Miewer.a : Cleaned.
C:\WINDOWS\SYSTEM32\scopenr.dll -> Downloader.Miewer.a : Cleaned.
C:\WINDOWS\SYSTEM32\tv2.dll -> Downloader.Miewer.a : Cleaned.
C:\WINDOWS\SYSTEM32\tv3.dlltmp -> Downloader.Miewer.a : Cleaned.
C:\WINDOWS\SYSTEM32\vern16.dll -> Downloader.Miewer.d : Cleaned.
C:\WINDOWS\SYSTEM32\geebx.exe -> Dropper.Agent.amr : Cleaned.
C:\WINDOWS\ibi-xs.exe -> Heuristic.Win32.Dialer : Cleaned.
C:\WINDOWS\SYSTEM32\qahhxsqf.exe -> Not-A-Virus.Downloader.Win32.Casino : Cleaned.
C:\WINDOWS\SYSTEM32\rmhiqiiv.exe -> Not-A-Virus.Downloader.Win32.Casino : Cleaned.
C:\WINDOWS\SYSTEM32\winmfu32.dll -> Trojan.Agent.vg : Cleaned.

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 4:42:46 AM, on 06/29/06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\LeEtta Clark\Desktop\Patches\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3212BCA5-DFC1-4587-AD42-A4462C1D417E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {b85d74aa-e350-4b12-8067-b814a5702459} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SSK Service] C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\LEETTA~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKCU\..\Run: [SSK Service] C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\vernn16.dll
O4 - HKCU\..\Run: [kvern16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\kvern16.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with TrueSpeed Download Manager - C:\Program Files\TrueSpeed\DBooster.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.dijmetal.com
O15 - Trusted Zone: www.rockdaily.com
O16 - DPF: ConferenceRoom Java Client -
O16 - DPF: DigiChat Applet -
O16 - DPF: Yahoo! Chat -
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) -
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/28db69eb8270fa233102/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Jgmmgr - Jgmmgr.dll (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 16319

Posted 6-29-2006 1:02 (GMT +1)

You still have a large number of infections, I therefore suggest You proceed as follows -

Please download free Trial of Superantispyware
http://www.superantispyware.com/superantispywarefreevspro.html

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it.

close the program

Download Free Trial of Spysweeper
http://www.spywarefri.dk/downloads1/ssf...793616.exe
http://www.spywarefri.dk/downloads1/ssfsetup972_1837793616.exe

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.

Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.

Run Spysweeper:
Click on "Options > Sweep Options" and check "Sweep all Folders on Selected drives". Check "Local Disc C".
Under What to Sweep: check all of the boxes except Sweep Contents of Compressed Files and do not Sweep Systemrestore Folder.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click "Remove". Click "Select All" and then "Next".
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Start Superantispyware/rightclick on the black/yellow bug in tray.

Hit - Scan Your Computer - button

Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan, then next

it will scan now. When scan have finished, put a checkmark with all items it found. Next, after cleaning, let it Reboot

Next go to Start- Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
And Find:
superantispyware log

Post this log along with fresh hijackthis log and tell how things are running

Regards - Touch idea

Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.

Do not PM me with logfiles. They will be deleted

Before posting a log

DIJ Metal
New Member

Date Joined Jun 2006
Total Posts : 27

Posted 6-29-2006 5:08 (GMT +1)

Isn't there one program and will take care of everything? lol current connection = 50.6kbps

SUPERAntiSpyware Scan Log
Generated 06/29/2006 at 08:58 AM

Core Rules Database Version : 2997
Trace Rules Database Version: 1079

Memory threats detected : 0
Registry threats detected : 1
File threats detected : 9

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{7916f057-223f-4612-ac84-e882cbe043d4}

Adware.Tracking Cookie
C:\Documents and Settings\LeEtta Clark\Cookies\leetta clark@serving-sys[2].txt
C:\Documents and Settings\LeEtta Clark\Cookies\leetta clark@indextools[1].txt
C:\Documents and Settings\LeEtta Clark\Cookies\leetta clark@realmedia[2].txt
C:\Documents and Settings\LeEtta Clark\Cookies\leetta clark@fixionmedia[1].txt
C:\Documents and Settings\LeEtta Clark\Cookies\leetta clark@atwola[1].txt

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Dialer.DialerPlatformLimited
C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe

