browser closing triggered by word u

Computing.Net > Forums > Security and Virus > browser closing triggered by word u

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Click here to start participating now! Also, check out the New User Guide.

browser closing triggered by word u

Name: brilliantjeni
Date: April 1, 2007 at 17:01:46 Pacific
OS: XP
CPU/Ram: P4
Product: hp pavilion

Comment:

My fiance downloaded a bootleg of something and was then prompted to download the evil spylocked- not knowing it was scumware and wanting to fix it himself. Well, that obviously made it worse. I found 2 trojans, tons of adware popups, and my registry was a mess. Not to mention that f-ing blinking little "Security has found something" faux message from spylocked in the taskbar. I finally got rid of that, and zlob and a few others that were constantly repairing and reinstalling- more than 24 hours later, I'm still left with a browser that closes everytime specific words are entered for search. For instance if I search for sp yware (If I type this as a full word, my browser will close) my browser closes. If I attempt to dl hijack this (as one word) the window closes. I'd like to find these people that make this crap and do uncivilized things to their unmentionables. In the meantime, I've scanned repeatedly and manually removed related items from my registry. Avast said it found win32:QQpass-fv trojan on my computer, but I'm questioning the legitimacy. I know something is here, but scans with norton internet security 2007, spybot, windows defender, and spyhunter, have failed to find everything (only some zlob and spylocked related files- not even exe.'s.) Does anyone have any suggestions? Oh, and I've tried using different browsers, including firefox since it doesn't support activex- still closes down when I try to find anything with sp yware in it.

Google Ads

Response Number 1

Name: jabuck
Date: April 1, 2007 at 17:19:57 Pacific

Reply:

Please post the following thre scans, although you killed zlob smitfraud will help find some other baddies so post that log also.
Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.
Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.
!!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!!

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Response Number 2

Name: brilliantjeni
Date: April 1, 2007 at 18:39:02 Pacific

Reply:

As I said before- whatever this bug is, it will not let me download anything. It flashes the download window for a split second and then closes it.
Is there a way around this? Would this be caused by a file, script, change in the registry, etc?

Response Number 3

Name: jabuck
Date: April 1, 2007 at 19:05:49 Pacific

Reply:

Everything between the X"s is a normal host file:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Only this line is needed:

127.0.0.1 localhost
Many times a virus will add many legit sites to this list blocking access to the sites.
Navigate to:
C:\Windows\System32\Drivers\ETC\hosts
double click it> choose notepad from the list to view the file>click ok. If any other item are present just place the cursor to the right of the last files on the list then backspace untill only the above mentioned line exist then click file>click save.
If that was the problem immediately try to download combofix and run it> post its log.

Response Number 4

Name: brilliantjeni
Date: April 1, 2007 at 22:23:25 Pacific

Reply:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
__________________________
Has only the above. No sites listed at all. What could be the cause of something so specific? Would it be a file in the registry that restricts sites,words,downloads with specific words?
Gracias for all your help!

Response Number 5

Name: jabuck
Date: April 2, 2007 at 03:57:06 Pacific

Reply:

Go to the host file and add this line:
127.0.0.1 localhost
Click file> click save.
Then try again to download and run combofix.

remove ads by admob kernel extensions iphone windows defender Realtek RTL8101E Family PCI-E Fast Ethernet NIC (NDIS 6.20) life without internet opengl 1.4 download amt 1.35 ms-6533e drivers ms-6541 drivers trust 120 spacecam vista	MITA DP-560 ntuser.dat F-TO-TCD-24 ms-6577 drivers f-to-tcd-24l inside tnc Sony Net MD Walkman MZ-NE410 software Intel Corporation 82801BA LAN Controller ms-6119 driver analog devices soundmax driver win7
See More

Response Number 6

Name: brilliantjeni
Date: April 2, 2007 at 07:23:55 Pacific

Reply:

Still won't let me.
I was able to dl the hjt file using netscape and changing the file name before saving, however, when I try to start it, the virus or whatever it is, closes it down almost immediately. Same with combofix.

Response Number 7

Name: jabuck
Date: April 2, 2007 at 14:39:17 Pacific

Reply:

Try running the two programs from safe mode.
Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Response Number 8

Name: brilliantjeni
Date: April 2, 2007 at 15:20:03 Pacific

Reply:

I tried this just before reading your post. It did the same as when I tried to install it in normal mode. It starts, blinks for a quick second and is shut down.
I tried to download SVG as well but it did the same thing- won't let me at any site with it. So apparently, the words spyware, SVG, hijack this, HJT immediately shut my browser down. And if I try to run any sort of HJT software, (incluindg a-squared jack-free) the install wizard blinks open and then closes- even in safe mode.
Do you think I have a virus, or that I removed the virus and this is just damage left over?

Response Number 9

Name: jabuck
Date: April 2, 2007 at 15:34:15 Pacific

Reply:

It acts like a worm or trojan, see if you can run these programs.
Please download SilentRunners from this link http://www.silentrunners.org/Silent%20Runners.zip. Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile in a reply to this post.. Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile in a reply to this post.
Download WinPFind
Right Click the Zip Folder and Select "Extract All"
Extract it somewhere you will remember like the Desktop
Dont do anything with it yet!
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Doubleclick WinPFind.exe
Click " Configure Scan Options"
Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
Now Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete
Reboot back to Normal Mode!
Go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post!. It will be too big to post so you will need to attach it to your reply

Response Number 10

Name: brilliantjeni
Date: April 2, 2007 at 21:55:50 Pacific

Reply:

