1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Trojan Horse BHO.BQ

Discussion in 'Malware and Virus Removal Archive' started by Mashi, 2007/09/05.

  1. 2007/09/05
    Mashi

    Mashi Inactive Thread Starter

    Joined:
    2007/09/05
    Messages:
    12
    Likes Received:
    0
    [Resolved]Trojan Horse BHO.BQ

    This trojan is starting to get on my nerves!!! :mad: AVG keeps popping up everytime I decide to go on the internet telling me if I want to heal this trojan. Then when I restart the comp the Trojan is still there! someone please help me get rid of this pest once and for all!!!.

    Heres the HiJack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:26:03 PM, on 9/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Robert\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Robert\Application Data\Mozilla\Profiles\default\v4vnlko4.slt\prefs.js)
    O2 - BHO: (no name) - {C9294C38-F3D7-4DBE-851E-B00C5BD20B99} - c:\windows\system32\mjfnmjf.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robert\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...tonmartin.com/configurator/db9coupe_load.html
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: juqphdze - C:\WINDOWS\SYSTEM32\mjfnmjf.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - - (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName= "VAIO Media Music Server (file missing)
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot= "Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\MusicServer\HTTP (file missing)
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe (file missing)
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\PhotoServer\HTTP (file missing)
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName= "VAIO Media Video Server (file missing)
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\VideoServer\HTTP (file missing)
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
     
    Mashi,
    #1
  2. 2007/09/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mashi
    Welcome to Windowsbbs

    First you have 2 anti-virus programs running, this is not a good idea.
    Please uninstall one of them.
    AVG7
    Norton AntiVirus

    Then do this next please.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Then this next.

    Download FindAWF from the link below, saving to the desktop.

    http://noahdfear.geekstogo.com/FindAWF.exe

    Double click it to run. Choose option 1 press enter.

    Let the program run, a notepad will open after it has finished.

    Please copy and paste the results back here.

    Please post the Vundo log and the FindAWF log.

    Thanks
    Geri
     
    Geri,
    #2


  3. to hide this advert.

  4. 2007/09/06
    Mashi

    Mashi Inactive Thread Starter

    Joined:
    2007/09/05
    Messages:
    12
    Likes Received:
    0
    Hi Geri,

    The vundo fix found nothing. I also forgot to mention that the virus is apparently in C:\windows\system32\mjfnmjf.dll according to AVG.

    heres the HiJack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:21:52 PM, on 9/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Robert\Desktop\VundoFix.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Robert\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Robert\Application Data\Mozilla\Profiles\default\v4vnlko4.slt\prefs.js)
    O2 - BHO: (no name) - {C9294C38-F3D7-4DBE-851E-B00C5BD20B99} - c:\windows\system32\mjfnmjf.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robert\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...tonmartin.com/configurator/db9coupe_load.html
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: juqphdze - C:\WINDOWS\SYSTEM32\mjfnmjf.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName= "VAIO Media Music Server (file missing)
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot= "Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\MusicServer\HTTP (file missing)
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe (file missing)
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\PhotoServer\HTTP (file missing)
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName= "VAIO Media Video Server (file missing)
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\VideoServer\HTTP (file missing)
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)


    and heres the awf log:


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Thu 09/06/2007
    The current time is: 16:12:47.51


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    04/21/2006 10:17 PM 155,648 qttask.exe
    1 File(s) 155,648 bytes

    Directory of C:\PROGRA~1\SYMNET~1\BAK

    06/04/2006 02:43 AM 100,056 SNDMon.exe
    1 File(s) 100,056 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 03:56 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    03/22/2005 10:05 PM 339,968 atiptaxx.exe
    1 File(s) 339,968 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    02/17/2006 10:05 AM 59,040 ccApp.exe
    1 File(s) 59,040 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    155648 Apr 21 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    100056 Aug 7 2007 "C:\Program Files\SymNetDrv\SNDMon.exe "
    100056 Jun 4 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe "
    339968 Mar 22 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe "
    59040 Feb 17 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe "
    84640 Sep 3 2006 "C:\Documents and Settings\Robert\Local Settings\Temp\NIS10.0\Support\ccCommon\ccCommon\ccApp.exe "


    end of report
     
    Mashi,
    #3
  5. 2007/09/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mashi

    OK
    Please Delete VundoFix.