Trojan.RegPerf
C:\WINDOWS\SYSTEM32\regperf.exe
____________________________________________________________________________
********
6:42 AM: |       Start of Session, Thursday, June 29, 2006       |
6:42 AM: Spy Sweeper started
6:42 AM: Sweep initiated using definitions version 709
6:42 AM: Starting Memory Sweep
6:45 AM: Memory Sweep Complete, Elapsed Time: 00:02:26
6:45 AM: Starting Registry Sweep
6:45 AM:   Found Adware: mindset interactive - favoriteman
6:45 AM:   HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/mmview_101.dll\ (2 subtraces) (ID = 135025)
6:45 AM:   Found Adware: websearch toolbar
6:45 AM:   HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (7 subtraces) (ID = 146518)
6:45 AM:   Found Adware: winad
6:45 AM:   HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/winadtoolsx.dll\ || .owner (ID = 147196)
6:45 AM:   HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/winadtoolsx.dll\ || {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} (ID = 147197)
6:45 AM:   Found Trojan Horse: trojan agent winlogonhook
6:45 AM:   HKLM\software\microsoft\mssmgr\ (13 subtraces) (ID = 937101)
6:45 AM:   Found Adware: daily toolbar
6:45 AM:   HKU\S-1-5-21-2939561921-2035789119-2382750585-1006\software\microsoft\windows\currentversion\run\ || kvern16.dll (ID = 124612)
6:45 AM:   HKU\S-1-5-21-2939561921-2035789119-2382750585-1006\software\microsoft\windows\currentversion\run\ || vernn16.dll (ID = 124613)
6:45 AM:   Found Adware: ibi-xs dialer
6:45 AM:   HKU\S-1-5-21-2939561921-2035789119-2382750585-1006\software\ibi-tec\ (357 subtraces) (ID = 127871)
6:45 AM:   Found Adware: limeshop
6:45 AM:   HKU\S-1-5-21-2939561921-2035789119-2382750585-1006\software\microsoft\internet explorer\menuext\limeshop preferences\ (2 subtraces) (ID = 129724)
6:45 AM:   Found Adware: systemprocess
6:45 AM:   HKU\S-1-5-21-2939561921-2035789119-2382750585-1006\software\system process\ (1 subtraces) (ID = 860389)
6:45 AM:   HKU\S-1-5-21-2939561921-2035789119-2382750585-1006\software\system process\ || lastptime (ID = 860390)
6:45 AM: Registry Sweep Complete, Elapsed Time:00:00:27
6:45 AM: Starting Cookie Sweep
6:45 AM:   Found Spy Cookie: atwola cookie
6:45 AM:   leetta clark@atwola[1].txt (ID = 2255)
6:45 AM:   Found Spy Cookie: realmedia cookie
6:45 AM:   leetta clark@realmedia[2].txt (ID = 3235)
6:45 AM:   Found Spy Cookie: serving-sys cookie
6:45 AM:   leetta clark@serving-sys[2].txt (ID = 3343)
6:45 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:45 AM: Starting File Sweep
6:50 AM:   ustart.exe (ID = 242836)
7:22 AM:   a0092387.dll (ID = 57401)
7:29 AM:   Found Trojan Horse: trojan-downloader-miewer
7:29 AM:   a0092383.dll (ID = 80753)
7:33 AM:   Found Adware: accoona toolbar
7:33 AM:   a0089795.exe (ID = 257155)
7:48 AM:   Found Adware: my daily horoscope
7:48 AM:   a0092382.dll (ID = 70235)
8:15 AM:   Found Adware: directrevenue-abetterinternet
8:15 AM:   biini.inf (ID = 83199)
8:15 AM:   Found Adware: ezsearchbar
8:15 AM:   states.ini (ID = 60360)
8:15 AM:   addr_var.ini (ID = 60329)
8:15 AM:   name_var.ini (ID = 60352)
8:15 AM:   birth_var.ini (ID = 60332)
8:15 AM:   city_var.ini (ID = 60333)
8:15 AM:   zip_var.ini (ID = 60362)
8:15 AM:   phone_var.ini (ID = 60353)
8:15 AM:   satmat.ini (ID = 83499)
8:15 AM:   satmat.inf (ID = 83498)
8:16 AM: File Sweep Complete, Elapsed Time: 01:30:23
8:16 AM: Full Sweep has completed. Elapsed time 01:33:25
8:16 AM: Traces Found: 411
8:17 AM: Removal process initiated
8:17 AM:   Quarantining All Traces: directrevenue-abetterinternet
8:17 AM:   Quarantining All Traces: trojan agent winlogonhook
8:17 AM:   Quarantining All Traces: websearch toolbar
8:17 AM:   Quarantining All Traces: daily toolbar
8:17 AM:   Quarantining All Traces: mindset interactive - favoriteman
8:17 AM:   Quarantining All Traces: trojan-downloader-miewer
8:17 AM:   Quarantining All Traces: winad
8:17 AM:   Quarantining All Traces: accoona toolbar
8:17 AM:   Quarantining All Traces: ezsearchbar
8:17 AM:   Quarantining All Traces: ibi-xs dialer
8:17 AM:   Quarantining All Traces: limeshop
8:17 AM:   Quarantining All Traces: my daily horoscope
8:17 AM:   Quarantining All Traces: systemprocess
8:17 AM:   Quarantining All Traces: atwola cookie
8:17 AM:   Quarantining All Traces: realmedia cookie
8:17 AM:   Quarantining All Traces: serving-sys cookie
8:17 AM: Removal process completed. Elapsed time 00:00:26
********
6:29 AM: |       Start of Session, Thursday, June 29, 2006       |
6:29 AM: Spy Sweeper started
6:29 AM: Messenger service has been disabled.
6:37 AM: Your spyware definitions have been updated.
_______________________________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 9:06:22 AM, on 06/29/06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\LeEtta Clark\Desktop\Patches\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3212BCA5-DFC1-4587-AD42-A4462C1D417E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {b85d74aa-e350-4b12-8067-b814a5702459} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SSK Service] C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\LEETTA~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKCU\..\Run: [SSK Service] C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.dijmetal.com
O15 - Trusted Zone: www.rockdaily.com
O16 - DPF: ConferenceRoom Java Client -
O16 - DPF: DigiChat Applet -
O16 - DPF: Yahoo! Chat -
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) -
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/28db69eb8270fa233102/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Jgmmgr - Jgmmgr.dll (file missing)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 16319