I'm not exactly sure myself, but I was able to get the following log from hijack this after applying some shananigans. I changed the name of hjt, hid it in different folders and was able to get it to load fast enough that it was done just a second before the bad bug nipped the window shut. Anyway- here it is.
Logfile of HijackThis v1.99.1
Scan saved at 8:42:32 PM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\setrysvc.exe
C:\WINDOWS\System32\semwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\a-squared Anti-Malware\a2HiJackFree.exe
C:\Program Files\a-squared Anti-Malware\a2scan.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Abexo\afrc\afrc.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeni\Application Data\Mozilla\Profiles\default\asy5afgd.slt\prefs.js)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menu...
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0108F48-F5CE-463F-9922-E124ACE8E63C}: NameServer = 172.16.0.2,172.16.0.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pejibcnvjxrt - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winup2date - C:\WINDOWS\system32\servmswinp.dll
O20 - Winlogon Notify: yzzsbkbzgtve - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony Ericsson Wireless LAN Tray Service (setrysvc) - Unknown owner - C:\WINDOWS\System32\setrysvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Windows kernel Service (Windows kernel Serv) - Unknown owner - C:\WINDOWS\system32\servmswin.exe

Response Number 11

Name: brilliantjeni
Date: April 3, 2007 at 13:38:30 Pacific

Reply:

I was able to get Panda Activescan to work! It found 4 viruses, 1 rootkit, 24 spyware- system is running better but still closing windows when hjt is in the page or download and when I search for sp yware (as one word.) I should say, in addition to the Dropper virus, G501 virus, Agent.czz virus, and torpig.a virus, my windows defender also found several versions of the zlog virus. Ad-aware found nothing- which I really surprised at. How is it possible Norton, Ad-aware, and Spybot didn't find these?

Here is the Panda log:
Incident Status Location
Adware:Adware/Miamore Not disinfected C:\WINDOWS\system32\servmswin.exe
Virus:trj/torpig.a Disinfected Operating system
Adware:adware/cws Not disinfected C:\Documents and Settings\Jeni\Favorites\Health
Adware:adware/cydoor Not disinfected c:\windows\cdmxtras
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/morwillsearch Not disinfected Windows Registry
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Guest\Cookies\guest@c.goclick[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jeni\Application Data\Mozilla\Profiles\default\asy5afgd.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jeni\Application Data\Mozilla\Profiles\default\asy5afgd.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jeni\Application Data\Mozilla\Profiles\default\asy5afgd.slt\cookies.txt[.com.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jeni\Application Data\Mozilla\Profiles\default\asy5afgd.slt\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\LocalService\Cookies\system@ccbill[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\LocalService\Cookies\system@toplist[1].txt
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\U4IA34TS\al3[1].txt
Virus:Trj/Agent.CZZ Disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2VA1VUYJ\3[1].bin
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13C.tmp
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13D.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13E.tmp
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13F.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C0.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E4.tmp
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1EC.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F9.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB9.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBA.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBB.tmp
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBD.tmp
Virus:Bck/G501.A Disinfected C:\WINDOWS\system32\.501.dll
Virus:Trj/Dropper.WI Disinfected C:\WINDOWS\system32\nng501.exe

Response Number 12

Name: jabuck
Date: April 3, 2007 at 16:01:44 Pacific

Reply:

Very good work!
Go to start> control panel> administrative tools> services> scroll down to and double click "Windows kernel Service (Windows kernel Serv)"> click stop> on the far right of "startup type" click the drop down arrow> click disable> apply>ok. Exit services.
Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.
Navigate to and delete these files if found:
C:\WINDOWS\system32\servmswin.exe
C:\WINDOWS\system32\servmswinp.dll
Next run Hijack This again, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menu...
O20 - Winlogon Notify: pejibcnvjxrt - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winup2date - C:\WINDOWS\system32\servmswinp.dll
O20 - Winlogon Notify: yzzsbkbzgtve - C:\WINDOWS\
O23 - Service: Windows kernel Service (Windows kernel Serv) - Unknown owner - C:\WINDOWS\system32\servmswin.exe
Exit Hijack This.
Try to run combofix as mentioined in response #1 and post its log and a new Hijack This log.

Response Number 13

Name: brilliantjeni
Date: April 5, 2007 at 16:51:00 Pacific

Reply:

It's getting worse. I couldn't even access the internet for the past day. I cannot run h j this- nor access any sites that have it spelled out. Nor have the word sp yware on it. I read something brief on how the zlob trojan can change browsing protocol- would this be the reason for this?

Response Number 14

Name: jabuck
Date: April 5, 2007 at 17:01:20 Pacific

Reply:

It does not appear to be zlob, guess it could be but I am doubtful of that.
Could you delete these files:
C:\WINDOWS\system32\servmswin.exe
C:\WINDOWS\system32\servmswinp.dll

Response Number 15

Name: brilliantjeni
Date: April 5, 2007 at 17:09:19 Pacific

Reply:

Smitfraudfix report:
SmitFraudFix v2.164
Scan done at 19:05:27.87, Thu 04/05/2007
Run from C:\Documents and Settings\Jeni\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\setrysvc.exe
C:\WINDOWS\System32\semwltry.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jeni

