
Please Help - HijackThis Log included

Discussion in 'Malware and Virus Removal Archive' started by BrynTheSkits, 2006/12/06.

  1. 2006/12/06
    BrynTheSkits

    BrynTheSkits Inactive Thread Starter

    Joined:
    2006/11/01
    Messages:
    46
    Likes Received:
    0
    When I start up my computer this icon appears in the notification area at the bottom right corner of my screen; there's a link to a screenshot here. When I click this icon, Internet Explorer popups start to appear and I can't stop them from popping up.

    Here's my HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 1:36:11 p.m., on 07/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\issearch.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\ismini.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\ishost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Office5\Desktop\Burn\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...7UxiLRpPcaa2aSrDRrAh3HhN8imTK9S9PF7+UYq+RZOQ=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
    O3 - Toolbar: Safety Bar - {18668683-731c-48fa-b1b9-ad013748fb00} - C:\Program Files\Safety Bar\SafetyBar.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvsud.dll,startup
    O4 - HKLM\..\Run: [Virus-Bursters] C:\Program Files\Virus-Bursters\virus-bursters.exe /h
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb030YYNZ
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456...players/english/5.0/win/PulsePlayer5AxWin.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://spinpalace.microgaming.com/spinpalace/FlashAX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O21 - SSODL: gloomily - {9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} - C:\WINDOWS\System32\mlraakb.dll
     
  2. 2006/12/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be installed on the desktop.

    You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of the modifications to use if a restore is necessary, which is easily accessible.

    This is one of the many SmitFraud/Zlob infections. Please follow the directions for the first part of the fix.

    Please download SmitfraudFix (by S!Ri). Save it to your desktop.

    Double-click SmitfraudFix.exe and it will install a new folder on your desktop, called SmitfraudFix. Shortly after that a DOS command window will appear. Once it opens, hit any key to continue.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.
     

  4. 2006/12/06
    BrynTheSkits

    BrynTheSkits Inactive Thread Starter

    Joined:
    2006/11/01
    Messages:
    46
    Likes Received:
    0
    I have done what you have asked, and the content of SmitFraudFix's rapport.txt file is below

    SmitFraudFix v2.128

    Scan done at 16:40:56.01, 07/12/2006
    Run from C:\Documents and Settings\Office5\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ishost.exe FOUND !
    C:\WINDOWS\system32\ismini.exe FOUND !
    C:\WINDOWS\system32\isnotify.exe FOUND !
    C:\WINDOWS\system32\issearch.exe FOUND !
    C:\WINDOWS\system32\ixt?.dll FOUND !
    C:\WINDOWS\system32\ixt??.dll FOUND !
    C:\WINDOWS\system32\mlraakb.dll FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\components\flx?.dll FOUND !
    C:\WINDOWS\system32\components\flx??.dll FOUND !
    C:\WINDOWS\system32\components\flx???.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Office5


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Office5\Application Data

    C:\Documents and Settings\Office5\Application Data\Microsoft\Internet Explorer\Quick Launch\Virus-Bursters 6.3.lnk FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Office5\FAVORI~1

    C:\DOCUME~1\Office5\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\Safety Bar\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} "= "gloomily "

    [HKEY_CLASSES_ROOT\CLSID\{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f}\InProcServer32]
    @= "C:\WINDOWS\System32\mlraakb.dll "

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f}\InProcServer32]
    @= "C:\WINDOWS\System32\mlraakb.dll "



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  5. 2006/12/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Very good, now for the second part of the fix.


    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!

    Please download, install, and update the free version of AVG Anti-Spyware 7.5, formerly Ewido Anti-Malware:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main Ewido screen, click on Update in the left menu, then click the Start update button.
    4. After the update finishes, the status bar at the bottom will display "Update successful".
    5. Exit Ewido. DO NOT run a scan yet.

    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the F8 key.
    Use the arrow keys to highlight Safe Mode and press the Enter key.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    AFTER SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • If ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido
    Then please restart into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report (please edit out all 'cookies' found, 'Recycler' and 'restore\system volume folder' references from the log) and a new HijackThis log.
     
  6. 2006/12/07
    BrynTheSkits

    BrynTheSkits Inactive Thread Starter

    Joined:
    2006/11/01
    Messages:
    46
    Likes Received:
    0
    I have done what you have asked, and the following is the content of the report files you said I should include in my reply


    SmitFraudFix's rapport.txt file

    SmitFraudFix v2.128

    Scan done at 19:42:48.14, 07/12/2006
    Run from C:\Documents and Settings\Office5\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} "= "gloomily "

    [HKEY_CLASSES_ROOT\CLSID\{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f}\InProcServer32]
    @= "C:\WINDOWS\System32\mlraakb.dll "

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f}\InProcServer32]
    @= "C:\WINDOWS\System32\mlraakb.dll "


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\System32\mlraakb.dll -> Hoax.Win32.Renos.gen.i
    C:\WINDOWS\System32\mlraakb.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\ishost.exe Deleted
    C:\WINDOWS\system32\ismini.exe Deleted
    C:\WINDOWS\system32\isnotify.exe Deleted
    C:\WINDOWS\system32\issearch.exe Deleted
    C:\WINDOWS\system32\ixt?.dll Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\WINDOWS\system32\components\flx?.dll Deleted
    C:\Documents and Settings\Office5\Application Data\Microsoft\Internet Explorer\Quick Launch\Virus-Bursters 6.3.lnk Deleted
    C:\DOCUME~1\Office5\FAVORI~1\Antivirus Test Online.url Deleted
    C:\Program Files\Safety Bar\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    -----------------------------------------------------------------


    Ewido's Report-Scan-20061207-205555.txt file


    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:55:55 p.m. 07/12/2006

    + Scan result:



    HKLM\SOFTWARE\SearchRelevancy -> Adware.SearchRelevancy : Deleted.
    HKLM\SOFTWARE\SearchRelevancy\Update -> Adware.SearchRelevancy : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml.backup -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindIt.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindItHot.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\Highlight.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\HighlightHot.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\PopupBlocker.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\PopupBlockerHot.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\Reference.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\ReferenceHot.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\blocker.cur -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafe.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafeA.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\findithotxp.png -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\finditxp.png -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\games.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\gamesA.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlighthotxp.png -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlightxp.png -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\logo.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\logoxp.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\moviesA.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\popupblockerhotxp.png -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\popupblockerxp.png -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencehotxp.png -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencexp.png -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\screensaver.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\screensaverA.bmp -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\contexts -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\contexts\Travel.xml.backup -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\contexts\error.xml -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\contexts\related.xml -> Adware.Starware : Deleted.
    C:\Documents and Settings\All Users\Application Data\Starware\contexts\travel.xml -> Adware.Starware : Deleted.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{D49E9D35-254C-4c6a-9D17-95018D228FF5} -> Adware.Starware : Deleted.
    C:\Program Files\Windows TaskAd -> Adware.WinTaskAd : Deleted.
    C:\Documents and Settings\Office5\Desktop\Burn\openpass.exe -> Not-A-Virus.PSWTool.Win32.OpenPass.11 : Deleted.
    C:\WINDOWS\Temp\win46.tmp.exe -> Trojan.Dialer.qs : Deleted.
    C:\WINDOWS\Temp\win57.tmp.exe -> Trojan.Dialer.qs : Deleted.
    C:\WINDOWS\Temp\win58.tmp.exe -> Trojan.Dialer.qs : Deleted.


    ::Report end


    -----------------------------------------------------------------



    HijackThis hijackthis.log file

    Logfile of HijackThis v1.99.1
    Scan saved at 9:19:14 p.m., on 07/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Safety Bar - {18668683-731c-48fa-b1b9-ad013748fb00} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb030YYNZ
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456...players/english/5.0/win/PulsePlayer5AxWin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
     
  7. 2006/12/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, good job, looking good. Just a few items to remove.

    I'd also like you to run another tool, to be sure there are no 'extras' lying about your machine.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    Then open Hijackthis, select the 'Do a system scan only' button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

    R3 - URLSearchHook: (no name) - - (no file)


    O3 - Toolbar: Safety Bar - {18668683-731c-48fa-b1b9-ad013748fb00} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)


    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZBzeb030YYNZ


    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/...ayer5AxWin.cab



    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\Program Files\Safety Bar<<<<---this folder

    To exit Safe Mode, click the [Start] button, click Turn Off Computer, click Restart.

    Post the ComboFix log along with a fresh HJT log as well, thanks.
     
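As an added example (not a tool from this thread, nor part of HijackThis itself), the following Python script applies the same triage rules the helper applied by eye to lines in HijackThis's log format: orphaned entries whose target file is gone, empty IE setting values, Run entries that load a DLL via rundll32, SSODL entries, ActiveX CABs fetched from third-party hosts, and O17 DNS servers that should be verified against the ISP. The rule set and the trusted-host list are assumptions made for illustration; the sample lines are copied from the first HijackThis log in this thread.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not a tool
from the thread). It encodes the checks the helper applied by eye."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Matches the "R0 - ..." / "O21 - ..." entry prefixes HijackThis emits.
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Markers HijackThis appends when the referenced file no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Hosts whose ActiveX CABs are treated as expected (assumption for this
# example; tune the list to your own environment).
TRUSTED_DPF_SUFFIXES = (".msn.com", ".microsoft.com", ".windowsupdate.com")


@dataclass
class Finding:
    kind: str    # HijackThis entry type, e.g. "O21"
    reason: str  # why a human should look at this entry
    line: str    # the original log line


def parse_entry(line: str):
    """Return (kind, body) for an HJT entry line, or None for any other text."""
    m = HJT_LINE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def dpf_host(body: str) -> str:
    """Hostname of the CAB URL in an O16 body ('... - http://host/x.cab')."""
    url = body.rsplit(" - ", 1)[-1].strip()
    return urlparse(url).hostname or ""


def triage(lines):
    """Run the checks over log lines; return findings in log order."""
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, body = parsed
        line = raw.strip()
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(kind, "orphaned entry: target file is gone", line))
        elif kind in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append(Finding(kind, "empty IE setting value", line))
        elif kind == "O4" and "rundll32" in body.lower() and ".dll" in body.lower():
            findings.append(Finding(kind, "Run entry loads a DLL via rundll32", line))
        elif kind == "O16":
            host = dpf_host(body)
            if not host.endswith(TRUSTED_DPF_SUFFIXES):
                findings.append(Finding(kind, f"ActiveX CAB from third-party host {host}", line))
        elif kind == "O17":
            servers = body.split("NameServer =", 1)[-1].strip()
            findings.append(Finding(kind, f"verify DNS servers with the ISP: {servers}", line))
        elif kind == "O21":
            findings.append(Finding(kind, "SSODL entry: DLL loaded by Explorer at logon", line))
    return findings


# Sample lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvsud.dll,startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://spinpalace.microgaming.com/spinpalace/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: gloomily - {9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} - C:\WINDOWS\System32\mlraakb.dll
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

Benign entries such as the Radio toolbar and the ctfmon.exe Run key produce no finding, while the seven entries the helper singled out do.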
  8. 2006/12/07
    BrynTheSkits

    BrynTheSkits Inactive Thread Starter

    Joined:
    2006/11/01
    Messages:
    46
    Likes Received:
    0
    This is the content of ComboFix's "ComboFix.txt" file

    Office5 - 06-12-08 16:17:27.04 Service Pack 1
    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Office5\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\components


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-08 to 2006-12-08 ))))))))))))))))))))))))))))))))))


    2006-12-08 15:57 106,555 --a------ C:\WINDOWS\system32\jlbowagw.dll
    2006-12-07 22:05 1,192,863 ---hs---- C:\WINDOWS\system32\iijjl.bak2
    2006-12-07 21:44 <DIR> d-------- C:\Program Files\Opera
    2006-12-07 21:44 <DIR> d-------- C:\Downloaded
    2006-12-07 21:44 <DIR> d-------- C:\Documents and Settings\Office5\Application Data\Opera
    2006-12-07 21:00 106,555 --a------ C:\WINDOWS\system32\fqhsdhia.dll
    2006-12-07 19:44 106,555 --a------ C:\WINDOWS\system32\tsvibntc.dll
    2006-12-07 19:43 106,555 --a------ C:\WINDOWS\system32\xshbcvgh.dll
    2006-12-07 19:41 106,555 --a------ C:\WINDOWS\system32\qtjqekwq.dll
    2006-12-07 19:33 106,555 --a------ C:\WINDOWS\system32\ouibkela.dll
    2006-12-07 19:33 106,555 --a------ C:\WINDOWS\system32\efqwanxx.dll
    2006-12-07 19:32 106,555 --a------ C:\WINDOWS\system32\lexlxqwb.dll
    2006-12-07 19:32 106,555 --a------ C:\WINDOWS\system32\cvgfkrjw.dll
    2006-12-07 19:30 106,555 --a------ C:\WINDOWS\system32\metibvuo.dll
    2006-12-07 19:12 106,555 --a------ C:\WINDOWS\system32\dyutkecv.dll
    2006-12-07 19:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-12-07 18:57 <DIR> d-------- C:\Soldat
    2006-12-07 18:55 106,555 --a------ C:\WINDOWS\system32\crlwxswe.dll
    2006-12-07 18:18 106,555 --a------ C:\WINDOWS\system32\fffvclsf.dll
    2006-12-07 18:07 106,555 --a------ C:\WINDOWS\system32\ehjhukdi.dll
    2006-12-07 16:40 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2006-12-07 16:40 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-12-07 16:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2006-12-07 16:40 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-12-07 16:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-12-07 16:40 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-12-07 16:39 106,555 --a------ C:\WINDOWS\system32\xvtyfkqi.dll
    2006-12-07 16:38 <DIR> d-------- C:\HJT
    2006-12-07 16:37 106,555 --a------ C:\WINDOWS\system32\kilwbnoo.dll
    2006-12-07 15:12 106,555 --a------ C:\WINDOWS\system32\qhdaesnp.dll
    2006-12-07 14:09 106,555 --a------ C:\WINDOWS\system32\uqauprex.dll
    2006-12-07 14:08 106,555 --a------ C:\WINDOWS\system32\kngqlljl.dll
    2006-12-07 13:14 106,555 --a------ C:\WINDOWS\system32\ubhehyff.dll
    2006-12-07 13:12 106,555 --a------ C:\WINDOWS\system32\ytqwpkqs.dll
    2006-12-07 13:00 106,555 --a------ C:\WINDOWS\system32\ydaoexyc.dll
    2006-12-07 12:46 106,555 --a------ C:\WINDOWS\system32\hsgktimn.dll
    2006-12-07 12:31 106,555 --a------ C:\WINDOWS\system32\mwlinckx.dll
    2006-12-07 11:53 106,555 --a------ C:\WINDOWS\system32\riojylde.dll
    2006-12-07 11:50 1,195,003 ---hs---- C:\WINDOWS\system32\iijjl.ini2
    2006-12-07 10:39 88,340 --a------ C:\WINDOWS\system32\rqnofyew.exe
    2006-12-07 10:39 126,996 --a------ C:\WINDOWS\system32\amrqqnbj.dll
    2006-12-07 10:39 <DIR> d-------- C:\Documents and Settings\Office5\Application Data\SearchToolbarCorp
    2006-12-07 10:38 42,516 --a------ C:\WINDOWS\system32\efufiigc.dll
    2006-12-07 10:38 1,194,636 ---hs---- C:\WINDOWS\system32\iijjl.bak1
    2006-12-07 10:37 106,555 --a------ C:\WINDOWS\system32\grtxctvg.dll
    2006-12-07 10:34 309,812 ---hs---- C:\WINDOWS\system32\ljjii.dll
    2006-12-07 10:29 72,704 --a------ C:\WINDOWS\system32\drvsud.dll
    2006-12-04 13:24 19,456 --a------ C:\WINDOWS\system32\wincjw32.dll
    2006-12-04 13:23 <DIR> d-------- C:\Ahead_Nero_7_Ultra_Edition_7_serial_number
    2006-11-18 12:14 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2006-11-18 12:14 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2006-11-18 11:33 778,240 --a------ C:\WINDOWS\system32\Petz 5.scr
    2006-11-18 11:33 <DIR> d-------- C:\Program Files\Ubi Soft


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-07 19:13 -------- d-------- C:\Program Files\Grisoft
    2006-12-07 11:57 -------- d-------- C:\Program Files\CASINO_G-FED200074
    2006-11-18 11:44 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "POINTER"="point32.exe"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\grtxctvg
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjii
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincjw32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-12-08 16:19:19.76
    C:\ComboFix.txt ... 06-12-08 16:19


    ---------------------------------------------------------------------------------------------------


    and this is the content of HijackThis's fresh "hijackthis.log" file

    Logfile of HijackThis v1.99.1
    Scan saved at 5:09:09 p.m., on 08/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Opera\Opera.exe
    C:\HJT\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    ---------------------------------------------------------------------------------------------------


    When I entered safe mode and logged into my profile, the desktop didn't show up and I could not access the Start button, so I did the search in normal mode, and I could not locate the Safety Bar folder you told me to delete.
     
    Last edited: 2006/12/07
  9. 2006/12/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, well it looks like you also have a Vundo infection. We need to run the VundoFix tool and make a file name change.


    First thing I'd like you to do is to rename the HijackThis executable, hijackthis.exe, to <anything of your choice>.exe, as long as you change its name.

    Then:
    Download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the [Scan for Vundo] button.
    • Once it's done scanning, click the [Remove Vundo] button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.
    • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the [Scan for Vundo] button." when VundoFix appears at reboot.


    After running Vundo, run ComboFix again, then run HJT and post all 3 logs please.
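The signs TeMerc is reading off the logs posted above (a run of same-size DLLs with random lowercase names dropped into system32 a few minutes apart, nameless O2 BHOs and O20 Winlogon Notify entries that load such DLLs) can be pulled out of the raw ComboFix and HijackThis text mechanically. The script below is an added example written for this thread, not a tool from the original posts or from the VundoFix, ComboFix or HijackThis authors; the sample log lines are constructed from entries quoted in this thread, and the 5-to-8-lowercase-letter name heuristic, the cluster threshold of three files and every function name are the example's own assumptions.

```python
"""Triage helper for HijackThis and ComboFix text logs (added example).

It extracts the Vundo-style indicators discussed in this thread:
  1. clusters of same-size DLLs with random lowercase names created in
     system32 (ComboFix "Files Created" section),
  2. O2 BHO lines with "(no name)" and every O20 Winlogon Notify line
     (HijackThis), both of which are DLL load points,
  3. persistence entries whose DLL is one of the clustered drops.
All thresholds and the name heuristic are this example's assumptions.
"""
import re
from collections import defaultdict

# ComboFix "Files Created" line: date, time, size, attributes, path.
COMBOFIX_FILE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$"
)
# Heuristic (assumption): 5 to 8 lowercase letters, no digits, as in
# grtxctvg.dll or ljjii.dll. Legitimate DLLs rarely look like this.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")


def basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def random_dll_name(path):
    """True if the file is a .dll whose stem matches RANDOM_STEM."""
    stem, _, ext = basename(path).rpartition(".")
    return ext.lower() == "dll" and RANDOM_STEM.match(stem) is not None


def dll_size_clusters(combofix_lines, min_count=3):
    """Map size -> paths for groups of at least min_count randomly named
    DLLs of identical size. Vundo re-drops the same payload under a new
    random name, so identical sizes are the tell although names never repeat."""
    by_size = defaultdict(list)
    for raw in combofix_lines:
        m = COMBOFIX_FILE.match(raw.strip())
        if m and random_dll_name(m.group(5)):
            by_size[int(m.group(3).replace(",", ""))].append(m.group(5))
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def hjt_findings(hjt_lines):
    """Return (section, dll_path, note) for O2 '(no name)' BHOs and O20
    Winlogon Notify entries. note is 'random-name dll' when the DLL name
    matches the heuristic, otherwise 'review' (a nameless BHO can be
    legitimate, e.g. Spybot's SDHelper.dll, so it is not auto-flagged)."""
    findings = []
    for raw in hjt_lines:
        line = raw.strip()
        if line.startswith("O2 - BHO: (no name)") or line.startswith("O20 - Winlogon Notify:"):
            parts = line.split(" - ")
            path = parts[-1].replace("(file missing)", "").strip()
            note = "random-name dll" if random_dll_name(path) else "review"
            findings.append((parts[0], path, note))
    return findings


def triage(combofix_lines, hjt_lines, min_count=3):
    """Combine both views: which persistence entries load a DLL that is
    also part of a size cluster of dropped files."""
    clusters = dll_size_clusters(combofix_lines, min_count)
    findings = hjt_findings(hjt_lines)
    dropped = {basename(p).lower() for paths in clusters.values() for p in paths}
    persisted = [f for f in findings if basename(f[1]).lower() in dropped]
    return clusters, findings, persisted


# Constructed sample input, copied from entries quoted in this thread.
COMBOFIX_SAMPLE = r"""
2006-12-07 19:44 106,555 --a------ C:\WINDOWS\system32\tsvibntc.dll
2006-12-07 19:43 106,555 --a------ C:\WINDOWS\system32\xshbcvgh.dll
2006-12-07 19:41 106,555 --a------ C:\WINDOWS\system32\qtjqekwq.dll
2006-12-07 19:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-07 16:40 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-07 16:38 <DIR> d-------- C:\HJT
2006-12-07 10:38 42,516 --a------ C:\WINDOWS\system32\efufiigc.dll
2006-12-07 10:37 106,555 --a------ C:\WINDOWS\system32\grtxctvg.dll
""".strip().splitlines()

HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\efufiigc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5886398C-0109-4C6D-BC68-EDF421BE00DD} - C:\WINDOWS\System32\ljjii.dll (file missing)
O4 - HKLM\..\Run: [POINTER] point32.exe
O20 - Winlogon Notify: grtxctvg - c:\windows\system32\grtxctvg.dll
O20 - Winlogon Notify: wincjw32 - C:\WINDOWS\SYSTEM32\wincjw32.dll
""".strip().splitlines()

if __name__ == "__main__":
    clusters, findings, persisted = triage(COMBOFIX_SAMPLE, HJT_SAMPLE)
    for size, paths in clusters.items():
        print(f"{len(paths)} same-size ({size} bytes) random-name DLLs:")
        for p in paths:
            print("   ", p)
    for section, path, note in findings:
        print(f"{section:4} {note:16} {path}")
    print("persistence entries loading a clustered drop:", [p for _, p, _ in persisted])
```

On the sample the size cluster is the four 106,555-byte DLLs, the HijackThis pass reports three nameless BHOs and both Winlogon Notify entries, and the cross-check singles out grtxctvg.dll as the drop that is also wired into winlogon. The size cluster is the more durable signal: a removal tool can delete today's O2 and O20 entries, but as long as the dropper keeps running the next ComboFix listing will show fresh same-size DLLs under new names, which is exactly what the logs in this thread show between runs. A "review" note is not a verdict; SDHelper.dll belongs to Spybot and is expected on this machine.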
     
  10. 2006/12/08
    BrynTheSkits

    BrynTheSkits Inactive Thread Starter

    Joined:
    2006/11/01
    Messages:
    46
    Likes Received:
    0
    This is the content of VundoFix's "VundoFix.txt" file

    VundoFix V6.2.6

    Checking Java version...

    Scan started at 9:14:05 p.m. 08/12/2006

    Listing files found while scanning....

    C:\WINDOWS\System32\ljjii.dll
    C:\WINDOWS\System32\iijjl.ini
    C:\WINDOWS\System32\iijjl.bak1
    C:\WINDOWS\System32\iijjl.bak2
    C:\WINDOWS\System32\iijjl.ini2
    C:\WINDOWS\System32\iijjl.tmp

    Beginning removal...

    Attempting to delete C:\WINDOWS\System32\ljjii.dll
    C:\WINDOWS\System32\ljjii.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\iijjl.ini
    C:\WINDOWS\System32\iijjl.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\iijjl.bak1
    C:\WINDOWS\System32\iijjl.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\iijjl.bak2
    C:\WINDOWS\System32\iijjl.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\iijjl.ini2
    C:\WINDOWS\System32\iijjl.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\iijjl.tmp
    C:\WINDOWS\System32\iijjl.tmp Has been deleted!

    Performing Repairs to the registry.
    Done!

    --------------------------------------------------------------------------


    and this is the content of ComboFix's "ComboFix.txt" file

    Office5 - 06-12-08 21:30:09.39 Service Pack 1
    ComboFix 06.11.27W - Running from: "C:\"

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-08 to 2006-12-08 ))))))))))))))))))))))))))))))))))


    2006-12-08 21:21 9,216 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2006-12-08 21:14 <DIR> d-------- C:\VundoFix Backups
    2006-12-08 20:29 106,555 --a------ C:\WINDOWS\system32\hivencnf.dll
    2006-12-08 16:43 106,555 --a------ C:\WINDOWS\system32\rcyggcma.dll
    2006-12-08 16:40 106,555 --a------ C:\WINDOWS\system32\abbrhlik.dll
    2006-12-08 16:14 381,398 --a------ C:\combofix.exe
    2006-12-08 15:57 106,555 --a------ C:\WINDOWS\system32\jlbowagw.dll
    2006-12-07 21:44 <DIR> d-------- C:\Program Files\Opera
    2006-12-07 21:44 <DIR> d-------- C:\Downloaded
    2006-12-07 21:44 <DIR> d-------- C:\Documents and Settings\Office5\Application Data\Opera
    2006-12-07 21:00 106,555 --a------ C:\WINDOWS\system32\fqhsdhia.dll
    2006-12-07 19:44 106,555 --a------ C:\WINDOWS\system32\tsvibntc.dll
    2006-12-07 19:43 106,555 --a------ C:\WINDOWS\system32\xshbcvgh.dll
    2006-12-07 19:41 106,555 --a------ C:\WINDOWS\system32\qtjqekwq.dll
    2006-12-07 19:33 106,555 --a------ C:\WINDOWS\system32\ouibkela.dll
    2006-12-07 19:33 106,555 --a------ C:\WINDOWS\system32\efqwanxx.dll
    2006-12-07 19:32 106,555 --a------ C:\WINDOWS\system32\lexlxqwb.dll
    2006-12-07 19:32 106,555 --a------ C:\WINDOWS\system32\cvgfkrjw.dll
    2006-12-07 19:30 106,555 --a------ C:\WINDOWS\system32\metibvuo.dll
    2006-12-07 19:12 106,555 --a------ C:\WINDOWS\system32\dyutkecv.dll
    2006-12-07 19:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-12-07 18:57 <DIR> d-------- C:\Soldat
    2006-12-07 18:55 106,555 --a------ C:\WINDOWS\system32\crlwxswe.dll
    2006-12-07 18:18 106,555 --a------ C:\WINDOWS\system32\fffvclsf.dll
    2006-12-07 18:07 106,555 --a------ C:\WINDOWS\system32\ehjhukdi.dll
    2006-12-07 16:40 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2006-12-07 16:40 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-12-07 16:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2006-12-07 16:40 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-12-07 16:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-12-07 16:40 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-12-07 16:39 106,555 --a------ C:\WINDOWS\system32\xvtyfkqi.dll
    2006-12-07 16:38 <DIR> d-------- C:\HJT
    2006-12-07 16:37 106,555 --a------ C:\WINDOWS\system32\kilwbnoo.dll
    2006-12-07 15:12 106,555 --a------ C:\WINDOWS\system32\qhdaesnp.dll
    2006-12-07 14:09 106,555 --a------ C:\WINDOWS\system32\uqauprex.dll
    2006-12-07 14:08 106,555 --a------ C:\WINDOWS\system32\kngqlljl.dll
    2006-12-07 13:14 106,555 --a------ C:\WINDOWS\system32\ubhehyff.dll
    2006-12-07 13:12 106,555 --a------ C:\WINDOWS\system32\ytqwpkqs.dll
    2006-12-07 13:00 106,555 --a------ C:\WINDOWS\system32\ydaoexyc.dll
    2006-12-07 12:46 106,555 --a------ C:\WINDOWS\system32\hsgktimn.dll
    2006-12-07 12:31 106,555 --a------ C:\WINDOWS\system32\mwlinckx.dll
    2006-12-07 11:53 106,555 --a------ C:\WINDOWS\system32\riojylde.dll
    2006-12-07 10:39 88,340 --a------ C:\WINDOWS\system32\rqnofyew.exe
    2006-12-07 10:39 126,996 --a------ C:\WINDOWS\system32\amrqqnbj.dll
    2006-12-07 10:39 <DIR> d-------- C:\Documents and Settings\Office5\Application Data\SearchToolbarCorp
    2006-12-07 10:38 42,516 --a------ C:\WINDOWS\system32\efufiigc.dll
    2006-12-07 10:37 106,555 --a------ C:\WINDOWS\system32\grtxctvg.dll
    2006-12-07 10:29 72,704 --a------ C:\WINDOWS\system32\drvsud.dll
    2006-12-04 13:24 19,456 --a------ C:\WINDOWS\system32\wincjw32.dll
    2006-11-18 12:14 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2006-11-18 12:14 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2006-11-18 11:33 778,240 --a------ C:\WINDOWS\system32\Petz 5.scr
    2006-11-18 11:33 <DIR> d-------- C:\Program Files\Ubi Soft


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-07 19:13 -------- d-------- C:\Program Files\Grisoft
    2006-12-07 11:57 -------- d-------- C:\Program Files\CASINO_G-FED200074
    2006-11-18 11:44 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "POINTER"="point32.exe"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\grtxctvg
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincjw32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-12-08 21:31:02.64
    C:\ComboFix.txt ... 06-12-08 21:31
    C:\ComboFix2.txt ... 06-12-08 16:52

    --------------------------------------------------------------------------


    and this is the content of HijackThis's "hijackthis.log" file

    Logfile of HijackThis v1.99.1
    Scan saved at 9:35:25 p.m., on 08/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Opera\Opera.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\efufiigc.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5886398C-0109-4C6D-BC68-EDF421BE00DD} - C:\WINDOWS\System32\ljjii.dll (file missing)
    O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: grtxctvg - c:\windows\system32\grtxctvg.dll
    O20 - Winlogon Notify: wincjw32 - C:\WINDOWS\SYSTEM32\wincjw32.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
     
  11. 2006/12/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    You forgot to do this.

    Also, are you running HJT in safe mode? If so, please create all HJT logs in normal mode unless specified otherwise, thanks.


    Boy, there sure look to be more Vundo files there; let's try another Vundo tool.

    Download VirtumundoBegone and save it to your desktop.

    Reboot into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.


    Then double-click the VirtumundoBeGone.exe you just downloaded and follow the instructions.

    Exit when it has finished.
     
  12. 2006/12/08
    BrynTheSkits

    BrynTheSkits Inactive Thread Starter

    Joined:
    2006/11/01
    Messages:
    46
    Likes Received:
    0
    Here's the VirtumundoBeGone log

    [12/09/2006, 17:11:00] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Office5\Desktop\VirtumundoBeGone.exe" )
    [12/09/2006, 17:11:06] - Detected System Information:
    [12/09/2006, 17:11:06] - Windows Version: 5.1.2600, Service Pack 1
    [12/09/2006, 17:11:06] - Current Username: Office5 (Admin)
    [12/09/2006, 17:11:06] - Windows is in NORMAL mode.
    [12/09/2006, 17:11:06] - Searching for Browser Helper Objects:
    [12/09/2006, 17:11:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [12/09/2006, 17:11:06] - BHO 2: {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} ()
    [12/09/2006, 17:11:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:11:06] - Checking for HKLM\...\Winlogon\Notify\efufiigc
    [12/09/2006, 17:11:06] - Key not found: HKLM\...\Winlogon\Notify\efufiigc, continuing.
    [12/09/2006, 17:11:06] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
    [12/09/2006, 17:11:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:11:06] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [12/09/2006, 17:11:06] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [12/09/2006, 17:11:06] - BHO 4: {5886398C-0109-4C6D-BC68-EDF421BE00DD} ()
    [12/09/2006, 17:11:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:11:06] - Checking for HKLM\...\Winlogon\Notify\ljjii
    [12/09/2006, 17:11:06] - Key not found: HKLM\...\Winlogon\Notify\ljjii, continuing.
    [12/09/2006, 17:11:06] - BHO 5: {f4d74aaa-a178-4463-846b-b4bc87a024e0} ()
    [12/09/2006, 17:11:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:11:06] - Checking for HKLM\...\Winlogon\Notify\ixt0
    [12/09/2006, 17:11:06] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
    [12/09/2006, 17:11:06] - Finished Searching Browser Helper Objects
    [12/09/2006, 17:11:06] - Finishing up...
    [12/09/2006, 17:11:06] - Nothing found! Exiting...

    [12/09/2006, 17:25:42] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Office5\Desktop\VirtumundoBeGone.exe" )
    [12/09/2006, 17:25:44] - Detected System Information:
    [12/09/2006, 17:25:44] - Windows Version: 5.1.2600, Service Pack 1
    [12/09/2006, 17:25:44] - Current Username: Office5 (Admin)
    [12/09/2006, 17:25:44] - Windows is in SAFE mode with Networking.
    [12/09/2006, 17:25:44] - Searching for Browser Helper Objects:
    [12/09/2006, 17:25:44] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [12/09/2006, 17:25:44] - BHO 2: {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} ()
    [12/09/2006, 17:25:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:25:44] - Checking for HKLM\...\Winlogon\Notify\efufiigc
    [12/09/2006, 17:25:44] - Key not found: HKLM\...\Winlogon\Notify\efufiigc, continuing.
    [12/09/2006, 17:25:44] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
    [12/09/2006, 17:25:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:25:44] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [12/09/2006, 17:25:44] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [12/09/2006, 17:25:44] - BHO 4: {5886398C-0109-4C6D-BC68-EDF421BE00DD} ()
    [12/09/2006, 17:25:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:25:44] - Checking for HKLM\...\Winlogon\Notify\ljjii
    [12/09/2006, 17:25:44] - Key not found: HKLM\...\Winlogon\Notify\ljjii, continuing.
    [12/09/2006, 17:25:44] - BHO 5: {f4d74aaa-a178-4463-846b-b4bc87a024e0} ()
    [12/09/2006, 17:25:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:25:44] - Checking for HKLM\...\Winlogon\Notify\ixt0
    [12/09/2006, 17:25:44] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
    [12/09/2006, 17:25:44] - Finished Searching Browser Helper Objects
    [12/09/2006, 17:25:44] - Finishing up...
    [12/09/2006, 17:25:45] - Nothing found! Exiting...

    [12/09/2006, 17:31:28] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Office5\Desktop\VirtumundoBeGone.exe" )
    [12/09/2006, 17:31:30] - Detected System Information:
    [12/09/2006, 17:31:30] - Windows Version: 5.1.2600, Service Pack 1
    [12/09/2006, 17:31:30] - Current Username: Office5 (Admin)
    [12/09/2006, 17:31:30] - Windows is in SAFE mode with Networking.
    [12/09/2006, 17:31:30] - Searching for Browser Helper Objects:
    [12/09/2006, 17:31:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [12/09/2006, 17:31:30] - BHO 2: {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} ()
    [12/09/2006, 17:31:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:31:30] - Checking for HKLM\...\Winlogon\Notify\efufiigc
    [12/09/2006, 17:31:30] - Key not found: HKLM\...\Winlogon\Notify\efufiigc, continuing.
    [12/09/2006, 17:31:30] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
    [12/09/2006, 17:31:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:31:30] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [12/09/2006, 17:31:30] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [12/09/2006, 17:31:30] - BHO 4: {5886398C-0109-4C6D-BC68-EDF421BE00DD} ()
    [12/09/2006, 17:31:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:31:30] - Checking for HKLM\...\Winlogon\Notify\ljjii
    [12/09/2006, 17:31:30] - Key not found: HKLM\...\Winlogon\Notify\ljjii, continuing.
    [12/09/2006, 17:31:30] - BHO 5: {f4d74aaa-a178-4463-846b-b4bc87a024e0} ()
    [12/09/2006, 17:31:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/09/2006, 17:31:30] - Checking for HKLM\...\Winlogon\Notify\ixt0
    [12/09/2006, 17:31:30] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
    [12/09/2006, 17:31:30] - Finished Searching Browser Helper Objects
    [12/09/2006, 17:31:30] - Finishing up...
    [12/09/2006, 17:31:30] - Nothing found! Exiting...
     
  13. 2006/12/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, run ComboFix first, then HJT and post both logs, we'll work to remove what's left.
     
  14. 2006/12/09
    BrynTheSkits

    BrynTheSkits Inactive Thread Starter

    Joined:
    2006/11/01
    Messages:
    46
    Likes Received:
    0
    ComboFix

    Office5 - 06-12-10 16:15:06.76 Service Pack 1
    ComboFix 06.11.27W - Running from: "C:\ComboFix"

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-10 to 2006-12-10 ))))))))))))))))))))))))))))))))))


    2006-12-10 16:14 <DIR> d-------- C:\ComboFix
    2006-12-09 17:01 <DIR> d-------- C:\Cyanide and Happiness
    2006-12-08 23:04 <DIR> d-------- C:\Program Files\SwiftSwitch
    2006-12-08 21:21 9,216 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2006-12-08 21:14 <DIR> d-------- C:\VundoFix Backups
    2006-12-08 21:12 88,576 --a------ C:\VundoFix.exe
    2006-12-08 20:29 106,555 --a------ C:\WINDOWS\system32\hivencnf.dll
    2006-12-08 16:43 106,555 --a------ C:\WINDOWS\system32\rcyggcma.dll
    2006-12-08 16:40 106,555 --a------ C:\WINDOWS\system32\abbrhlik.dll
    2006-12-08 15:57 106,555 --a------ C:\WINDOWS\system32\jlbowagw.dll
    2006-12-07 21:44 <DIR> d-------- C:\Program Files\Opera
    2006-12-07 21:44 <DIR> d-------- C:\Downloaded
    2006-12-07 21:44 <DIR> d-------- C:\Documents and Settings\Office5\Application Data\Opera
    2006-12-07 21:00 106,555 --a------ C:\WINDOWS\system32\fqhsdhia.dll
    2006-12-07 19:44 106,555 --a------ C:\WINDOWS\system32\tsvibntc.dll
    2006-12-07 19:43 106,555 --a------ C:\WINDOWS\system32\xshbcvgh.dll
    2006-12-07 19:41 106,555 --a------ C:\WINDOWS\system32\qtjqekwq.dll
    2006-12-07 19:33 106,555 --a------ C:\WINDOWS\system32\ouibkela.dll
    2006-12-07 19:33 106,555 --a------ C:\WINDOWS\system32\efqwanxx.dll
    2006-12-07 19:32 106,555 --a------ C:\WINDOWS\system32\lexlxqwb.dll
    2006-12-07 19:32 106,555 --a------ C:\WINDOWS\system32\cvgfkrjw.dll
    2006-12-07 19:30 106,555 --a------ C:\WINDOWS\system32\metibvuo.dll
    2006-12-07 19:12 106,555 --a------ C:\WINDOWS\system32\dyutkecv.dll
    2006-12-07 19:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-12-07 18:57 <DIR> d-------- C:\Soldat
    2006-12-07 18:55 106,555 --a------ C:\WINDOWS\system32\crlwxswe.dll
    2006-12-07 18:18 106,555 --a------ C:\WINDOWS\system32\fffvclsf.dll
    2006-12-07 18:07 106,555 --a------ C:\WINDOWS\system32\ehjhukdi.dll
    2006-12-07 16:40 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2006-12-07 16:40 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-12-07 16:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2006-12-07 16:40 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-12-07 16:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-12-07 16:40 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-12-07 16:39 106,555 --a------ C:\WINDOWS\system32\xvtyfkqi.dll
    2006-12-07 16:38 <DIR> d-------- C:\HJT
    2006-12-07 16:37 106,555 --a------ C:\WINDOWS\system32\kilwbnoo.dll
    2006-12-07 15:12 106,555 --a------ C:\WINDOWS\system32\qhdaesnp.dll
    2006-12-07 14:09 106,555 --a------ C:\WINDOWS\system32\uqauprex.dll
    2006-12-07 14:08 106,555 --a------ C:\WINDOWS\system32\kngqlljl.dll
    2006-12-07 13:14 106,555 --a------ C:\WINDOWS\system32\ubhehyff.dll
    2006-12-07 13:12 106,555 --a------ C:\WINDOWS\system32\ytqwpkqs.dll
    2006-12-07 13:00 106,555 --a------ C:\WINDOWS\system32\ydaoexyc.dll
    2006-12-07 12:46 106,555 --a------ C:\WINDOWS\system32\hsgktimn.dll
    2006-12-07 12:31 106,555 --a------ C:\WINDOWS\system32\mwlinckx.dll
    2006-12-07 11:53 106,555 --a------ C:\WINDOWS\system32\riojylde.dll
    2006-12-07 10:39 88,340 --a------ C:\WINDOWS\system32\rqnofyew.exe
    2006-12-07 10:39 126,996 --a------ C:\WINDOWS\system32\amrqqnbj.dll
    2006-12-07 10:39 <DIR> d-------- C:\Documents and Settings\Office5\Application Data\SearchToolbarCorp
    2006-12-07 10:38 42,516 --a------ C:\WINDOWS\system32\efufiigc.dll
    2006-12-07 10:37 106,555 --a------ C:\WINDOWS\system32\grtxctvg.dll
    2006-12-07 10:29 72,704 --a------ C:\WINDOWS\system32\drvsud.dll
    2006-12-04 13:24 19,456 --a------ C:\WINDOWS\system32\wincjw32.dll
    2006-11-18 12:14 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2006-11-18 12:14 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2006-11-18 11:33 778,240 --a------ C:\WINDOWS\system32\Petz 5.scr
    2006-11-18 11:33 <DIR> d-------- C:\Program Files\Ubi Soft


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-07 19:13 -------- d-------- C:\Program Files\Grisoft
    2006-12-07 11:57 -------- d-------- C:\Program Files\CASINO_G-FED200074
    2006-11-18 11:44 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "POINTER"="point32.exe"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\grtxctvg
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincjw32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-12-10 16:16:13.70
    C:\ComboFix.txt ... 06-12-10 16:16
    C:\ComboFix2.txt ... 06-12-08 21:31
    C:\ComboFix3.txt ... 06-12-08 16:52

    --------------------------------------------------------------------------

    HijackThis

    Logfile of HijackThis v1.99.1
    Scan saved at 4:17:07 p.m., on 10/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Opera\Opera.exe
    C:\HJT\HyjackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.airforcespecialops.co.nz/index.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\efufiigc.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5886398C-0109-4C6D-BC68-EDF421BE00DD} - C:\WINDOWS\System32\ljjii.dll (file missing)
    O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: grtxctvg - c:\windows\system32\grtxctvg.dll
    O20 - Winlogon Notify: wincjw32 - C:\WINDOWS\SYSTEM32\wincjw32.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
     
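The ComboFix file listing in the post above shows the fingerprint a triage script can pick out: a run of DLLs of identical size (106,555 bytes) written into system32 under eight-letter names within a few hours, alongside a handful of other new executables. The script below is an added example written for this page, not code from the thread, from ComboFix or from the helper. It parses lines in ComboFix's "Files Created" format, clusters files by folder, extension and exact byte size, and separately lists eight-letter lowercase names for manual review. The sample listing is a hand-picked subset of the log posted above, assembled here for the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in ComboFix's "Files Created" format. Names, sizes and
# timestamps are copied from the posted log, but this is a hand-picked subset
# assembled for the example, not the full listing.
SAMPLE_LISTING = """\
2006-12-07 19:30 106,555 --a------ C:\\WINDOWS\\system32\\metibvuo.dll
2006-12-07 19:12 106,555 --a------ C:\\WINDOWS\\system32\\dyutkecv.dll
2006-12-07 19:08 3,968 --a------ C:\\WINDOWS\\system32\\drivers\\AvgAsCln.sys
2006-12-07 18:57 <DIR> d-------- C:\\Soldat
2006-12-07 18:55 106,555 --a------ C:\\WINDOWS\\system32\\crlwxswe.dll
2006-12-07 16:40 79,360 --a------ C:\\WINDOWS\\system32\\swxcacls.exe
2006-12-07 10:39 88,340 --a------ C:\\WINDOWS\\system32\\rqnofyew.exe
2006-12-07 10:39 126,996 --a------ C:\\WINDOWS\\system32\\amrqqnbj.dll
2006-12-07 10:38 42,516 --a------ C:\\WINDOWS\\system32\\efufiigc.dll
2006-12-04 13:24 19,456 --a------ C:\\WINDOWS\\system32\\wincjw32.dll
2006-11-18 12:14 9,600 --a------ C:\\WINDOWS\\system32\\drivers\\hidusb.sys
"""

# date time size attrs path  (size is "<DIR>" for folders, "1,234" for files)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+)$"
)


def parse_listing(text):
    """Turn ComboFix 'Files Created' lines into dicts; directories get size None."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner lines, blank lines, anything not a file entry
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({"date": m["date"], "time": m["time"],
                        "size": size, "path": m["path"]})
    return entries


def random_stem(path):
    """True for names like 'metibvuo.dll': an eight-letter, all-lowercase stem.
    A weak signal on its own (legitimate tools have such names too), so it
    feeds a review list, never an automatic delete list."""
    stem = PureWindowsPath(path).stem
    return len(stem) == 8 and stem.isascii() and stem.isalpha() and stem.islower()


def same_size_clusters(entries, min_members=3):
    """Group files by (folder, extension, exact byte size) and return groups of
    min_members or more. A dropper that keeps writing fresh copies of one
    payload under new random names leaves exactly this pattern behind."""
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is None:
            continue
        p = PureWindowsPath(e["path"])
        key = (str(p.parent).lower(), p.suffix.lower(), e["size"])
        groups[key].append(e["path"])
    return [paths for paths in groups.values() if len(paths) >= min_members]


def triage(text):
    """Strong signal: same-size clusters. Weak signal: random-looking singletons."""
    entries = parse_listing(text)
    clusters = same_size_clusters(entries)
    clustered = {p for cluster in clusters for p in cluster}
    review = [e["path"] for e in entries
              if e["size"] is not None and e["path"] not in clustered
              and random_stem(e["path"])]
    return {"clusters": clusters, "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for cluster in result["clusters"]:
        print("same-size cluster:", *cluster, sep="\n  ")
    print("review manually:", *result["review"], sep="\n  ")
```

The same-size cluster is the signal worth acting on; the name heuristic is deliberately only a review list, because on this very listing it also catches swxcacls.exe, which is not among the files the helper asked to remove. To run it on a real log, replace SAMPLE_LISTING with the contents of C:\ComboFix.txt.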
  15. 2006/12/09
    TeMerc
    Ok, lets kill some nasties.

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\hivencnf.dll
    C:\WINDOWS\system32\rcyggcma.dll
    C:\WINDOWS\system32\abbrhlik.dll
    C:\WINDOWS\system32\jlbowagw.dll
    C:\WINDOWS\system32\fqhsdhia.dll
    C:\WINDOWS\system32\tsvibntc.dll
    C:\WINDOWS\system32\xshbcvgh.dll
    C:\WINDOWS\system32\qtjqekwq.dll
    C:\WINDOWS\system32\ouibkela.dll
    C:\WINDOWS\system32\efqwanxx.dll
    C:\WINDOWS\system32\lexlxqwb.dll
    C:\WINDOWS\system32\cvgfkrjw.dll
    C:\WINDOWS\system32\metibvuo.dll
    C:\WINDOWS\system32\dyutkecv.dll
    C:\WINDOWS\system32\crlwxswe.dll
    C:\WINDOWS\system32\fffvclsf.dll
    C:\WINDOWS\system32\ehjhukdi.dll
    C:\WINDOWS\system32\xvtyfkqi.dll
    C:\WINDOWS\system32\kilwbnoo.dll
    C:\WINDOWS\system32\qhdaesnp.dll
    C:\WINDOWS\system32\uqauprex.dll
    C:\WINDOWS\system32\kngqlljl.dll
    C:\WINDOWS\system32\ubhehyff.dll
    C:\WINDOWS\system32\ytqwpkqs.dll
    C:\WINDOWS\system32\ydaoexyc.dll
    C:\WINDOWS\system32\hsgktimn.dll
    C:\WINDOWS\system32\mwlinckx.dll
    C:\WINDOWS\system32\riojylde.dll
    C:\WINDOWS\system32\rqnofyew.exe
    C:\WINDOWS\system32\amrqqnbj.dll
    C:\Documents and Settings\Office5\Application Data\SearchToolbarCorp
    C:\WINDOWS\system32\efufiigc.dll
    C:\WINDOWS\system32\grtxctvg.dll
    C:\WINDOWS\system32\drvsud.dll
    C:\WINDOWS\system32\wincjw32.dll


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations prompt.

    Do not reboot yet.

    Open Hijackthis, select the 'Do a system scan only' button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\efufiigc.dll

    O2 - BHO: (no name) - {5886398C-0109-4C6D-BC68-EDF421BE00DD} - C:\WINDOWS\System32\ljjii.dll (file missing)

    O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll (file missing)


    O20 - Winlogon Notify: grtxctvg - c:\windows\system32\grtxctvg.dll

    O20 - Winlogon Notify: wincjw32 - C:\WINDOWS\SYSTEM32\wincjw32.dll



    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
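The fix list in the post above picks out exactly the entries a rule can describe: a BHO that registers no name and is either missing on disk or loading from System32, and a Winlogon Notify package whose DLL is not one the machine is known to need. The script below is an added example written for this page, not HijackThis code and not the helper's; it parses lines in HijackThis 1.99 format and returns the lines to fix verbatim, which matters because HJT's "Fix checked" acts on the exact line text. The KNOWN_NOTIFY allowlist is an assumption for illustration and has to be extended for each machine; the sample log is a subset of the one posted in reply #14.

```python
import re

# Constructed sample: a subset of the HijackThis log posted earlier in the
# thread, kept verbatim so the output can be compared with the helper's list.
SAMPLE_HJT = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.airforcespecialops.co.nz/index.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\\WINDOWS\\System32\\efufiigc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {5886398C-0109-4C6D-BC68-EDF421BE00DD} - C:\\WINDOWS\\System32\\ljjii.dll (file missing)
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\\WINDOWS\\System32\\ixt0.dll (file missing)
O4 - HKLM\\..\\Run: [!AVG Anti-Spyware] "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe" /minimized
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
O20 - Winlogon Notify: grtxctvg - c:\\windows\\system32\\grtxctvg.dll
O20 - Winlogon Notify: wincjw32 - C:\\WINDOWS\\SYSTEM32\\wincjw32.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe
"""

HJT_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.+)$")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")
# Illustrative allowlist of Winlogon Notify DLL stems (assumption for this
# example; igfxsrvc is the Intel graphics package seen later in the thread).
# Extend it with whatever the machine legitimately runs.
KNOWN_NOTIFY = {"igfxsrvc", "wgalogon"}


def parse_hjt(text):
    """Yield (kind, line) pairs such as ('O2', 'O2 - BHO: ...') for HJT lines."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_RE.match(line)
        if m:
            items.append((m["kind"], line))
    return items


def in_system_dir(path):
    return any(d in path.lower() for d in SYSTEM_DIRS)


def dll_stem(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def classify(kind, line):
    """Return 'fix', 'verify' or None for one HijackThis line."""
    if kind == "O2":
        # O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
        parts = line.split(" - ", 3)
        if len(parts) < 4:
            return None
        name, path = parts[1][len("BHO: "):], parts[3]
        missing = path.endswith("(file missing)")
        # A nameless BHO that is gone from disk is a dead registration worth
        # removing; a nameless BHO loading straight out of System32 is the
        # pattern this thread is cleaning up.
        if name == "(no name)" and (missing or in_system_dir(path)):
            return "fix"
    elif kind == "O20" and "Winlogon Notify:" in line:
        # O20 - Winlogon Notify: <key> - <path>; these DLLs load into winlogon
        # before any user session, so anything unknown gets removed.
        path = line.rsplit(" - ", 1)[-1]
        if dll_stem(path) not in KNOWN_NOTIFY:
            return "fix"
    elif kind == "O17":
        # DNS servers are not removed blindly; confirm them against the ISP.
        return "verify"
    return None


def triage_hjt(text):
    report = {"fix": [], "verify": []}
    for kind, line in parse_hjt(text):
        verdict = classify(kind, line)
        if verdict:
            report[verdict].append(line)
    return report


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_HJT)
    print("Fix checked:", *result["fix"], sep="\n  ")
    print("Verify with ISP:", *result["verify"], sep="\n  ")
```

On the sample the "fix" list comes out as the same five O2 and O20 lines the helper listed; the Spybot SDHelper entry stays, because a nameless BHO under Program Files that is present on disk does not match either rule. The O17 NameServer line is only reported for verification, since replacing a resolver that turns out to be the ISP's own breaks name resolution.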
  16. 2006/12/10
    BrynTheSkits
    ComboFix

    Office5 - 06-12-10 19:20:08.52 Service Pack 1
    ComboFix 06.11.27W - Running from: "C:\ComboFix "

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-10 to 2006-12-10 ))))))))))))))))))))))))))))))))))


    2006-12-10 19:05 <DIR> d-------- C:\!KillBox
    2006-12-10 19:04 92,672 --a------ C:\KillBox.exe
    2006-12-10 16:14 <DIR> d-------- C:\ComboFix
    2006-12-09 17:01 <DIR> d-------- C:\Cyanide and Happiness
    2006-12-08 23:04 <DIR> d-------- C:\Program Files\SwiftSwitch
    2006-12-08 21:21 9,216 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2006-12-08 21:14 <DIR> d-------- C:\VundoFix Backups
    2006-12-08 21:12 88,576 --a------ C:\VundoFix.exe
    2006-12-07 21:44 <DIR> d-------- C:\Program Files\Opera
    2006-12-07 21:44 <DIR> d-------- C:\Downloaded
    2006-12-07 21:44 <DIR> d-------- C:\Documents and Settings\Office5\Application Data\Opera
    2006-12-07 19:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-12-07 18:57 <DIR> d-------- C:\Soldat
    2006-12-07 16:40 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2006-12-07 16:40 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-12-07 16:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2006-12-07 16:40 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-12-07 16:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-12-07 16:40 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-12-07 16:38 <DIR> d-------- C:\HJT
    2006-12-07 10:39 <DIR> d-------- C:\Documents and Settings\Office5\Application Data\SearchToolbarCorp
    2006-11-18 12:14 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2006-11-18 12:14 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2006-11-18 11:33 778,240 --a------ C:\WINDOWS\system32\Petz 5.scr
    2006-11-18 11:33 <DIR> d-------- C:\Program Files\Ubi Soft


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-07 19:13 -------- d-------- C:\Program Files\Grisoft
    2006-12-07 11:57 -------- d-------- C:\Program Files\CASINO_G-FED200074
    2006-11-18 11:44 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "POINTER"="point32.exe"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-12-10 19:21:12.84
    C:\ComboFix.txt ... 06-12-10 19:21
    C:\ComboFix2.txt ... 06-12-10 16:16
    C:\ComboFix3.txt ... 06-12-08 21:31

    --------------------------------------------------------------------------

    HijackThis

    Logfile of HijackThis v1.99.1
    Scan saved at 7:23:03 p.m., on 10/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HJT\HyjackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.airforcespecialops.co.nz/index.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1052AAFC-9065-40AF-A5E6-1534B7304DCF}: NameServer = 202.27.184.3,202.27.184.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
     
  17. 2006/12/10
    TeMerc
    Wow, that was quick!!:p

    Looks like we've got one to get rid of; I forgot to have you delete it. And there is one left over. Both are folders.

    Search for, and delete, if found, the following files/folders:
    C:\Documents and Settings\Office5\Application Data\SearchToolbarCorp<<<<---this folder
    C:\Program Files\CASINO_G-FED200074<<<<---this folder

    Let me know how the machine is now operating.

    Everything appears ok with the logs.
     
  18. 2006/12/10
    BrynTheSkits
    I have deleted the folders on my computer and it is running fine now. Thanks for all the help. Is it OK if I delete Killbox and all the other programs I have downloaded?

    And while I'm here, can you check this HijackThis log from my other computer?

    Logfile of HijackThis v1.99.1
    Scan saved at 22:21:46, on 10/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\windows\system32\igfxtray.exe
    C:\windows\system32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    E:\OldC\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    D:\Program Files\SwiftSwitch\SwiftSwitch.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Outpost Firewall\outpost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wisptis.exe
    C:\Program Files\Opera\Opera.exe
    D:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.airforcespecialops.co.nz/index.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Colej_uk Design Toolbar Helper - {F5A59502-1D46-4a2b-941A-22D5AB2A5AC9} - C:\Program Files\Colej_uk Design Toolbar\v2.0.0.5\Colej_uk_Design_Toolbar.dll
    O3 - Toolbar: Colej_uk Design Toolbar - {584AAC83-CDBD-4016-9518-96B5016BB0D3} - C:\Program Files\Colej_uk Design Toolbar\v2.0.0.5\Colej_uk_Design_Toolbar.dll
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [msnmsgr] "E:\OldC\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DeskSlide] d:\Program Files\DeskSlide\DeskSlide.exe -hide
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\EruNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak\PopUp Blocker.exe
    O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak\PopUp Blocker.exe
    O15 - Trusted Zone: http://www.habbo.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{21104E81-B038-4C99-9B5F-346414C0B4AD}: NameServer = 202.27.184.3,202.27.184.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{21104E81-B038-4C99-9B5F-346414C0B4AD}: NameServer = 202.27.184.3,202.27.184.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{21104E81-B038-4C99-9B5F-346414C0B4AD}: NameServer = 202.27.184.3,202.27.184.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: C:\PROGRA~1\OUTPOS~1\wl_hook.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Outpost Firewall\outpost.exe
     
    Last edited: 2006/12/10
  19. 2006/12/10
    TeMerc
    OK, Killbox files can be deleted.

    I have a couple of questions about the items below, can't find anything conclusive on them:
    O2 - BHO: Colej_uk Design Toolbar Helper - {F5A59502-1D46-4a2b-941A-22D5AB2A5AC9} - C:\Program Files\Colej_uk Design Toolbar\v2.0.0.5\Colej_uk_Design_Toolbar.dll

    O3 - Toolbar: Colej_uk Design Toolbar - {584AAC83-CDBD-4016-9518-96B5016BB0D3} - C:\Program Files\Colej_uk Design Toolbar\v2.0.0.5\Colej_uk_Design_Toolbar.dll


    O4 - HKCU\..\Run: [DeskSlide] d:\Program Files\DeskSlide\DeskSlide.exe -hide

    If you know what they are, then you can leave them. If not fix them.
     
  20. 2006/12/10
    BrynTheSkits
    thank you for all your help
     
  21. 2006/12/10
    TeMerc
    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     