    Download ComboFix from Here or [color= "Red"]Here[/color] to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall


    Now please do this,

    You have some legitmate files that need to be restored. We'll use FindAWF to do the task.

    Highlight and copy the bolded list of files below.

    "C:\Program Files\QuickTime\bak\qttask.exe "
    "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe "
    "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe "

    • Run FindAWF again and select option 2.
    • Press any key to continue at the Thank you screen.
    • A text file will open named files.txt.
    • Click below the line in files.txt, then right click and paste the list of files.
    • Close files.txt and save the changes.
    • FindAWF will restore the files to their original location and automatically do another scan.
    • When complete, awf.txt will open.
    • Please post it's contents.

    Please post the combofix log and the new FindAWF log.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2007/09/06
    Mashi

    Mashi Inactive Thread Starter

    Joined:
    2007/09/05
    Messages:
    12
    Likes Received:
    0
    Hi, thanks for the response Geri
    The symptom seems to have stopped =D

    Heres the Hijackthis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:37:46 AM, on 9/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Robert\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Robert\Application Data\Mozilla\Profiles\default\v4vnlko4.slt\prefs.js)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robert\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...tonmartin.com/configurator/db9coupe_load.html
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName= "VAIO Media Music Server (file missing)
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot= "Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\MusicServer\HTTP (file missing)
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe (file missing)
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\PhotoServer\HTTP (file missing)
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName= "VAIO Media Video Server (file missing)
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\VideoServer\HTTP (file missing)
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)




    This is the combo fix log:
    ComboFix 07-08-30.3 - "Robert" 2007-09-07 0:29:10.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.525 [GMT -4:00]
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\as.txt
    C:\DOCUME~1\Robert\APPLIC~1\install.dat
    C:\DOCUME~1\Robert\Desktop\internet explorer.lnk
    C:\DOCUME~1\Robert\FAVORI~1\.url
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\Terms.rtf
    C:\WINDOWS\keyboard1.dat
    C:\WINDOWS\system32\2_exception.nls
    C:\WINDOWS\system32\drivers\hd_dirs.cfg
    C:\WINDOWS\system32\drivers\hd_rkeys.cfg
    C:\WINDOWS\system32\drivers\hd_rvals.cfg
    C:\WINDOWS\system32\drivers\hflt_ipf.sys
    C:\WINDOWS\system32\drivers\jhzvcsro.sys
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\mjfnmjf.dll
    C:\WINDOWS\system32\mjfnmjf.dll.bak
    C:\WINDOWS\system32\packet.dll
    C:\WINDOWS\system32\pthreadVC.dll
    C:\WINDOWS\system32\unsvchosts.lzma
    C:\WINDOWS\system32\wanpacket.dll
    C:\WINDOWS\system32\wpcap.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_BSLZMNOQ
    -------\LEGACY_NPF
    -------\LEGACY_RKDUQPCE
    -------\bslzmnoq
    -------\NPF
    -------\rkduqpce


    ((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))


    2007-09-07 00:27 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-09-05 03:54 <DIR> d-------- C:\Program Files\IMVU
    2007-09-05 03:54 <DIR> d-------- C:\DOCUME~1\Robert\APPLIC~1\IMVU
    2007-08-31 01:08 <DIR> d----c--- C:\!KillBox
    2007-08-31 01:02 <DIR> d----c--- C:\VundoFix Backups
    2007-08-20 16:51 <DIR> d-------- C:\DOCUME~1\Robert\APPLIC~1\Atari
    2007-08-20 16:50 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2007-08-20 16:49 <DIR> d-------- C:\DOCUME~1\Robert\APPLIC~1\Leadertech