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jeni\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jeni\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00403}"="z"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00404}"="z"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DDEC2387-6435-46B6-AF8C-1075F6EBF08B}"="Master Browseui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D4C5947D-16E3-462F-A93D-FB718E100406}"="z"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B0099233-1FF5-4326-A3E8-24AE1DF18D57}"="google service"
[HKEY_CLASSES_ROOT\CLSID\{B0099233-1FF5-4326-A3E8-24AE1DF18D57}\InProcServer32]
@="C:\WINDOWS\system32\hjthis101.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B0099233-1FF5-4326-A3E8-24AE1DF18D57}\InProcServer32]
@="C:\WINDOWS\system32\hjthis101.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CEDE2188-484C-B239-A68E-DC1B84001001}"="yzzsbkbzgtve"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2188CEDE-B239-484C-8EA6-B84DC1001001}"="pejibcnvjxrt"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 172.16.0.2
DNS Server Search Order: 172.16.0.3
Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{020594B6-8B30-4023-8D3D-919EB9AA378A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C0108F48-F5CE-463F-9922-E124ACE8E63C}: NameServer=172.16.0.2,172.16.0.3
HKLM\SYSTEM\CS1\Services\Tcpip\..\{020594B6-8B30-4023-8D3D-919EB9AA378A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C0108F48-F5CE-463F-9922-E124ACE8E63C}: NameServer=172.16.0.2,172.16.0.3
HKLM\SYSTEM\CS3\Services\Tcpip\..\{020594B6-8B30-4023-8D3D-919EB9AA378A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C0108F48-F5CE-463F-9922-E124ACE8E63C}: NameServer=172.16.0.2,172.16.0.3
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Response Number 16

Name: brilliantjeni
Date: April 5, 2007 at 17:10:25 Pacific

Reply:

Silent Runners Log:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
----
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpyHunter" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi2005010104.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
-> {HKLM...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~2\A2FREE~1.DLL" ["Emsi Software GmbH"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"
-> {HKLM...CLSID} = "Web Anti-Virus statistics"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{B0099233-1FF5-4326-A3E8-24AE1DF18D57}" = "google service"
-> {HKLM...CLSID} = "C:\WINDOWS\system32\hjthis101.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hjthis101.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi2005010104.dll" ["Yahoo! Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~2\A2FREE~1.DLL" ["Emsi Software GmbH"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~2\A2FREE~1.DLL" ["Emsi Software GmbH"]

Group Policies {policy setting}:
---
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoFolderOptions" = (REG_DWORD) hex:0x00000000
{Removes the Folder Options menu item from the Tools menu}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableCMD" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jeni\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmarque.scr" [MS]

Winsock2 Service Provider DLLs:
--
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
-------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
-> {HKLM...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\CLSID\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = "Real.com"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKCU\Software\Microsoft\Internet Explorer\Extensions\
{A349A035-E26F-454B-ABB4-5208E50E1BE7}\
"ButtonText" = "ToolbarCop"
"MenuText" = "ToolbarCop"
"Exec" = "C:\Program Files\Toolbar\Toolbarcop.exe" [null data]
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus statistics"

Running Services (Display Name, Service Name, Path {Service DLL}):
--------
Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe"" ["Lavasoft AB"]
Kaspersky Internet Security 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r" ["Kaspersky Lab"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe"" [MS]
Sony Ericsson Wireless LAN Tray Service, setrysvc, "C:\WINDOWS\System32\setrysvc.exe C:\WINDOWS\System32\semwltry.exe" [null data]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDFConverter\Driver = "prnmnt.dll" [null data]

----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 80 seconds, including 18 seconds for message boxes)

Response Number 17

Name: jabuck
Date: April 5, 2007 at 17:47:40 Pacific

Reply:

Please download Win32delfkil.exe from this link win32delfkil.exe
Save it on your desktop.

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.

Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically.

Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log if possible.

Response Number 18

Name: brilliantjeni
Date: April 5, 2007 at 20:11:37 Pacific

Reply:

It's not letting me download this one either. And similar to hj this, it closes the browser window immediately when I search for it, or access any main sites that have the dl.

Response Number 19

Name: jabuck
Date: April 5, 2007 at 20:27:41 Pacific

Reply:

Can you download it to a floppy or disk from another computer then run it on the infected computer?

Response Number 20

Name: brilliantjeni
Date: April 5, 2007 at 20:39:01 Pacific

Reply:

Unfortunately no! I'm actually in a rather remote location in Mexico for several more months. Is there any other way around such a thing? I've gotten the occasional virus before, but never had this much difficulty getting rid of it. Are there other programs that can do the same sort of reading as h j this?

Response Number 21

Name: jabuck
Date: April 5, 2007 at 21:24:52 Pacific

Reply:

We can try to do it manually.
Reboot into safe mode. To do so restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Make sure you can view hidden file as suggested in response #12.
Navigate to and delete these files if found:
C:\WINDOWS\system32\servmswin.exe
C:\WINDOWS\system32\servmswinp.dll
C:\WINDOWS\system32\hjthis101.dll
Reboot to normal mode.
Open notepad (Start Menu > Run > Type notepad and press "ok".
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00403}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00404}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DDEC2387-6435-46B6-AF8C-1075F6EBF08B}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D4C5947D-16E3-462F-A93D-FB718E100406}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B0099233-1FF5-4326-A3E8-24AE1DF18D57}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B0099233-1FF5-4326-A3E8-24AE1DF18D57}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B0099233-1FF5-4326-A3E8-24AE1DF18D57}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CEDE2188-484C-B239-A68E-DC1B84001001}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2188CEDE-B239-484C-8EA6-B84DC1001001}"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Try to download and run Win32delfkil.exe
Then download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode
Download and install AVG Anti-Spyware We will need this later in safe mode
Be sure to update AVG Anti- Spyware
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Reboot your computer into Safe Mode again.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop). Post the AVG report.

