Full Version: HELP Privacy_Danger
Glassmoon
Hey, I hope someone can help me to get rid of Privacy Danger from my comp... I have tried deleting it but it just keeps popping back.

Please help
Glassmoon
My hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 1:35:14 AM, on 6/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\AntiSpyware\AntiSpyware.exe
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLHOS~1.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O1 - Hosts: 216.177.73.139 #uto.search.msn.com
O1 - Hosts: 216.177.73.139 #earch.netscape.com
O1 - Hosts: 216.177.73.139 #eautosearch
O2 - BHO: (no name) - {0 - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {218B7D50-BC37-4FA8-A57F-6E8DE692BD79} - C:\WINNT\vpsnetwork.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56B92EE3-2DB2-4F83-93F4-E41E919F5D2B} - C:\WINNT\System32\lmj.dll (file missing)
O2 - BHO: (no name) - {65C - (no file)
O2 - BHO: (no name) - {65C8C - (no file)
O2 - BHO: (no name) - {65C8C1F - (no file)
O2 - BHO: (no name) - {65C8C1F5- - (no file)
O2 - BHO: (no name) - {65C8C1F5-23 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F31 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B6 - (no file)
O2 - BHO: (no name) - {B638 - (no file)
O2 - BHO: (no name) - {B638A0 - (no file)
O2 - BHO: (no name) - {B638A08C - (no file)
O2 - BHO: (no name) - {B638A08C-3 - (no file)
O2 - BHO: (no name) - {B638A08C-331 - (no file)
O2 - BHO: (no name) - {B638A08C-331C- - (no file)
O2 - BHO: (no name) - {B638A08C-331C-40 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-A - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B- - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F7 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73D - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73DCA - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73DCA08 - (no file)
O2 - BHO: (no name) - {C - (no file)
O2 - BHO: (no name) - {C1E - (no file)
O2 - BHO: (no name) - {C1E58 - (no file)
O2 - BHO: (no name) - {C1E58A8 - (no file)
O2 - BHO: (no name) - {C1E58A84- - (no file)
O2 - BHO: (no name) - {C1E58A84-95 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-463 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630- - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B7 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0F - (no file)
O2 - BHO: (no name) - {C8 - (no file)
O2 - BHO: (no name) - {C85F - (no file)
O2 - BHO: (no name) - {C85FD6 - (no file)
O2 - BHO: (no name) - {C85FD624 - (no file)
O2 - BHO: (no name) - {C85FD624-3 - (no file)
O2 - BHO: (no name) - {C85FD624-372 - (no file)
O2 - BHO: (no name) - {C85FD624-372E- - (no file)
O2 - BHO: (no name) - {C85FD624-372E-45 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3- - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-74 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743D - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF2A - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF2AAE - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe" "Billion\ADSL USB Modem"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158722551\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Samsung Internet Keyboard.lnk = C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Reader\reader_sl.exe
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\winnt\system32\winkel.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O21 - SSODL: vpssup - {DD87F481-7D8A-4723-B341-E800459C8908} - C:\WINNT\vpssup.dll
O21 - SSODL: expro - {41B58DF6-7CFA-444D-BF2E-536D4965415F} - C:\WINNT\expro.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
rridgely
Welcome to the forum. :)
Ouch, this thing has taken your computer hostage. :( Let's get started.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Glassmoon

SDFix: Version 1.88

Run by Administrator on Sun 06/24/2007 at 3:10a

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\SYSTEM32\TASKMGR.EXE - Deleted
C:\WINNT\SYSTEM32\TASKKILL.EXE - Deleted
C:\WINNT\privacy_danger\index.htm - Deleted
C:\WINNT\privacy_danger\images\capt.gif - Deleted
C:\WINNT\privacy_danger\images\danger.jpg - Deleted
C:\WINNT\privacy_danger\images\down.gif - Deleted
C:\WINNT\privacy_danger\images\spacer.gif - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hd-log.txt - Deleted
C:\WINNT\dat.txt - Deleted
C:\WINNT\expro.dll - Deleted
C:\WINNT\rs.txt - Deleted
C:\WINNT\search_res.txt - Deleted
C:\WINNT\vpsnetwork.dll - Deleted
C:\WINNT\vpssup.dll - Deleted


Folder C:\WINNT\privacy_danger - Removed

Removing Temp Files...

ADS Check:

Checking C:\WINNT
C:\WINNT
No streams found.

Checking C:\WINNT\system32
C:\WINNT\system32
No streams found.

Checking C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
No streams found.

Checking C:\WINNT\system32\ntoskrnl.exe
C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\WINNT\system32\aim.exe
C:\WINNT\system32\ope6.exe
C:\WINNT\system32\ope8.exe
C:\WINNT\system32\ope10.exe
C:\WINNT\system32\opeCE.exe
C:\WINNT\system32\opeD0.exe
C:\WINNT\system32\opeDD.exe
C:\WINNT\system32\opeDF.exe
C:\WINNT\system32\opeE2.exe
C:\WINNT\system32\opeE4.exe
C:\WINNT\system32\opeB.exe
C:\WINNT\system32\opeE.exe
C:\WINNT\system32\DC3696EA89.sys
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3640.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2084.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2782.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3530.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0868.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2362.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3531.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2155.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2372.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL4001.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3649.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3417.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2928.tmp

Listing User Accounts:


Administrator Guest


Finished
Glassmoon
Logfile of HijackThis v1.99.1
Scan saved at 3:17:15 AM, on 6/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\AntiSpyware\AntiSpyware.exe
C:\WINNT\system32\aim.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLHOS~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
D:\Program Files\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {0 - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56B92EE3-2DB2-4F83-93F4-E41E919F5D2B} - C:\WINNT\System32\lmj.dll (file missing)
O2 - BHO: (no name) - {65C - (no file)
O2 - BHO: (no name) - {65C8C - (no file)
O2 - BHO: (no name) - {65C8C1F - (no file)
O2 - BHO: (no name) - {65C8C1F5- - (no file)
O2 - BHO: (no name) - {65C8C1F5-23 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F31 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B6 - (no file)
O2 - BHO: (no name) - {B638 - (no file)
O2 - BHO: (no name) - {B638A0 - (no file)
O2 - BHO: (no name) - {B638A08C - (no file)
O2 - BHO: (no name) - {B638A08C-3 - (no file)
O2 - BHO: (no name) - {B638A08C-331 - (no file)
O2 - BHO: (no name) - {B638A08C-331C- - (no file)
O2 - BHO: (no name) - {B638A08C-331C-40 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-A - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B- - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F7 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73D - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73DCA - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73DCA08 - (no file)
O2 - BHO: (no name) - {C - (no file)
O2 - BHO: (no name) - {C1E - (no file)
O2 - BHO: (no name) - {C1E58 - (no file)
O2 - BHO: (no name) - {C1E58A8 - (no file)
O2 - BHO: (no name) - {C1E58A84- - (no file)
O2 - BHO: (no name) - {C1E58A84-95 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-463 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630- - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B7 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0F - (no file)
O2 - BHO: (no name) - {C8 - (no file)
O2 - BHO: (no name) - {C85F - (no file)
O2 - BHO: (no name) - {C85FD6 - (no file)
O2 - BHO: (no name) - {C85FD624 - (no file)
O2 - BHO: (no name) - {C85FD624-3 - (no file)
O2 - BHO: (no name) - {C85FD624-372 - (no file)
O2 - BHO: (no name) - {C85FD624-372E- - (no file)
O2 - BHO: (no name) - {C85FD624-372E-45 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3- - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-74 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743D - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF2A - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF2AAE - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe" "Billion\ADSL USB Modem"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158722551\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKLM\..\Run: [Microsoft lnternet Update] aim.exe
O4 - HKLM\..\RunServices: [Microsoft lnternet Update] aim.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Samsung Internet Keyboard.lnk = C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Reader\reader_sl.exe
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\winnt\system32\winkel.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Glassmoon
Thank you so much for helping me out :)

This thing has been making life hell for the last 2 days :)
rridgely
This computer is still in really bad shape.
Follow this guide here and come back with all of the logs it asks for:
http://forum.piriform.com/index.php?showtopic=6329
Glassmoon
BitDefender Online Scanner - Real Time Virus Report

Generated at: Sun, Jun 24, 2007 - 14:10:29


Scan Info

Scanned Files - 208270

Infected Files - 14

Virus Detected

Trojan.Bat.Zapchast.Z - 1

Application.NTSniff.110 - 1

Worm.Vb.AN - 1

Backdoor.Irc.Zapchast.CX - 1

Backdoor.Irc.Cloner.BJ - 1

Trojan.Dldr.Secondth.HA - 1

Application.JS.ForcePopup.I - 3

Backdoor.Bifrose.KT - 1

Trojan.Flood.CK - 1

Dropped:Application.BHO.Ignet.A - 1

IRC-Worm.Bnc.A - 1

Backdoor.Irc.Flood.A - 1


Glassmoon
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/25/2007 at 00:40 AM

Application Version : 3.8.1002

Core Rules Database Version : 3260
Trace Rules Database Version: 1271

Scan type : Complete Scan
Total Scan Time : 00:26:49

Memory items scanned : 412
Memory threats detected : 0
Registry items scanned : 4809
Registry threats detected : 0
File items scanned : 19698
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@stats.privacyprotector[2].txt

Trace.Known Threat Sources
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FA3QKBEW\hd[2].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\93ABK9CS\line[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\93ABK9CS\cd[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\93ABK9CS\pointer[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8ZJW5RT6\logo[2].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8ZJW5RT6\dvd[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZEXVQMT9\list[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8ZJW5RT6\3[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FA3QKBEW\detector[1].htm
Glassmoon
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:31:46 AM 6/25/2007

+ Scan result:



C:\WINNT\system32\NLNP13.dll -> Adware.IGetNet : Ignored.
C:\WINNT\system\Update_Hosts.DLL -> Adware.IGetNet : Ignored.
D:\Vai, Steve\MP3 Tools\MP3 Listmakers\ListMaker\ListMakerFull.zip/ListMaker.CAB/ListSearch.exe -> Backdoor.Bifrose.kt : Cleaned with backup (quarantined).
C:\windows\system32\drivers\tftp8675 -> Backdoor.SdBot.ry : Cleaned with backup (quarantined).
HKLM\SOFTWARE\FENX -> Dialer.Generic : Cleaned with backup (quarantined).
C:\WINNT\system32\opeE.exe -> Dropper.Agent.aaq : Cleaned with backup (quarantined).
C:\Program Files\TATAUninstall.exe -> Heuristic.Win32.Dialer : Ignored.
:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.61:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Glassmoon
Logfile of HijackThis v1.99.1
Scan saved at 1:37:43 AM, on 6/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLServiceHost.exe
C:\Program Files\AntiSpyware\AntiSpyware.exe
C:\WINNT\system32\aim.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
D:\Program Files\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {0 - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56B92EE3-2DB2-4F83-93F4-E41E919F5D2B} - C:\WINNT\System32\lmj.dll (file missing)
O2 - BHO: (no name) - {65C - (no file)
O2 - BHO: (no name) - {65C8C - (no file)
O2 - BHO: (no name) - {65C8C1F - (no file)
O2 - BHO: (no name) - {65C8C1F5- - (no file)
O2 - BHO: (no name) - {65C8C1F5-23 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F31 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B6 - (no file)
O2 - BHO: (no name) - {B638 - (no file)
O2 - BHO: (no name) - {B638A0 - (no file)
O2 - BHO: (no name) - {B638A08C - (no file)
O2 - BHO: (no name) - {B638A08C-3 - (no file)
O2 - BHO: (no name) - {B638A08C-331 - (no file)
O2 - BHO: (no name) - {B638A08C-331C- - (no file)
O2 - BHO: (no name) - {B638A08C-331C-40 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-A - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B- - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F7 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73D - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73DCA - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73DCA08 - (no file)
O2 - BHO: (no name) - {C - (no file)
O2 - BHO: (no name) - {C1E - (no file)
O2 - BHO: (no name) - {C1E58 - (no file)
O2 - BHO: (no name) - {C1E58A8 - (no file)
O2 - BHO: (no name) - {C1E58A84- - (no file)
O2 - BHO: (no name) - {C1E58A84-95 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-463 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630- - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B7 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0F - (no file)
O2 - BHO: (no name) - {C8 - (no file)
O2 - BHO: (no name) - {C85F - (no file)
O2 - BHO: (no name) - {C85FD6 - (no file)
O2 - BHO: (no name) - {C85FD624 - (no file)
O2 - BHO: (no name) - {C85FD624-3 - (no file)
O2 - BHO: (no name) - {C85FD624-372 - (no file)
O2 - BHO: (no name) - {C85FD624-372E- - (no file)
O2 - BHO: (no name) - {C85FD624-372E-45 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3- - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-74 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743D - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF2A - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF2AAE - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe" "Billion\ADSL USB Modem"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158722551\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKLM\..\Run: [Microsoft lnternet Update] aim.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Microsoft lnternet Update] aim.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Samsung Internet Keyboard.lnk = C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Reader\reader_sl.exe
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\winnt\system32\winkel.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Glassmoon
Have posted all reports as asked...
rridgely
Copy all of the below instructions into notepad because you will have to close your browser.

Open hijackthis and run a system scan only. Then check off the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {0 - (no file)
O2 - BHO: (no name) - {56B92EE3-2DB2-4F83-93F4-E41E919F5D2B} - C:\WINNT\System32\lmj.dll (file missing)
O2 - BHO: (no name) - {65C - (no file)
O2 - BHO: (no name) - {65C8C - (no file)
O2 - BHO: (no name) - {65C8C1F - (no file)
O2 - BHO: (no name) - {65C8C1F5- - (no file)
O2 - BHO: (no name) - {65C8C1F5-23 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F31 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: (no name) - {B6 - (no file)
O2 - BHO: (no name) - {B638 - (no file)
O2 - BHO: (no name) - {B638A0 - (no file)
O2 - BHO: (no name) - {B638A08C - (no file)
O2 - BHO: (no name) - {B638A08C-3 - (no file)
O2 - BHO: (no name) - {B638A08C-331 - (no file)
O2 - BHO: (no name) - {B638A08C-331C- - (no file)
O2 - BHO: (no name) - {B638A08C-331C-40 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-A - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B- - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F7 - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73D - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73DCA - (no file)
O2 - BHO: (no name) - {B638A08C-331C-4098-AE9B-B7F73DCA08 - (no file)
O2 - BHO: (no name) - {C - (no file)
O2 - BHO: (no name) - {C1E - (no file)
O2 - BHO: (no name) - {C1E58 - (no file)
O2 - BHO: (no name) - {C1E58A8 - (no file)
O2 - BHO: (no name) - {C1E58A84- - (no file)
O2 - BHO: (no name) - {C1E58A84-95 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-463 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630- - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B7 - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A - (no file)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0F - (no file)
O2 - BHO: (no name) - {C8 - (no file)
O2 - BHO: (no name) - {C85F - (no file)
O2 - BHO: (no name) - {C85FD6 - (no file)
O2 - BHO: (no name) - {C85FD624 - (no file)
O2 - BHO: (no name) - {C85FD624-3 - (no file)
O2 - BHO: (no name) - {C85FD624-372 - (no file)
O2 - BHO: (no name) - {C85FD624-372E- - (no file)
O2 - BHO: (no name) - {C85FD624-372E-45 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3- - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-74 - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743D - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF2A - (no file)
O2 - BHO: (no name) - {C85FD624-372E-459E-8EB3-743DAF2AAE - (no file)
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Microsoft lnternet Update] aim.exe
O4 - HKLM\..\RunServices: [Microsoft lnternet Update] aim.exe
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\winnt\system32\winkel.dll

Now press "fix checked" and close hijackthis.

------------

Please download the Suspicious file Packer from Safer-Networking.org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINNT\system32\aim.exe
C:\WINNT\system32\ope6.exe
C:\WINNT\system32\ope8.exe
C:\WINNT\system32\ope10.exe
C:\WINNT\system32\opeCE.exe
C:\WINNT\system32\opeD0.exe
C:\WINNT\system32\opeDD.exe
C:\WINNT\system32\opeDF.exe
C:\WINNT\system32\opeE2.exe
C:\WINNT\system32\opeE4.exe
C:\WINNT\system32\opeB.exe
C:\WINNT\system32\opeE.exe
c:\winnt\system32\winkel.dll
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\AntiSpyware\AntiSpyware.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please then visit the below link

http://www.bleepingcomputer.com/submit-mal....php?channel=27

Type files from Ccleaners forum in the link area and then click Browse and locate the requested-files.cab archive on your desktop then click Send File

-----------------

Download Killbox from Here

Click killbox.exe

Select the option "Delete on reboot".

Click the button: All Files (Important!)
Now it should flash green.

Next copy the contents of the code box to clipboard by left clicking and covering the text then right click inside the highlighted area and choose Copy:

CODE
C:\WINNT\system32\aim.exe
C:\WINNT\system32\ope6.exe
C:\WINNT\system32\ope8.exe
C:\WINNT\system32\ope10.exe
C:\WINNT\system32\opeCE.exe
C:\WINNT\system32\opeD0.exe
C:\WINNT\system32\opeDD.exe
C:\WINNT\system32\opeDF.exe
C:\WINNT\system32\opeE2.exe
C:\WINNT\system32\opeE4.exe
C:\WINNT\system32\opeB.exe
C:\WINNT\system32\opeE.exe
c:\winnt\system32\winkel.dll
C:\Program Files\winupdates\winupdates.exe


After copying the above text to Clipboard click File on the killbox menu bar and choose Paste From Clipboard

Then press the Delete File button (Red Circle with a White X).
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

--------------------------


Visit VirusTotal and have this file scanned:

C:\Program Files\AntiSpyware\AntiSpyware.exe

Open the scan site and press Browse, locate the file and double click it to load the path into the Virus scan window then press Send, copy and paste the Virus scan results back and let us know if you have any problems finding the file.
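The fix list above was picked by hand from the HijackThis log. As an added example (not part of the original post, and not HijackThis's own logic), the sketch below applies a few triage heuristics to log lines in the same format: BHO entries with a truncated CLSID or a missing file, Run value names that swap a lowercase "l" for a capital "I", a non-default URL prefix, AppInit_DLLs and win.ini autostarts. The function names and the heuristics are assumptions made for illustration; the sample lines are copied from the log in this thread.

```python
import re

# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
F1 - win.ini: run=fntldr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {56B92EE3-2DB2-4F83-93F4-E41E919F5D2B} - C:\WINNT\System32\lmj.dll (file missing)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft lnternet Update] aim.exe
O13 - WWW. Prefix: http://ehttp.cc/?
O20 - AppInit_DLLs: c:\winnt\system32\winkel.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O2 - <body>"
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
CONSONANTS = set("bcdfghjklmnpqrstvwxz")


def check_bho(body):
    """O2: flag a CLSID that is not a complete GUID, or a DLL that is gone."""
    reasons = []
    m = re.search(r" - (\{\S*) - ", body)
    if m and not GUID_RE.fullmatch(m.group(1)):
        reasons.append("malformed CLSID")
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        reasons.append("target file absent")
    return reasons


def lookalike_words(name):
    """Heuristic (assumption): a word starting with lowercase 'l' plus a
    consonant, in a name whose other words are capitalised, is probably a
    capital 'I' replaced by 'l' (for example 'lnternet')."""
    words = name.split()
    hits = [w for w in words if len(w) > 1 and w[0] == "l" and w[1] in CONSONANTS]
    others = [w for w in words if w not in hits]
    if hits and all(w[0].isupper() for w in others):
        return hits
    return []


def check_autorun(body):
    """O4: flag Run value names that imitate a trusted name."""
    m = re.search(r"\[([^\]]+)\]", body)
    if not m:
        return []
    hits = lookalike_words(m.group(1))
    return ["look-alike value name: " + ", ".join(hits)] if hits else []


def triage(log_text):
    """Return (section, line, reasons) for every line that needs a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "F1":
            reasons = ["win.ini/system.ini autostart"]
        elif section == "O2":
            reasons = check_bho(body)
        elif section == "O4":
            reasons = check_autorun(body)
        elif section == "O13":
            reasons = ["non-default URL prefix"]
        elif section == "O20" and body.startswith("AppInit_DLLs"):
            reasons = ["DLL injected via AppInit_DLLs"]
        else:
            reasons = []
        if reasons:
            findings.append((section, line, reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {'; '.join(reasons)}\n    {line}")
```

A hit only marks a line for review; entries such as the `winupdates` Run key in the fix list above match none of these rules and still needed an analyst to spot them.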
Glassmoon
antispyware.exe is an 18 MB file so VirusTotal is not able to process it...

System is working fine now... will post the hijackthis log
Glassmoon
Logfile of HijackThis v1.99.1
Scan saved at 1:50:27 PM, on 6/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLServiceHost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\AntiSpyware\AntiSpyware.exe
C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {56B92EE3-2DB2-4F83-93F4-E41E919F5D2B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe" "Billion\ADSL USB Modem"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158722551\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Samsung Internet Keyboard.lnk = C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

rridgely
Delete these with hijackthis:

O2 - BHO: (no name) - {56B92EE3-2DB2-4F83-93F4-E41E919F5D2B} - (no file)
O13 - WWW. Prefix: http://ehttp.cc/?

---------

The Antispyware.exe file you submitted has been tested and although it does detect malware it also detects genuine items such as the genuine WinPcap program's registry entries as a Password Stealer. The program also doesn't remove anything that it detects unless you pay them, and that part is not made clear on their homepage. Because of that I'd recommend removing the program if you haven't paid for it by removing 'Antispyware 1.5' from the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs). If you have paid for the program then it's really up to you if you wish to keep it installed.

http://www.symantec.com/en/uk/smb/security...-99&tabid=2
----------

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Paste kaspersky log onto forum.
Glassmoon
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 26, 2007 9:10:42 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/06/2007
Kaspersky Anti-Virus database records: 353421
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 60114
Number of viruses found: 13
Number of infected objects: 18 / 0
Number of suspicious objects: 1
Duration of the scan process: 00:56:05

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\NLNP13.dll Infected: not-a-virus:AdWare.Win32.IGetNet skipped
C:\WINNT\system32\Perflib_Perfdata_2c4.dat Object is locked skipped
C:\WINNT\system\Update_Hosts.DLL Infected: not-a-virus:AdWare.Win32.IGetNet.g skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\CSC�000001 Object is locked skipped
C:\WINNT\AStart.exe Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine3880000.VBN Infected: Trojan-Downloader.Win32.Tooncom.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine3940000.VBN Infected: Backdoor.Win32.Jeemp.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine38C0000.VBN Infected: Trojan.Java.ClassLoader.Dummy.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine3980000.VBN Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine39C0000.VBN Infected: Backdoor.Win32.Jeemp.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine3A40000.VBN Infected: Backdoor.Win32.Jeemp.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine6780000.VBN Infected: Trojan-Downloader.Win32.Tooncom.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine6780001.VBN Infected: Trojan-Downloader.Win32.Tooncom.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine3600000.VBN Infected: Virus.VBS.Redlof.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine34C0000.VBN Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine3500000.VBN Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine34C0001.VBN Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine3B80000.VBN Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine4CC0000.VBN Infected: Backdoor.Win32.Rbot.aeu skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF179D.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF87A1.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nfqdpihm.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\AntiSpyware\Log\log_2007_06_25_11_22_14.log Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\windows\system32\drivers\spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
D:\Audio Convertors\Audio Conversion Wizard\acw [cracked].exe Suspicious: Packed.Win32.PePatch.dk skipped


Scan process completed.
rridgely
Download Killbox from Here

Click killbox.exe

Select the option "Delete on reboot".

Click the button: All Files (Important!)
Now it should flash green.

Next, copy the contents of the code box to the clipboard by left-clicking and covering the text, then right-click inside the highlighted area and choose Copy:

CODE
C:\WINNT\system32\NLNP13.dll
C:\WINNT\system\Update_Hosts.DLL
C:\WINNT\AStart.exe
C:\windows\system32\drivers\spsexec.exe


After copying the above text to the clipboard, click File on the Killbox menu bar and choose Paste From Clipboard.

Then press the Delete File button (Red Circle with a White X).
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

-------------

Please then check what is in the C:\windows\ folder and let us know if there are any files in there. If there are only folders, please open them, see what they contain and post back the details.


--------------

Remove the items in Norton's Quarantine as described here:
http://service1.symantec.com/SUPPORT/nav.n...ment&seg=hm

--------

QUOTE
D:\Audio Convertors\Audio Conversion Wizard\acw [cracked].exe

Running any cracked software on your system is a risk, as they are often bundled with trojans, and running those sorts of files will be the reason your machine was infected. If you continue to use them, it's very likely the machine will be infected again, so I'd recommend removing it from the system.
Glassmoon
There is no folder called 'folder' in C:\Windows

C:\Windows - has a folder called System32
C:\Windows\System32\Drivers

Files in Drivers Folder

394839.reg
kill.exe
ntinstall.ini
RAP-ALBUMS.jpg
smnt.scr
SYNFUL.nfo
WinDVD82.exe

Glassmoon
Logfile of HijackThis v1.99.1
Scan saved at 6:23:15 PM, on 6/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\AOL\115872~1\EE\AOLServiceHost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Billion\ADSL USB Modem\CnxDslTb.exe" "Billion\ADSL USB Modem"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158722551\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Samsung Internet Keyboard.lnk = C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{CB87EFE9-3B2E-41A4-97B7-AC3811CF303D}: NameServer = 125.22.47.125,202.56.250.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

rridgely
Delete this folder:
C:\Windows

It's not real. Windows 2000 isn't supposed to have this folder.

-----------

Let us know if everything seems back to normal on this computer.
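
The diagnosis in the reply above rests on the system root: every core process in the HijackThis log runs from C:\WINNT, so a detection under C:\windows\system32 sits in a look-alike folder. As an added example (not part of the thread, and not code from any tool mentioned in it), the check below infers the real root from the log and flags scanner detections stored under a different system-root name; the function names are this example's own and the sample text is constructed from lines quoted in the thread.

```python
import ntpath
import re

# Processes that always run from <SystemRoot>\System32.
CORE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Folder names Windows uses for its system root (WINNT on Windows 2000).
ROOT_NAMES = {"windows", "winnt"}
# Scanner line as it appears in the thread: "<path> Infected: <verdict> skipped".
DETECTION = re.compile(r"^(?P<path>.+?) (?:Infected|Suspicious): (?P<verdict>\S+) skipped$")

def system_root(hjt_log):
    """Infer the real system root from a HijackThis 'Running processes' list."""
    for line in hjt_log.splitlines():
        path = line.strip()
        parent = ntpath.dirname(path)
        if (ntpath.basename(path).lower() in CORE
                and ntpath.basename(parent).lower() == "system32"):
            return ntpath.dirname(parent)
    return None

def detections(scan_log):
    """Yield (path, verdict) pairs; 'Object is locked' lines do not match."""
    for line in scan_log.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            yield m.group("path"), m.group("verdict")

def decoy_hits(scan_log, real_root):
    """Detections stored under a system-root look-alike, not the real root."""
    real = ntpath.normcase(real_root)
    hits = []
    for path, verdict in detections(scan_log):
        drive, tail = ntpath.splitdrive(path)
        top = tail.lstrip("\\").split("\\")[0]
        candidate = ntpath.normcase(drive + "\\" + top)
        if top.lower() in ROOT_NAMES and candidate != real:
            hits.append((path, verdict))
    return hits

# Constructed sample, assembled from lines quoted in the thread.
HJT = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe"""
SCAN = r"""C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\windows\system32\drivers\spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
D:\Audio Convertors\Audio Conversion Wizard\acw [cracked].exe Suspicious: Packed.Win32.PePatch.dk skipped"""

if __name__ == "__main__":
    print(system_root(HJT), decoy_hits(SCAN, system_root(HJT)))
```

The check is a heuristic: a machine with a second Windows installation on the same drive would also be flagged, so a hit is a prompt to inspect the folder, as was done in this thread.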