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-09-07 00:33 --------- d-------- C:\Program Files\SymNetDrv
    2007-09-06 16:08 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2007-09-06 16:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
    2007-09-06 15:59 --------- d-------- C:\Program Files\Symantec
    2007-09-05 02:51 --------- d-------- C:\Program Files\Warcraft III
    2007-08-28 12:38 --------- d-------- C:\DOCUME~1\Robert\APPLIC~1\AdobeUM
    2007-08-20 16:45 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-22 19:34 82944 --a------ C:\WINDOWS\system32\ws2_32(2)(2).dll
    2007-07-22 19:34 --------- d-------- C:\Program Files\QuickTime
    2007-07-17 11:53 --------- d-------- C:\Program Files\Yahoo!
    2007-07-17 02:09 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
    2007-07-07 14:55 684567 --a------ C:\WINDOWS\system32\libeay32.dll
    2007-07-07 14:55 147729 --a------ C:\WINDOWS\system32\libssl32.dll
    2007-07-07 14:49 12416 --a------ C:\WINDOWS\system32\drivers\jhzvcsro(2).sys
    2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2006-06-07 13:55 3753 --a--c--- C:\Program Files\Common Files\pofo.html


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 14:47]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "FreeRAM XP "= "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 01:13]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator "=Narrator.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    "C:\Program Files\America Online 9.0a\AOL.EXE" -b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLCC]
    "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
    " /C

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
    C:\WINDOWS\System32\ezSP_Px.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
    C:\Program Files\Norton Internet Security\UrlLstCk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
    C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
    "c:\program files\support.com\client\bin\tgcmd.exe" /server

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SNDSrvc "=3 (0x3)
    "SAVScan "=2 (0x2)
    "navapsvc "=2 (0x2)
    "ccSetMgr "=2 (0x2)
    "ccPwdSvc "=3 (0x3)
    "ccProxy "=2 (0x2)
    "ccEvtMgr "=2 (0x2)

    R1 NPPTNT;NPPTNT;\??\C:\WINDOWS\System32\npptNT.sys
    S3 smrt;Sony MPEG RealTime encoder board;C:\WINDOWS\system32\DRIVERS\smrt.sys
    S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys
    S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys
    S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys
    S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys
    S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys


    Contents of the 'Scheduled Tasks' folder
    2004-04-15 02:13:20 C:\WINDOWS\Tasks\Registration reminder 2.job - C:\WINDOWS\System32\OOBE\oobebaln.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-07 00:33:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-09-07 0:34:51 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-07 00:34

    --- E O F ---

    and heres the awf.txt log:

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Fri 09/07/2007
    The current time is: 0:42:08.40


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    04/21/2006 10:17 PM 155,648 qttask.exe
    1 File(s) 155,648 bytes

    Directory of C:\PROGRA~1\SYMNET~1\BAK

    06/04/2006 02:43 AM 100,056 SNDMon.exe
    1 File(s) 100,056 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 03:56 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    03/22/2005 10:05 PM 339,968 atiptaxx.exe
    1 File(s) 339,968 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    02/17/2006 10:05 AM 59,040 ccApp.exe
    1 File(s) 59,040 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    155648 Apr 21 2006 "C:\Program Files\QuickTime\qttask.exe "
    155648 Apr 21 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    100056 Jun 4 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe "
    339968 Mar 22 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    339968 Mar 22 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe "
    59040 Feb 17 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    59040 Feb 17 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe "


    end of report
     
    Mashi,
    #5
  7. 2007/09/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mashi

    Please do this next.

    Highlight and copy the bolded list of folders below.

    C:\PROGRA~1\MESSEN~1\BAK
    C:\Program Files\QuickTime\bak
    C:\Program Files\ATI Technologies\ATI Control Panel\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\SymNetDrv\bak
    C:\WINDOWS\system32\bak

    • Run FindAWF again and select option 3.
    • A text file will open named folders.txt.
    • Click below the line in folders.txt, then right click and paste the list of folders.
    • Close folders.txt and save the changes.
    • FindAWF will delete the folders and automatically do another scan.
    • When complete, awf.txt will open.
    • Please post it's contents.