Response Number 22

Name: brilliantjeni
Date: April 5, 2007 at 23:16:06 Pacific

Reply:

Obviously, much better already- allowed me to open and dl all files that I couldn't before. Just one thing tho- now it won't let me restart in safe mode and tries to scan in blue before starting in normal mode, getting hung up during that scan. I checked in my CCleaner for obvious issues- Only one issue came up- it says "missing startup software = HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"

Response Number 23

Name: brilliantjeni
Date: April 5, 2007 at 23:30:14 Pacific

Reply:

I ran hjt in case that helps...
Logfile of HijackThis v1.99.1
Scan saved at 12:59:05 AM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\setrysvc.exe
C:\WINDOWS\System32\semwltry.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.savewealth.com/support/i...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savewealth.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeni\Application Data\Mozilla\Profiles\default\asy5afgd.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0108F48-F5CE-463F-9922-E124ACE8E63C}: NameServer = 172.16.0.2,172.16.0.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: pejibcnvjxrt - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: yzzsbkbzgtve - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony Ericsson Wireless LAN Tray Service (setrysvc) - Unknown owner - C:\WINDOWS\System32\setrysvc.exe

Response Number 24

Name: jabuck
Date: April 6, 2007 at 08:59:39 Pacific

Reply:

Can you run Win32delfkil.exe

Response Number 25

Name: brilliantjeni
Date: April 6, 2007 at 13:06:09 Pacific

Reply:

Got it!
WIN32DELFKIL LOGFILE - by Marckie

version 3.125
Fri 04/06/2007 14:55:23.01
running from: "C:\Documents and Settings\Jeni\Desktop"

--- File(s) found in Windows directory ---
gc403.cnf
gc404.cnf
gc405.cnf
gsc405.cnf
gc_406.cnf
gsc_406.cnf
gc_407.cnf
gsc_407.cnf
ztaskmen32.pif

--- File(s) found in system32 folder ---

--- Services ---
service Windows kernel Serv is present!
[SWSC] DeleteService SUCCESS

--- Export SharedTaskScheduler key ---
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

--- Notify key ---

--- rebooting the computer ---

--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

--- Notify key ---

Finished!

Response Number 26

Name: jabuck
Date: April 6, 2007 at 14:32:22 Pacific

Reply:

Great!
Please post a new Hijack This log and see if you can post a combofix log.

Response Number 27

Name: brilliantjeni
Date: April 6, 2007 at 14:59:31 Pacific

Reply:

New HJT log- will post combofix log in a few mins. Thank you!
Logfile of HijackThis v1.99.1
Scan saved at 4:57:26 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\setrysvc.exe
C:\WINDOWS\System32\semwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.savewealth.com/support/i...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savewealth.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and
Settings\Jeni\Application Data\Mozilla\Profiles\default\asy5afgd.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt
8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security
6.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program
Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program
Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program
Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) -
http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.symantec.com/sscv6/...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program
Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windows...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/active...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) -
https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0108F48-F5CE-463F-9922-E124ACE8E63C}: NameServer =
172.16.0.2,172.16.0.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: pejibcnvjxrt - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: yzzsbkbzgtve - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware
Pro\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems
Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG
Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky
Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia
Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony Ericsson Wireless LAN Tray Service (setrysvc) - Unknown owner -
C:\WINDOWS\System32\setrysvc.exe

Response Number 28

Name: brilliantjeni
Date: April 6, 2007 at 15:35:00 Pacific

Reply:

ComboFix Log-
"Jeni" - 07-04-06 17:08:13 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Jeni\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Jeni\Desktop.\internet explorer.lnk
C:\Program Files\autorun.inf
C:\WINDOWS\system32\ldinfo.ldr
C:\Program Files\Common Files\{BC525~1

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_MCHINJDRV

((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))