Posted 6-30-2006 6:48 (GMT +1)

It would be easy with one "multi" program smilewinkgrin

Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked.

O2 - BHO: (no name) - {3212BCA5-DFC1-4587-AD42-A4462C1D417E} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {b85d74aa-e350-4b12-8067-b814a5702459} - (no file)
O4 - HKLM\..\Run: [SSK Service] C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\LEETTA~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKCU\..\Run: [SSK Service] C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif
O16 - DPF: ConferenceRoom Java Client -
O16 - DPF: DigiChat Applet -
O16 - DPF: Yahoo! Chat -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Jgmmgr - Jgmmgr.dll (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)

Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.

Delete the following files or folders (delete item in bold). Please do not be concerned if
any of the items are not found as they may have been automatically removed by actions I had
you take earlier in the cleaning process.

Open Folder Options in Controlpanel >view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files

Delete:

Files:

C:\DOCUME~1\LEETTA~1\LOCALS~1\Temp\MiniBug.exe 1
C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif

Folders:

And delete:
scvhost.exe
Msrv32.exe

Reboot normally, post new log and tell how your speed are now

Regards - Touch idea

Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.

Do not PM me with logfiles. They will be deleted

Before posting a log

DIJ Metal
New Member

Date Joined Jun 2006
Total Posts : 27

Posted 7-1-2006 4:48 (GMT +1)

EDIT: I just put in a init string and my internet is connected at 115kbps again :) I think that was the problem in the first place but thanks for helping me get rid of all the spyware from my computer, I appreciate it. I need to fix the safe mode thing though, in case I have to go into that sometime.
_________________________________________________________________________

I tried getting rid of this:

O4 - HKLM\..\Run: [SSK Service] C:\Documents and Settings\LeEtta Clark\Local Settings\Temp\Temporary Directory 1 for UNKNOWN%order.zip\details.pif

But when I clicked Fix Checked HiJackThis closed and then when I reopened it that ^ was still there also after I did what you said in HJT I tried to go into Safe Mode and it had a bunch of numbers and it said "System shut down". I'm thinking it could be that I don't have a init string entered where it should be, back when it was connecting at 115kbps there was a init string entered in and I think the virus got rid of it because the spot is blank now. I'll try to enter in a bunch of codes and see if I can find the one that makes it 115kbps again.

Logfile of HijackThis v1.99.1
Scan saved at 8:39:35 PM, on 06/30/06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Documents and Settings\LeEtta Clark\Desktop\Patches\HijackThis.exe

Post Edited (DIJ Metal) : 7/1/2006 3:51:43 AM GMT

terresa
New Member

Date Joined Dec 2006
Total Posts : 2

Posted 12-4-2006 1:14 (GMT +1)

I'm new to this an don't know if I'm asking the question in the right place, but I'm having a problem with my computer. I think I have a worm or a virus. When I try to open my IE program, I'm often redirected to webhelper.dll/dnserror.htm#http://messengersite.net/forum/portal.htm. I ran a virus scan and was told I have qhosts.apd on three files. I had to uninstall my norton antivirus because it wasn't allowing me to use it and my ip admin. thought there was a conflict with it. I also have spybot and and asquare-free installed. My norton and spybot are incompatible. Can anyone help me?

Forum Information

Currently it is Saturday, November 21, 2009 12:00 PM (GMT +1)
There are a total of 73.031 posts in 17.116 threads.
In the last 3 days there were 14 new threads and 70 reply posts. View Active Threads