    Then please post a uninstall list. Here is how.

    To get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager "
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.

    Please post these two logs, FindAWF and the Uninstall list.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2007/09/08
    Mashi

    Mashi Inactive Thread Starter

    Joined:
    2007/09/05
    Messages:
    12
    Likes Received:
    0
    Hi, Geri

    heres the AWF log:

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Sat 09/08/2007
    The current time is: 23:00:53.84


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report


    And heres the uninstall log form HiJack this:

    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Flash Player 9 ActiveX
    Adobe Reader 6.0
    Adobe Shockwave Player
    Agere Systems AC'97 Modem
    AOL Instant Messenger
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    AVG 7.5
    Battlefield 2(TM)
    Carom3D
    CDR Tools Front End v1.3 final
    Click to DVD 1.3
    DivX Player
    DivX Pro Codec Adware
    HijackThis 1.99.1
    hp officejet d series - 1
    hp officejet d series corporate driver
    Intel(R) Extreme Graphics Driver
    Intel(R) PRO Network Adapters and Drivers
    InterVideo WinDVD 5 for VAIO
    iTunes
    Memory Stick Formatter
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft Data Access Components KB870669
    Microsoft Flight Simulator X
    Microsoft Office Standard Edition 2003
    Microsoft Office XP Professional
    Microsoft Office XP Professional with FrontPage
    Microsoft Visual C++ 2005 Redistributable
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 Parser and SDK
    Music Visualizer Library 1.4.00
    Netscape (7.02)
    OpenMG Secure Module 3.3.01
    Quicken 2004
    QuickTime
    RealOne Player
    RollerCoaster Tycoon 3
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    SkyChart III Student Version
    SonicStage 1.6.00
    Sony Certificate PCH
    Sony Video Shared Library
    Spybot - Search & Destroy 1.4
    Symantec
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    VAIO BrightColor Wallpaper
    VAIO Help and Support
    VAIO Media 2.6
    VAIO Media Integrated Server 2.6
    VAIO Media Redistribution 2.6
    VAIO Registration
    VAIO Support
    VAIO Survey Standalone
    VAIO System Information
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WC3Banlist
    WinAce Archiver
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885626
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2
    WinPcap 3.1 beta4
    WinRAR archiver
    Zilla CD-DVD Rip N' Burn 5.0.0.2

    thanks
     
    Mashi,
    #7
  9. 2007/09/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mashi
    OK Things are looking better. we're almost done.

    Please do this next.

    Run FindAWF again and select option 4. it Returns to the main menu when complete.
    Close FindAWF by typing E and hitting enter.

    Please Run HJT again and post the new log.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2007/09/09
    Mashi

    Mashi Inactive Thread Starter

    Joined:
    2007/09/05
    Messages:
    12
    Likes Received:
    0
    hi Geri,

    heres the hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:35:13 AM, on 9/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Robert\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Robert\Application Data\Mozilla\Profiles\default\v4vnlko4.slt\prefs.js)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robert\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...tonmartin.com/configurator/db9coupe_load.html
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName= "VAIO Media Music Server (file missing)
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot= "Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\MusicServer\HTTP (file missing)
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe (file missing)
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\PhotoServer\HTTP (file missing)
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName= "VAIO Media Video Server (file missing)
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\VideoServer\HTTP (file missing)
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)

    thanks for all your help :)
     
    Mashi,
    #9
  11. 2007/09/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mashi

    Please do the following.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following.

    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WinAce Archiver <<If you don't use this, Web site is flagged by Site Advisor

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...oupe_load.html
    O20 - AppInit_DLLs: <<Note: You will get a warning when removing this, OK the removal.

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore "), please delete these files (if present):

    C:\WINDOWS\system32\drivers\jhzvcsro(2).sys


    Reboot your computer.

    Now Please...

    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin

    The rest are optional - if you want it to remove everything check "Select All ".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Then lets run a on-line scan to make sure nothing is lurking.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be promted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results and one more New HJT log.

    Thanks
    Geri
     
    Geri,
    #10
  12. 2007/09/09
    Mashi

    Mashi Inactive Thread Starter

    Joined:
    2007/09/05
    Messages:
    12
    Likes Received:
    0
    Hi Geri,

    It seems I still have some virus's lurking about according to kaspersky although some of them seem to be from the other anti virus software:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, September 09, 2007 2:07:10 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 9/09/2007
    Kaspersky Anti-Virus database records: 410500
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 113996
    Number of viruses found: 8
    Number of infected objects: 17
    Number of suspicious objects: 6
    Duration of the scan process: 02:05:54

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9a8ad017c487a431d9183e3d0604e353_08ea4d40-3147-4edc-b5d6-44c33a5f3100 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz28.zip/sfjpxlt.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz28.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz42.zip/sfjpxlt.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz42.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip/Uninstall.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Robert\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Robert\Desktop\backups\backup-20070831-005504-609.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
    C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\History\History.IE5\MSHist012007090920070910\index.dat Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\Temp\Perflib_Perfdata_80.dat Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002 Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0003/data0139 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe Inno: infected - 8 skipped
    C:\Documents and Settings\Robert\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Robert\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\pofo.html Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\Program Files\IMVU\DirectConnect_Guest_nad850.log Object is locked skipped
    C:\Program Files\WindowsUpdate\mecewe.html Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP55\A0007324.exe Infected: Trojan-Downloader.Win32.Intexp.c skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP55\A0007325.exe Infected: Trojan-Downloader.Win32.Intexp.c skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP55\A0007326.dll Infected: Trojan.Win32.Revop.c skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP55\A0007327.exe Infected: Trojan-Downloader.Win32.Intexp.c skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP58\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\jhzvcsro(2).sys Infected: Rootkit.Win32.Podnuha.a skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP58\change.log Object is locked skipped

    Scan process completed.

    heres the Hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:09:51 PM, on 9/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Robert\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Robert\Application Data\Mozilla\Profiles\default\v4vnlko4.slt\prefs.js)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robert\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName= "VAIO Media Music Server (file missing)
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot= "Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\MusicServer\HTTP (file missing)
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe (file missing)
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\PhotoServer\HTTP (file missing)
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName= "VAIO Media Video Server (file missing)
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Applications\VideoServer\HTTP (file missing)
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
     
    Last edited: 2007/09/09
    Mashi,
    #11
  13. 2007/09/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mashi

    Download
    OTMoveIt by OldTimer to your Desktop.
    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Please post the C:\_OTMoveIt\MovedFiles Log here

    Thanks
    Geri
     
    Geri,
    #12
  14. 2007/09/09
    Mashi

    Mashi Inactive Thread Starter

    Joined:
    2007/09/05
    Messages:
    12
    Likes Received:
    0
    hi heres the OT moveit log:

    C:\Program Files\Common Files\pofo.html moved successfully.
    C:\Program Files\WindowsUpdate\mecewe.html moved successfully.
    C:\WINDOWS\system32\drivers\jhzvcsro(2).sys moved successfully.
    File/Folder C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/v2.0.2.cab/NHUninstaller.exe not found.
    C:\Documents and Settings\Robert\Desktop\backups\backup-20070831-005504-609.dll unregistered successfully.
    C:\Documents and Settings\Robert\Desktop\backups\backup-20070831-005504-609.dll moved successfully.

    Created on 09/09/2007 16:11:10
     
    Mashi,
    #13
  15. 2007/09/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mashi
    OK very good.

    Please run OTMoveIt again and add this.

    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe

    Please run a Kaspersky scan again and post the log.

    Thanks
    Geri
     
    Geri,
    #14
  16. 2007/09/09
    Mashi

    Mashi Inactive Thread Starter

    Joined:
    2007/09/05
    Messages:
    12
    Likes Received:
    0
    Hi Geri,

    heres the scan results:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, September 09, 2007 8:35:41 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 10/09/2007
    Kaspersky Anti-Virus database records: 410635
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 114398
    Number of viruses found: 8
    Number of infected objects: 17
    Number of suspicious objects: 6
    Duration of the scan process: 01:35:19

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9a8ad017c487a431d9183e3d0604e353_08ea4d40-3147-4edc-b5d6-44c33a5f3100 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz28.zip/sfjpxlt.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz28.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz42.zip/sfjpxlt.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz42.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip/Uninstall.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Robert\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\History\History.IE5\MSHist012007090920070910\index.dat Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\Temp\fla55F9.tmp Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\Temp\Perflib_Perfdata_80.dat Object is locked skipped
    C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0002 Infected: not-a-virus:AdWare.Win32.NavExcel skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0003/data0139 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe Inno: infected - 8 skipped
    C:\Documents and Settings\Robert\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Robert\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Robert\UserData\index.dat Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP55\A0007324.exe Infected: Trojan-Downloader.Win32.Intexp.c skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP55\A0007325.exe Infected: Trojan-Downloader.Win32.Intexp.c skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP55\A0007326.dll Infected: Trojan.Win32.Revop.c skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP55\A0007327.exe Infected: Trojan-Downloader.Win32.Intexp.c skipped
    C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP59\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\_OTMoveIt\MovedFiles\Documents and Settings\Robert\Desktop\backups\backup-20070831-005504-609.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
    C:\_OTMoveIt\MovedFiles\Program Files\Common Files\pofo.html Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\_OTMoveIt\MovedFiles\Program Files\WindowsUpdate\mecewe.html Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\_OTMoveIt\MovedFiles\WINDOWS\system32\drivers\jhzvcsro(2).sys Infected: Rootkit.Win32.Podnuha.a skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.
     
    Mashi,
    #15
  17. 2007/09/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mashi

    Sorry you might have missed this.
    Did you try OTMoveIt on this?

    C:\Documents and Settings\Robert\My Documents\My eBooks\burner.exe

    If this is some kind of burner program you have and wish to keep it, then skip it. please let me know though.

    OK evrything else looks good.
    How are things running?

    You can delete any tools you were asked to download and the files/folders or logs they created, There will be newer versions if ever needed again any way.
    These tools.
    Vundo fix
    Combofix
    OTMoveIt

    These folders/files.
    C:\VundoFix Backups
    C:\WINDOWS\nircmd.exe <<This File
    C:\QOOBOX
    C:\Combofix quarantine files.txt
    C:\_OTMoveIt\MovedFiles
    C:\!Killbox

    Please open SpyBot Search and Destroy
    Click on Recovery.
    Put a check mark next to all listed items.
    Click Purge selected items.
    Click yes at the prompt.
    Close SpyBot.

    Please run ATF cleaner I asked you to download, to clean up the deletions.

    We need to turn off and on system restore. There are infections in it and by using system restore you would reinfect yourself.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives. "
    5. Click Apply, and then click OK
    Make a new restore point.


    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - A powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

    5. IE-SpyAd - puts over 23,000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all,
      and MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    6. Install WinPatrol to prevent unknown applications from being inserted to start up on your machine

      Now just because you have security apps installed, they are useless unless updated regularly.

    7. Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    8. ATF Cleaner by Atribune.
      This program is for XP and Windows 2000 only, Cleans out temporary files all the garbage you collect while surfing the web.

    9. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

    10. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    11. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

    Surf Safely
    Geri
     
    Geri,
    #16
  18. 2007/09/10
    Mashi

    Mashi Inactive Thread Starter

    Joined:
    2007/09/05
    Messages:
    12
    Likes Received:
    0
    Hi Geri, I already got rid of the burner.exe file. Overall the computer is running well but this whole experience has been a huge wake up call for me. I will definitely install all the software you suggested and thanks again for getting this pest outta my comp.

    regards
    -Rob
     
    Mashi,
    #17
  19. 2007/09/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mashi
    I'm glad everything is working well.
    I must advise you again, only run 1 anti-virus program. I seen that Norton
    was just disabled and not removed. Two AV's can confect with each other and end up giving you less protection.

    I will mark this thread "resolved ".

    Surf Safely
    Geri
     
    Geri,
    #18

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...