2007-04-06 14:55 90,112 --a--c--- C:\WINDOWS\system32\regdacl.exe
2007-04-06 14:55 4,096 --a--c--- C:\WINDOWS\system32\reboot.exe
2007-04-06 14:55 278,902 --a--c--- C:\win32delfkil.exe
2007-04-06 14:55 16,384 --a--c--- C:\WINDOWS\system32\restart.exe
2007-04-06 14:55 <DIR> d----c--- C:\WINDOWS\system32\regdacl
2007-04-06 14:55 <DIR> d----c--- C:\_backupD
2007-04-06 00:17 3,968 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-06 00:16 6,469,352 --a--c--- C:\Program Files\avgas-setup-7.5.0.50.exe
2007-04-06 00:14 50,688 --a--c--- C:\Program Files\ATF-Cleaner.exe
2007-04-06 00:11 278,902 --a--c--- C:\Program Files\win32delfkil.exe
2007-04-05 19:17 <DIR> d----c--- C:\Program Files\CCleaner
2007-04-05 19:15 460,320 --a--c--- C:\Program Files\ccsetup138_slim.exe
2007-04-05 19:06 1,598 --a--c--- C:\WINDOWS\system32\tmp.reg
2007-04-05 19:04 79,360 --a--c--- C:\WINDOWS\system32\swxcacls.exe
2007-04-05 19:04 53,248 --a--c--- C:\WINDOWS\system32\Process.exe
2007-04-05 19:04 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2007-04-05 19:04 42,496 --a--c--- C:\WINDOWS\system32\swreg.exe
2007-04-05 19:04 40,960 --a--c--- C:\WINDOWS\system32\swsc.exe
2007-04-05 19:04 288,417 --a--c--- C:\WINDOWS\system32\SrchSTS.exe
2007-04-05 18:56 <DIR> d----c--- C:\Program Files\sff
2007-04-05 07:13 <DIR> d--h-c--- C:\WINDOWS\PIF
2007-04-04 04:26 75,932 --a--c--- C:\WINDOWS\system32\drivers\klick.dat
2007-04-04 04:26 74,396 --a--c--- C:\WINDOWS\system32\drivers\klin.dat
2007-04-04 04:26 5,548,064 --ahsc--- C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-04 04:26 28,448 --ahsc--- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-04-04 04:26 <DIR> d----c--- C:\Program Files\Kaspersky Lab
2007-04-04 04:26 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-04-04 04:24 <DIR> d----c--- C:\kav
2007-04-04 04:17 816,736 --a--c--- C:\Program Files\Norton_Removal_Tool.exe
2007-04-04 04:01 <DIR> d----c--- C:\Program Files\kris
2007-04-04 02:52 <DIR> d----c--- C:\Program Files\doc
2007-04-03 22:44 <DIR> d----c--- C:\DOCUME~1\Jeni\APPLIC~1\WholeSecurity
2007-04-03 22:35 15,533,600 --a--c--- C:\Program Files\20070403-021-i32.exe
2007-04-03 21:37 <DIR> d----c--- C:\WINDOWS\system32\New Folder
2007-04-03 20:36 831,648 --a--c--- C:\Program Files\rr-free-setup.exe
2007-04-03 19:53 <DIR> d--h-c--- C:\WINDOWS\msdownld.tmp
2007-04-03 19:53 <DIR> d----c--- C:\WINDOWS\Windows Update Setup Files
2007-04-03 17:03 <DIR> d----c--- C:\Program Files\Common Files\Java
2007-04-03 16:42 <DIR> d----c--- C:\DOCUME~1\Jeni\APPLIC~1\Sun
2007-04-03 03:11 <DIR> d----c--- C:\WINDOWS\system32\ActiveScan
2007-04-02 18:29 <DIR> d----c--- C:\Program Files\AAAAAAAAA
2007-04-02 13:03 <DIR> d----c--- C:\Program Files\a-squared Free
2007-04-02 12:20 13,829,120 --a--c--- C:\Program Files\a2FreeSetup.exe
2007-04-02 12:17 <DIR> d----c--- C:\Program Files\a-squared Anti-Malware
2007-04-02 01:05 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-01 22:35 15,505,200 --a--c--- C:\Program Files\IE7-WindowsXP-x86-enu.exe
2007-04-01 22:08 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-04-01 16:49 <DIR> d----c--- C:\Program Files\Alwil Software
2007-04-01 16:47 13,569,768 --a--c--- C:\Program Files\setupengpro.exe
2007-04-01 16:19 258,560 --a--c--- C:\Program Files\ie-spyad.exe
2007-04-01 16:13 21,312 --a--c--- C:\WINDOWS\choice.exe
2007-04-01 16:12 <DIR> d----c--- C:\Program Files\ie-spyad
2007-04-01 16:11 <DIR> d----c--- C:\ie-spyad
2007-04-01 15:24 <DIR> d----c--- C:\Program Files\BHODemon 2
2007-04-01 15:23 2,002,066 --a--c--- C:\Program Files\bhodemon20setup_2023.exe
2007-04-01 14:54 6,006,832 --a--c--- C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-04-01 02:53 <DIR> d----c--- C:\Program Files\Enigma Software Group
2007-04-01 01:18 5,037,072 --a--c--- C:\Program Files\spybotsd14.exe
2007-04-01 00:51 740,770 --a--c--- C:\Program Files\afrcfree.exe
2007-04-01 00:51 <DIR> d----c--- C:\Program Files\Abexo
2007-04-01 00:16 5,954,520 --a--c--- C:\Program Files\Windows-KB890830-V1.27.exe
2007-03-31 22:56 <DIR> d----c--- C:\Program Files\Registry Clean Expert
2007-03-31 21:00 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-03-31 12:31 <DIR> d-a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-24 16:39 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
2007-03-24 16:38 <DIR> d----c--- C:\Program Files\TechSmith
2007-03-24 16:36 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-24 15:45 4,084,637 --a--c--- C:\Program Files\tntsetup.exe
2007-03-24 13:28 <DIR> d----c--- C:\Program Files\IESnap
2007-03-15 15:17 29,776 --a--c--- C:\Program Files\setup.exe
2007-03-15 12:23 497,496 --a--c--- C:\WINDOWS\system32\XceedZip.dll
2007-03-15 12:19 526,184 --a--c--- C:\WINDOWS\system32\XceedCry.dll
2007-03-12 21:39 221,184 --a--c--- C:\WINDOWS\system32\wmpns.dll
2007-03-12 21:39 <DIR> d----c--- C:\Program Files\Windows Media Connect 2
2007-03-12 21:34 <DIR> d----c--- C:\WINDOWS\system32\drivers\UMDF
2007-03-09 19:58 25,734 --a--c--- C:\WINDOWS\system32\drivers\klop.dat
2007-03-09 19:52 200,768 --a--c--- C:\WINDOWS\system32\klogon.dll
2007-03-06 16:51 1,410,680 --a--c--- C:\Program Files\install_flash_player.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-04 04:21 -------- d----c--- C:\Program Files\Common Files\symantec shared
2007-04-04 04:19 -------- d----c--- C:\Program Files\symantec
2007-04-04 04:19 -------- d----c--- C:\Program Files\norton antivirus
2007-04-04 02:40 5934472 --a--c--- C:\Program Files\windows-kb890830-v1.27.zip
2007-04-03 20:45 -------- d----c--- C:\Program Files\windows defender
2007-04-03 20:43 -------- d----c--- C:\Program Files\google
2007-04-03 18:11 -------- d----c--- C:\Program Files\java
2007-04-03 16:39 -------- d--h-c--- C:\Program Files\installshield installation information
2007-04-03 04:42 -------- d----c--- C:\Program Files\magiciso
2007-04-02 23:55 16288 --a--c--- C:\Program Files\startup runners.txt
2007-04-02 23:45 86155 --a--c--- C:\Program Files\silent runners.zip
2007-04-02 00:46 488144 --a--c--- C:\Program Files\hijackthis setup.exe
2007-04-02 00:42 488144 --a--c--- C:\Program Files\hjk setup.exe.jpg
2007-04-01 22:08 -------- d----c--- C:\Program Files\lavasoft
2007-04-01 22:06 13571584 --a--c--- C:\Program Files\aaw2007beta.msi
2007-03-31 21:02 -------- d----c--- C:\Program Files\yahoo!
2007-03-31 20:41 4905032 --a--c--- C:\Program Files\opera_9.10_eng_setup.exe
2007-03-28 18:49 2620 --ahsc--- C:\WINDOWS\system32\kgygaavl.sys
2007-03-16 17:31 23304 --a--c--- C:\Program Files\release_notes_en.html
2007-03-15 15:16 22427648 --a--c--- C:\Program Files\kis6.en.msi
2007-03-08 10:36 577536 --a--c--- C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 40960 --a--c--- C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36 281600 --a--c--- C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47 1843584 --a--c--- C:\WINDOWS\system32\win32k.sys
2007-03-05 22:38 5632 --a--c--- C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-03-03 20:39 110360 --a--c--- C:\WINDOWS\system32\drivers\kl1.sys
2007-02-23 18:38 415784 --a--c--- C:\Program Files\msgr8us.exe
2007-02-17 12:40 -------- d----c--- C:\DOCUME~1\Jeni\APPLIC~1\utorrent
2007-02-16 18:01 11264 --ahsc--- C:\Program Files\thumbs.db
2007-02-09 12:19 -------- d----c--- C:\DOCUME~1\Jeni\APPLIC~1\symantec
2007-02-09 12:07 38072144 --a--c--- C:\Program Files\nis_10.0_build_86_29_oem30_yahoo.exe
2007-02-09 01:27 10344 --a--c--- C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-02-09 01:13 -------- d----c--- C:\DOCUME~1\Jeni\APPLIC~1\yahoo!
2007-02-09 01:03 467536 --a--c--- C:\Program Files\ycomp_setup_nis_us.exe
2007-02-07 01:13 -------- d----c--- C:\Program Files\msn messenger
2007-01-24 11:47 7 ---hsc--- C:\AUTOEXEC.BAT
2007-01-19 13:53 51056 --a--c--- C:\WINDOWS\system32\sirenacm.dll
2007-01-08 19:01 17408 --a--c--- C:\WINDOWS\system32\corpol.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SpyHunter"=""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
"backup"="C:\\WINDOWS\\pss\\DVD Check.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\DVDCHE~1\\DVDCheck.exe "
"item"="DVD Check"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOL Fast Start"
"hkey"="HKCU"
"inimapping"="0"
"64bititem"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BitComet"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitLord\\BitLord.exe\""
"inimapping"="0"
"64bititem"="2"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"inimapping"="0"
"64bititem"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon.exe"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
"64bititem"="2"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EabServr"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GCXX-Manager-Class]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GCXXManager"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Sony Ericsson\\Wireless Manager\\GCXXManager.exe\" -startup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISUSPM Startup"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"inimapping"="0"
"64bititem"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISUSScheduler"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"
"64bititem"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"
"64bititem"="2"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="osCheck"
"hkey"="HKLM"
"inimapping"="0"
"64bititem"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="P2P Networking"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickTime Task"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
"64bititem"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegClean Expert Scheduler"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Registry Clean Expert\\RCHelper.exe\" /startup"
"inimapping"="0"
"64bititem"="2"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SemanticInsight"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson Wireless Manager UI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="semwltray"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Smax4"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SMax4PNP"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareLocked]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpywareLocked"
"hkey"="HKLM"
"inimapping"="0"
"64bititem"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swg"
"hkey"="HKCU"
"inimapping"="0"
"64bititem"="2"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Windows Defender"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"
"64bititem"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Yahoo! Pager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"
"64bititem"="2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pejibcnvjxrt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yzzsbkbzgtve
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{836cd0f2-ae25-11db-9bbb-001500001409}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f9761c46-7cf8-11db-9b68-001500001409}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-06 17:19:02
C:\ComboFix-quarantined-files.txt ... 07-04-06 17:19

Response Number 29

Name: jabuck
Date: April 6, 2007 at 21:52:01 Pacific

Reply:

Open notepad by going to start> run> type in notepad> format> uncheck "word wrap"> close notepad.
Go to start > controlpanel > add/remove programs and uninstall next if present:
SpywareLocked
Think-Adz Search Assistant
Enhanced Ads by Think-Adz
Surfsidekick
ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX by OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Snowball Wars by OIN
Yazzle Sudoku by OIN
Zolero Translator
or anything similar with Oin in it
888 toolbar
anything with 888 in it
If OIN not listed, download and run this uninstaller OiUninstaller.exe
Reboot when done! Really important!
let me know if you find any of these.
Run Hijack This from normal mode and remove these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.savewealth.com/support/i...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savewealth.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O20 - Winlogon Notify: pejibcnvjxrt - C:\WINDOWS\

O20 - Winlogon Notify: yzzsbkbzgtve - C:\WINDOWS\
Exit Hijack This.
Open notepad (Start Menu > Run > Type notepad and press "ok".
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareLocked]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pejibcnvjxrt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yzzsbkbzgtve]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Post a new Hijack This log and a new Combofix log please.

Response Number 30

Name: brilliantjeni
Date: April 6, 2007 at 22:24:20 Pacific

Reply:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:12 AM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\setrysvc.exe
C:\WINDOWS\System32\semwltry.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeni\Application Data\Mozilla\Profiles\default\asy5afgd.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0108F48-F5CE-463F-9922-E124ACE8E63C}: NameServer = 172.16.0.2,172.16.0.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony Ericsson Wireless LAN Tray Service (setrysvc) - Unknown owner - C:\WINDOWS\System32\setrysvc.exe

Response Number 31

Name: jabuck
Date: April 6, 2007 at 22:36:36 Pacific

Reply:

Looking much better.
I turned off your windows genuine advantage with Hijack This, to restore it run Hijack this> view the list of backups> place a check to the left of this item:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
then click "restore".
Exit Hijack This.
You need to update your java as soon as possible as it is out of date and will cause you to get infected. Download the latest version of http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
. Then from your desktop double-click on jre-1_6_0-windowsi586-p.exe to install the newest version.

Response Number 32

Name: brilliantjeni
Date: April 7, 2007 at 00:00:07 Pacific

Reply:

This file doesn't show in the restore on hjt. Is there another way to turn it on?
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
Updated Java. New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:59:16 AM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\setrysvc.exe
C:\WINDOWS\System32\semwltry.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeni\Application Data\Mozilla\Profiles\default\asy5afgd.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1....
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0108F48-F5CE-463F-9922-E124ACE8E63C}: NameServer = 172.16.0.2,172.16.0.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony Ericsson Wireless LAN Tray Service (setrysvc) - Unknown owner - C:\WINDOWS\System32\setrysvc.exe

Response Number 33

Name: jabuck
Date: April 7, 2007 at 08:25:09 Pacific

Reply:

No, there should be a backup of everything we removed with Hijack This.
It should reinstall on the next windows update. Or you could click the link in this Hijack This item:
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
And see if it will download.
Everything else looks good.
How is the computer operating?

Response Number 34

Name: brilliantjeni
Date: April 7, 2007 at 14:33:39 Pacific

Reply:

Well, it's running super fast once it's started- like new. But it's taking about 5 minutes to start up and keeps prompting for a scan during startup but hanging if I let it scan.
Also, I've lost my wireless. It says dns error? I'm connected through the isp router now. I called the company and had them restart it just in case but no change.

Response Number 35

Name: brilliantjeni
Date: April 7, 2007 at 16:47:26 Pacific

Reply:

res://ieframe.dll/dnserrordiagoff.htm#http://www.google.com/
I'm getting this error- if that helps.

Response Number 36

Name: jabuck
Date: April 7, 2007 at 17:04:41 Pacific

Reply:

I don't know about the dns error, sounds like IE7.
What kind of scan begins when you start the computer?

Response Number 37

Name: brilliantjeni
Date: April 7, 2007 at 20:38:53 Pacific

Reply:

I ran windows update and that replaced whatever startup files were out of order. The CHDSK windows scan completed and now the computer is starting a little faster but still taking a while.
I also disabled my WEP on my router and now have wireless again. Re-enabling it doesn't let me connect anymore though and I'm not sure why.
So I guess two final questions-
1- What do I look at to see what's slowing my computer at startup?
2- Is there some known issue that disables/corrupts WEP wireless connections?
I really can't thank you enough for all your help. I depend on my computer for work and communication (Vonage just doesn't work without internet) while being here in third world country for the next few months!

Response Number 38

Name: jabuck
Date: April 7, 2007 at 21:13:09 Pacific

Reply:

Your java is out of date and needs to be updated as soon as possible.
Download the latest version of http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
. Then from your desktop double-click on jre-1_6_0-windowsi586-p.exe to install the newest version.
I have a router (Linksis G) and have never used WEP.
The slow startup could be scans from Adaware or Kaspersky.
You can remove these items with Hijack This:
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Program Files\Toolbar\Toolbarcop.exe (file missing) (HKCU)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1....
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
You might try uninstalling the google toolbar and see if that helps.
Mine doesn't start up fast but does fine once it is running.

Response Number 39

Name: zidan19
Date: April 10, 2007 at 19:36:10 Pacific

Reply:

hi...i just got myself a new virus not 30 minutes ago...
everytime i typed t/rojan(note that / is not in the name...hav to if not it'll close my browser) in net browsers it'll automatically close my browser...
my symantec antivirus programme detected this virus but the action taken was 'left alone'...i tried deleting it manually but the reply from the antivirus programme is 'files not found/deleted,computers infected off,trying to clean a file in email message,trying to clean a compressed file in a container'

the name of the virus is T/rojan.Exploits.131...i got it from a manga fan website www.bleachportal.net where the mangas n animes of bleach can be download...the virus rite now is in my temporary internet folder...i tried deleting the temporary internet folder using the tools>delete browsing history>delete temporary internet file...but the delete box process was terminated/close just a while after it started...
i also started a scan in temporary internet folder the moment i can't delete it using antivirus programme symantec but it's still scanning despite the fact that my temp internet file is not that big...
i also try using ctrl+f to find it but the search return none no matter what category i searched in...the file name is wxp[1].ani...b4 it is temp internet files\content.IE5\DNC6OCKV...then i tried typing only wxp n came up wit my antivirus log...
25030B08160D,46,1,2,ADIS,Adi Tan,Trojan.Exploit.131,C:\Documents and Settings\Adi Tan\Local Settings\Temporary Internet Files\Content.IE5\DNC6OCKV\wxp0[1].ani,5,3,4,256,33554436,"",0,,0,101 {1FCCDC79-9AF5-4A8A-9CDB-D6B72B02C917} 0 0 Trojan.Exploit.131 2;0;13 0 0 ,0,19040,0,0,0,,,0,,0,0,0,0,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,999,,25baa7b2-07cb-4e63-b208-2bc72d009961,0,ADIS
25030B08160D,51,1,2,ADIS,Adi Tan,Trojan.Exploit.131,C:\Documents and Settings\Adi Tan\Local Settings\Temporary Internet Files\Content.IE5\DNC6OCKV\wxp0[1].ani,5,3,4,256,37748804,"",0,,0,101 {1FCCDC79-9AF5-4A8A-9CDB-D6B72B02C917} 0 1 Trojan.Exploit.131 2;0;13 0 0 ,0,19040,0,0,0,,,0,,0,0,0,0,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,999,,25baa7b2-07cb-4e63-b208-2bc72d009961,0,ADIS
25030B081A2F,3,2,1,ADIS,Adi Tan,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1176251208,,0,,,,,0,,,,,,,,,,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,0,,,,ADIS
25030B082A36,6,2,1,ADIS,Adi Tan,,,,,,,16777216,"Could not scan 1 files inside C:\I386\SOFTBAR.IN_ due to extraction errors encountered by the Decomposer Engines.",0,,0,,,,,0,,,,,,,,,,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,0,,,,ADIS
25030B090421,2,2,1,ADIS,Adi Tan,,,,,,,16777216,"Scan Complete: Threats: 0 Scanned: 147684 Files/Folders/Drives Omitted: 1",1176251208,,0,0:0:147684:1,,,,0,,,,,,,,,,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,0,,,,ADIS
25030B090422,3,2,1,ADIS,Adi Tan,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1176251326,,0,,,,,0,,,,,,,,,,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,0,,,,ADIS
25030B091407,6,2,1,ADIS,Adi Tan,,,,,,,16777216,"Could not scan 1 files inside C:\I386\SOFTBAR.IN_ due to extraction errors encountered by the Decomposer Engines.",0,,0,,,,,0,,,,,,,,,,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,0,,,,ADIS
25030B0A061A,2,2,1,ADIS,Adi Tan,,,,,,,16777216,"Scan Complete: Threats: 0 Scanned: 147838 Files/Folders/Drives Omitted: 1",1176251326,,0,0:0:147838:1,,,,0,,,,,,,,,,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,0,,,,ADIS
25030B0A061B,3,2,11,ADIS,Adi Tan,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1176251441,,0,,,,,0,,,,,,,,,,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,0,,,,ADIS
25030B0A0809,2,2,11,ADIS,Adi Tan,,,,,,,16777216,"Scan Complete: Threats: 0 Scanned: 416 Files/Folders/Drives Omitted: 0",1176251441,,0,0:0:416:0,,,,0,,,,,,,,,,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,0,,,,ADIS
25030B0A0809,3,2,1,ADIS,Adi Tan,,,,,,,16777216,"Scan started on all drives and all extensions.",1176251904,,0,,,,,0,,,,,,,,,,SSC10,{4CC24BEE-83F0-47F6-8DE5-628D383A5ED0},,(IP)-192.168.1.2,,MIP,00:0F:1F:AF:F9:01,10.0.1.1000,,,,,,,,,,,,,,,,0,,,,ADIS

ah...just remember...i find that my antivirus virus definition update cannot update till 11/4/2007...the latest only 11/4/2007...it is strange because i updated it today 11 april but the virus definition keep on displaying 10 april...
please help me...
A student using his father's computer n get baddies.

Response Number 40

Name: zidan19
Date: April 10, 2007 at 19:46:53 Pacific

Reply:

sorry but i hav to post again...i forgot my log file contains the full virus name...now i can't access to the page where my msg is...please notify through my email zidan1989@hotmail.com...i dunno if this reply will appear in the same post page...n i hope not...if yes then i'll need to repost under new title...
A student using his father's computer n get baddies.

Response Number 41

Name: brilliantjeni
Date: April 13, 2007 at 13:12:42 Pacific

Reply:

That did the trick- it was Kaspersky scanning on startup that was slowing everything down so much. Strange- I have it set not to scan on startup but it does anyway. I think I'm just going to switch anti-viruses. This one has a mind of its own.
Anyway- much much much thanks for all your help and especially your time.

Response Number 42

Name: jabuck
Date: April 13, 2007 at 19:59:12 Pacific

Reply:

Glad we could help.

Google Ads

spamspam from china youtv

Win Fixer & WinAntivi...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Google Ads

Results for: browser closing triggered by word u

more virus info ...

Summary

www.computing.net/answers/security/more-virus-info-/3501.html

Browser Issues (caused by a virus).

Summary

www.computing.net/answers/security/browser-issues-caused-by-a-virus/22075.html

Strange 'Micorsoft' Pop-up Windows

Summary

www.computing.net/answers/security/strange-micorsoft-popup-windows/5894.html

Explore Similar Topics

c:\i386\softbar.in

virus browser closes

browser closes when i search for specific word

regedit4 disablecmd

browser closes when i search the word antivirus

Ask a Question!

From the Geek Dictionary
Annoyance - Not quite the same as a bug, but equally as frustrating. Typically descri...

Weekly Poll
Would you play for PlayStation Network?

Poll Finishes In 4 Days.
Discuss in The Lounge
Poll History

Recent Posts
system won't boot after battery replacement

Choosing the right computer

can't open Device Manager

Install Mac OS X Leopard on HP with Windows 7

New ethernet card / old network?

All Awaiting Reply

Tom's News
Our Top 11 Favorite Super Bowl TV Commercials

Artist Uses Floppy Disks to Create Paintings

VIDEO: An HD Tour of the Space Station

Samsung Launching AMOLED Phone Next Week?

Man Fined $1.5M for Leaked Mario Game Upload

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE