Solved ntload.sys trojan

[Resolved]ntload.sys trojan

Every time I star my pc Avast shows this virus:

C:\WINDOWS\system32\ntload.sys
Win32:NTRootKit-B [Trj]
Trojan Horse

I always move it to the quarentene, but it keeps showing up.

After Avast I get a message that winupdate.exe found a problem and needs to be closed. Below is my hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:19:28, on 18.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\winupdate.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Tech\Office Program Selector\2.0\ACROMAPP.EXE
C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\TuneUp Utilities 2007\Integrator.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Alwil Software\Avast4\ashSimpl.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
F3 - REG:win.ini: run= "C:\WINDOWS\system32\winupdate.exe "
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Tech] C:\Programme\Tech\Office Program Selector\2.0\ACROMAPP.EXE
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Dokumente und Einstellungen\Home\Desktop\allan\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Dokumente und Einstellungen\Home\Desktop\allan\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {1763F047-73AC-4AAD-B65E-0AA0DC18E8C0} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {1763F047-73AC-4AAD-B65E-0AA0DC18E8C0} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {59136DB4-6CA3-4B40-8F2F-BBF84B6F1E91} (Attachment Upload Control) - https://img.web.de/v/mail/activex/mail_upload_1124.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.incredigames.com/online/online2/bejeweled2/popcaploader_v6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: qommlki - qommlki.dll (file missing)
O20 - Winlogon Notify: winbug32 - C:\WINDOWS\SYSTEM32\winbug32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Unknown owner - C:\Programme\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - http://harrypotter.warnerbros.co.uk/site/media/downloads/icons/icon3.gif

--
End of file - 7477 bytes

 

Hi dogtag
This one I can help you with.

Please do this.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks
Geri

 

SDFix: Version 1.216
Run by Administrator on 19.08.2008 at 02:12

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
ntload

Path :
\??\C:\WINDOWS\system32\ntload.sys

ntload - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\WINBUG32.dll - Deleted
C:\WINDOWS\hosts - Deleted
C:\WINDOWS\system32\winupdate.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 02:39:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1 "=dword:2df9c43f
"s2 "=dword:110480d0
"h0 "=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0 "= "C:\Programme\DAEMON Tools Lite\ "
"h0 "=dword:00000000
"khjeh "=hex:94,67,35,ce,6a,5f,32,2a,49,98,74,7f,67,a1,50,4f,70,ad,57,fc,69,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0 "=hex:20,01,00,00,bf,7a,de,b8,84,09,b2,2c,53,71,ef,87,81,70,93,48,21,..
"khjeh "=hex:31,67,6f,57,35,35,f8,5d,6e,af,02,09,61,74,84,7f,22,e2,b8,a9,bb,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh "=hex:8d,2c,53,02,ea,6c,72,7b,ba,7b,1c,73,9a,5f,b9,6d,46,4b,0d,d6,39,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0 "= "C:\Programme\DAEMON Tools Lite\ "
"h0 "=dword:00000000
"khjeh "=hex:94,67,35,ce,6a,5f,32,2a,49,98,74,7f,67,a1,50,4f,70,ad,57,fc,69,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0 "=hex:20,01,00,00,bf,7a,de,b8,84,09,b2,2c,53,71,ef,87,81,70,93,48,21,..
"khjeh "=hex:31,67,6f,57,35,35,f8,5d,6e,af,02,09,61,74,84,7f,22,e2,b8,a9,bb,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh "=hex:8d,2c,53,02,ea,6c,72,7b,ba,7b,1c,73,9a,5f,b9,6d,46,4b,0d,d6,39,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019 "
"C:\\Programme\\BearShare\\BearShare.exe "= "C:\\Programme\\BearShare\\BearShare.exe:*isabled:BearShare "
"C:\\WINDOWS\\system32\\dpvsetup.exe "= "C:\\WINDOWS\\system32\\dpvsetup.exe:*isabled:Microsoft DirectPlay Voice Test "
"C:\\WINDOWS\\system32\\rundll32.exe "= "C:\\WINDOWS\\system32\\rundll32.exe:*isabled:Eine DLL-Datei als Anwendung ausfhren "
"C:\\Programme\\Valve\\hl.exe "= "C:\\Programme\\Valve\\hl.exe:*:Enabled:Half-Life Launcher "
"C:\\Programme\\Valve\\Steam\\Steam.exe "= "C:\\Programme\\Valve\\Steam\\Steam.exe:*:Enabled:Steam "
"C:\\Programme\\Valve\\Steam\\SteamApps\\theballerman\\counter-strike\\hl.exe "= "C:\\Programme\\Valve\\Steam\\SteamApps\\theballerman\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher "
"C:\\Dokumente und Einstellungen\\Home\\Desktop\\Karol\\age of empires\\empires2.exe "= "C:\\Dokumente und Einstellungen\\Home\\Desktop\\Karol\\age of empires\\empires2.exe:*:Enabled:Age of Empires II "
"C:\\WINDOWS\\system32\\dplaysvr.exe "= "C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper "
"C:\\Programme\\Messenger\\msmsgs.exe "= "C:\\Programme\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger "
"E:\\Total Commander 6.53 PL\\Totalcmd.exe "= "E:\\Total Commander 6.53 PL\\Totalcmd.exe:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows "
"C:\\Programme\\Internet Explorer\\iexplore.exe "= "C:\\Programme\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer "
"C:\\Programme\\Logitech\\Video\\FxSvr2.exe "= "C:\\Programme\\Logitech\\Video\\FxSvr2.exe:*:Enabled:QuickCam Framework Server "
"C:\\Programme\\MSN Messenger\\msnmsgr.exe "= "C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
"C:\\Programme\\MSN Messenger\\livecall.exe "= "C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "
"C:\\Dokumente und Einstellungen\\Home\\Desktop\\allan\\ICQ6\\ICQ.exe "= "C:\\Dokumente und Einstellungen\\Home\\Desktop\\allan\\ICQ6\\ICQ.exe:*:Enabled:ICQ6 "
"C:\\Dokumente und Einstellungen\\Home\\Anwendungsdaten\\PowerChallenge\\PowerFootball\\PowerFootball.exe "= "C:\\Dokumente und Einstellungen\\Home\\Anwendungsdaten\\PowerChallenge\\PowerFootball\\PowerFootball.exe:*:EnabledowerFootball "
"C:\\Programme\\Skype\\Phone\\Skype.exe "= "C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019 "
"C:\\Programme\\MSN Messenger\\msnmsgr.exe "= "C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
"C:\\Programme\\MSN Messenger\\livecall.exe "= "C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 13 May 2005 217,073 A.SHR --- "C:\WINDOWS\meta4.exe "
Mon 24 Oct 2005 66,560 A.SHR --- "C:\WINDOWS\MOTA113.exe "
Thu 13 Oct 2005 422,400 A.SHR --- "C:\WINDOWS\x2.64.exe "
Tue 3 Aug 2004 4,639 A.SH. --- "C:\Programme\Windows Media Player\mplayer2.exe "
Fri 28 Jan 2005 73,728 A.SH. --- "C:\Programme\Windows Media Player\wmplayer.exe "
Fri 7 Oct 2005 308,224 A.SHR --- "C:\WINDOWS\system32\avisynth.dll "
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINDOWS\system32\AVSredirect.dll "
Sat 16 Aug 2003 579,584 A.SHR --- "C:\WINDOWS\system32\cd.exe "
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll "
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll "
Sun 25 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\i420vfw.dll "
Sun 6 Nov 2005 184,618 A.SHR --- "C:\WINDOWS\system32\patcher.exe "
Thu 27 Apr 2006 2,945,024 A.SHR --- "C:\WINDOWS\system32\Smab.dll "
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINDOWS\system32\x.264.exe "
Sun 25 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\yv12vfw.dll "
Mon 18 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b94c3e176474a8fd66daa4fe0c2353be\BIT55D.tmp "
Mon 18 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eac129044bb68298c81589f4b51d4c64\BIT55F.tmp "
Mon 18 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT55E.tmp "

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:10:19, on 19.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Tech\Office Program Selector\2.0\ACROMAPP.EXE
C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Tech] C:\Programme\Tech\Office Program Selector\2.0\ACROMAPP.EXE
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Dokumente und Einstellungen\Home\Desktop\allan\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Dokumente und Einstellungen\Home\Desktop\allan\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {1763F047-73AC-4AAD-B65E-0AA0DC18E8C0} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {1763F047-73AC-4AAD-B65E-0AA0DC18E8C0} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {59136DB4-6CA3-4B40-8F2F-BBF84B6F1E91} (Attachment Upload Control) - https://img.web.de/v/mail/activex/mail_upload_1124.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.incredigames.com/online/online2/bejeweled2/popcaploader_v6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: qommlki - qommlki.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Unknown owner - C:\Programme\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - http://harrypotter.warnerbros.co.uk/site/media/downloads/icons/icon3.gif

--
End of file - 7224 bytes

 

Hi
OK now run this.

Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

Double click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select 'Perform Quick Scan', then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Post the entire report in your next reply along with a fresh HijackThis log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks
Geri

 

Hi thanks for the help so far.

Malwarebytes' Anti-Malware 1.25
Database version: 1065
Windows 5.1.2600 Service Pack 2

11:19:28 19.08.2008
mbam-log-08-19-2008 (11-19-28).txt

Scan type: Quick Scan
Objects scanned: 42616
Time elapsed: 11 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 28
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drvfuc.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\muaui_navps.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\muaui_nav.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:20, on 19.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Tech\Office Program Selector\2.0\ACROMAPP.EXE
C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Tech] C:\Programme\Tech\Office Program Selector\2.0\ACROMAPP.EXE
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Dokumente und Einstellungen\Home\Desktop\allan\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Dokumente und Einstellungen\Home\Desktop\allan\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {1763F047-73AC-4AAD-B65E-0AA0DC18E8C0} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {1763F047-73AC-4AAD-B65E-0AA0DC18E8C0} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {59136DB4-6CA3-4B40-8F2F-BBF84B6F1E91} (Attachment Upload Control) - https://img.web.de/v/mail/activex/mail_upload_1124.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: qommlki - qommlki.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Unknown owner - C:\Programme\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - http://harrypotter.warnerbros.co.uk/site/media/downloads/icons/icon3.gif

--
End of file - 6876 bytes

 

Hi dogtag
OK looking good.

Now do this.

Delete SDFix.exe and this folder C:\SDFix


Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {1763F047-73AC-4AAD-B65E-0AA0DC18E8C0} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {1763F047-73AC-4AAD-B65E-0AA0DC18E8C0} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O20 - Winlogon Notify: qommlki - qommlki.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT.

Using Windows Explorer (to get there right-click your Start button and go to "Explore "), please delete this folders (if present):

C:\Programme\xp-AntiSpy

After that, Reboot.


Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin

The rest are optional - if you want it to remove everything check "Select All ".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

Now lets get a on-line scan

Please do an online scan with Kaspersky WebScanner

Click on “Accept” If your pop –up blocker blocks any windows from opening.

Click Run on the window that opens.
Windows Vista users you must open the web browser using the Run as Administrator command.

• The program will launch and then begin downloading the latest definition files:
• Under Scan on the left side.Click on My Computer
• This will start the program and scan your system.
• Click the “Scan Report” On the left side.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.:
• Save the text file to your desktop.
• Copy and paste that information in your next post.

Please post the Kaspersky results. and a New HJT log.

Thanks
Geri

 

I have completed the steps up to kaspersky's online scan. I spent ages trying to sort it out. Installed java applet, enabled all java plugs in internet options, deinstalled all anti-virus software that was not compatible with kaspersky however at the end I get the same error message over and over. I checked all possible forums and it should work howver it doesnt.
I dont know what else I could do therefore I will just paste the new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:21:29, on 20.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Tech\Office Program Selector\2.0\ACROMAPP.EXE
C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe "
O4 - HKCU\..\Run: [Tech] C:\Programme\Tech\Office Program Selector\2.0\ACROMAPP.EXE
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Dokumente und Einstellungen\Home\Desktop\allan\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Dokumente und Einstellungen\Home\Desktop\allan\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {59136DB4-6CA3-4B40-8F2F-BBF84B6F1E91} (Attachment Upload Control) - https://img.web.de/v/mail/activex/mail_upload_1124.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Unknown owner - C:\Programme\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - http://harrypotter.warnerbros.co.uk/site/media/downloads/icons/icon3.gif

--
End of file - 5789 bytes


thanks for your help and ´rapid respons

 

Hi dogtag
Kaspersky and their Java thing They just went to that and they're becoming a pain.

Lets try this one.

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Thanks
Geri

 

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-20 13:07:57
PROTECTIONS: 0
MALWARE: 12
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00027660 adware/savenow Adware No 0 Yes No hkey_classes_root\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader.1
00027660 adware/savenow Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
00027660 adware/savenow Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@atdmt[1].txt
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe[C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe][SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023225.exe
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@mediaplex[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@apmebf[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@burstnet[1].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Anwendungsdaten\Mozilla\Firefox\Profiles\eeoi4kyq.default\cookies.txt[.adultfriendfinder.com/]
00211158 application/bestoffer HackTools No 0 Yes No c:\windows\smdat32m.sys
00214288 adware/quickbar Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}
03377846 Spyware/Virtumonde Spyware No 1 Yes No C:\Dokumente und Einstellungen\Home\Lokale Einstellungen\Temporary Internet Files\Content.IE5\UDR1TZIE\ptch[1]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Dokumente und Einstellungen\Home\Desktop\ComboFix.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
137571 HIGH MS06-070
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
;===================================================================================================================================================================================

 

Hi dogtag
OK please do this.

Please backup your registry using ERUNT before proceeding to any of the steps.

. Download ERUNT from Derfisch or Aumha and save it to your desktop.

Use the setup program to install ERUNT on your computer
Click ERUNT.Setup.exe to install ERUNT and backup your registry.
Uncheck the "Create NTREGOPT desktop icon" box.
In the window that comes up to Create an ERUNT entry to the Start up folder select No.

By Default the backup location is C:\windows\erunt\ (current date)
Click OK to continue with the registry backup.
If the folder does not exist then let ERUNT create the folder for you by clicking Yes
You should see a progress bar when ERUNT is backing up the Windows Registry.
After ERUNT has completed the Windows Registry backup. Click OK to exit ERUNT


Open "Notepad†Copy the contents of the code box below to the blank Notepad.
Click "File" > "Save as "
In the "Save In" box at the top click the down arrow and select DeskTop

In the "File name" type in: fix.reg
In the "Save As Type" select: All Files
Once saved, Go to your desktop double click "fix.reg file" and let it merge with the registry.

Code:

REGEDIT4

[-hkey_classes_root\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}]

[-hkey_local_machine\software\classes\runmsc.loader]

[-hkey_local_machine\software\classes\runmsc.loader.1]

[-HKEY_CLASSES_ROOT\Interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}]

[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{9f95f736-0f62-4214-a4b4-caa6738d4c07}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}] 

Using Windows Explorer (to get there right-click your Start button and go to "Explore "), please delete these files (if present):

c:\windows\smdat32m.sys

Close Windows Explorer.

Now follow this path

C:\Dokumente und Einstellungen\Home\Lokale Einstellungen\Temporary Internet Files

Once there click on the Edit tab > select all
Then click on the File tab > Delete
OK the prompt.

Now do this.

Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing the infected files there as well.

Now run ATF Cleaner again, make sure you also use the Firefox option.

Now another Panda scan and post the log.

Thanks
Geri

 

Hi Geri,
Concerning ComboFix, I do have the exe file on my desktop but have never installed it therefore the deinstallation is not possible. I have double checked the posts and I wasn't meant to do anything with it. I have successfully completed the other steps and finally done the scan:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-20 19:46:57
PROTECTIONS: 0
MALWARE: 3
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023225.exe
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe[C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe][SDFix\apps\Process.exe]
00214288 adware/quickbar Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}
03377846 Spyware/Virtumonde Spyware No 1 Yes No C:\Dokumente und Einstellungen\Home\Lokale Einstellungen\Temporary Internet Files\Content.IE5\UDR1TZIE\ptch[1]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Dokumente und Einstellungen\Home\Desktop\ComboFix.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
137571 HIGH MS06-070
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
;===================================================================================================================================================================================

 

Hi

OK Combofix is a very powerful tool and not to be used without supervision, It is updated almost daily and old version will do you no good any way.
Right click on it and click delete. to remove it.

These are still showing in the Panda scan and need to be removed, so please do this.

Delete the reg.fix file you saved to your desktop then do this.

Open “Notepad” Copy the contents of the code box below to the blank Notepad.
Click "File" > "Save as "
In the "Save In" box at the top click the down arrow and select DeskTop

In the “File name” type in: fix.reg
In the “Save As Type” select: All Files
Once saved, Go to your desktop double click “fix.reg file” and let it merge with the registry.

Code:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}] 

Now follow this path and delete this
C:\Dokumente und Einstellungen\Home\Lokale Einstellungen\Temporary Internet Files\Content.IE5\UDR1TZIE

Now another Panda scan.

Geri

 

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-21 11:48:34
PROTECTIONS: 0
MALWARE: 5
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe[C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe][SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023225.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@mediaplex[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@apmebf[1].txt
00214288 adware/quickbar Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}
;===================================================================================================================================================================================
SUSPECTS
Sent Location ~
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description ~
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 ~
184379 MEDIUM MS08-001 ~
182048 HIGH MS07-069 ~
182046 HIGH MS07-067 ~
182043 HIGH MS07-064 ~
179553 HIGH MS07-061 ~
176382 HIGH MS07-057 ~
176383 HIGH MS07-058 ~
170907 HIGH MS07-046 ~
170906 HIGH MS07-045 ~
170904 HIGH MS07-043 ~
164915 HIGH MS07-035 ~
164913 HIGH MS07-033 ~
164911 HIGH MS07-031 ~
160623 HIGH MS07-027 ~
157262 HIGH MS07-022 ~
157261 HIGH MS07-021 ~
157260 HIGH MS07-020 ~
157259 HIGH MS07-019 ~
156477 HIGH MS07-017 ~
150253 HIGH MS07-016 ~
150249 HIGH MS07-013 ~
150248 HIGH MS07-012 ~
150247 HIGH MS07-011 ~
150243 HIGH MS07-008 ~
150242 HIGH MS07-007 ~
150241 MEDIUM MS07-006 ~
141034 HIGH MS06-076 ~
141033 MEDIUM MS06-075 ~
137571 HIGH MS06-070 ~
133387 MEDIUM MS06-065 ~
133386 MEDIUM MS06-064 ~
133385 MEDIUM MS06-063 ~
133379 HIGH MS06-057 ~
129977 MEDIUM MS06-053 ~
129976 MEDIUM MS06-052 ~
126093 HIGH MS06-051 ~
126092 MEDIUM MS06-050 ~
126087 HIGH MS06-046 ~
126086 MEDIUM MS06-045 ~
126082 HIGH MS06-041 ~
126081 HIGH MS06-040 ~
123421 HIGH MS06-036 ~
123420 HIGH MS06-035 ~
;===================================================================================================================================================================================

 

Hi
The registry key just does not want to go away lets try this.

• Download RegASSASSIN by malwarebytes.org from here
• Unzip/extract it to a folder on your desktop
• Double-click on RegASSASSIN.exe to start RegASSASSIN
• Copy and paste the below into the white box
  • 
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}
• Click Delete
• Answer Yes to any prompts

Now a another Panda scan.

Thanks
Geri

 

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-22 16:03:42
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1229 [VPS 080821-0] 4.8.1229 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@atdmt[1].txt
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe[C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe][SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023225.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@mediaplex[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@apmebf[1].txt
00214288 adware/quickbar Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
137571 HIGH MS06-070
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
;===================================================================================================================================================================================

 

Hi
OK, RRRR

Lets try it this way.

Click Start > Run in the run box copy and paste this in and click OK.

Code:

reg delete  "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} "

OK any prompts

Incase this doesn't work, how are you with deleting registry entries manually?

OK another Panda scan.

Thanks
Geri

 

Well I think its gone now! Here is the active scan log - sorry it took me so long:


;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-23 17:04:30
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1229 [VPS 080822-0] 4.8.1229 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@atdmt[1].txt
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe[C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023183.exe][SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{226D930D-2CEC-410C-9502-518B10E3E016}\RP91\A1023225.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@mediaplex[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Dokumente und Einstellungen\Home\Cookies\home@apmebf[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location 7<
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 7<
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 7<
184379 MEDIUM MS08-001 7<
182048 HIGH MS07-069 7<
182046 HIGH MS07-067 7<
182043 HIGH MS07-064 7<
179553 HIGH MS07-061 7<
176382 HIGH MS07-057 7<
176383 HIGH MS07-058 7<
170907 HIGH MS07-046 7<
170906 HIGH MS07-045 7<
170904 HIGH MS07-043 7<
164915 HIGH MS07-035 7<
164913 HIGH MS07-033 7<
164911 HIGH MS07-031 7<
160623 HIGH MS07-027 7<
157262 HIGH MS07-022 7<
157261 HIGH MS07-021 7<
157260 HIGH MS07-020 7<
157259 HIGH MS07-019 7<
156477 HIGH MS07-017 7<
150253 HIGH MS07-016 7<
150249 HIGH MS07-013 7<
150248 HIGH MS07-012 7<
150247 HIGH MS07-011 7<
150243 HIGH MS07-008 7<
150242 HIGH MS07-007 7<
150241 MEDIUM MS07-006 7<
141034 HIGH MS06-076 7<
141033 MEDIUM MS06-075 7<
137571 HIGH MS06-070 7<
133387 MEDIUM MS06-065 7<
133386 MEDIUM MS06-064 7<
133385 MEDIUM MS06-063 7<
133379 HIGH MS06-057 7<
129977 MEDIUM MS06-053 7<
129976 MEDIUM MS06-052 7<
126093 HIGH MS06-051 7<
126092 MEDIUM MS06-050 7<
126087 HIGH MS06-046 7<
126086 MEDIUM MS06-045 7<
126082 HIGH MS06-041 7<
126081 HIGH MS06-040 7<
123421 HIGH MS06-036 7<
123420 HIGH MS06-035 7<
;===================================================================================================================================================================================

 

Hi dogtag
OK Good.

That's OK, not your fault, sometimes these things just don't want to be deleted.

Ok you can delete RegASSASSIN.exe

We need to turn off and on system restore. There are infections in it and by using system restore you would reinfect yourself.

You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
Turning off System Restore will clear out all previous restore points.

To turn off Windows XP System Restore:
NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives. "
5. Click Apply, and then click OK
6. Make a new restore point.
7. Click Start, All Programs, Accessories, System Tools, System Restore.
Choose Create a restore point and clicked Next, Under “Type a description for your restore point…”put a name in the box,. Click Create. In the next window click Close.


You seem to be missing some Windows security Updates.
All these that are showing in the Panda scan under...
VULNERABILITIES
Id Severity Description
184380 MEDIUM MS08-002 7<
184379 MEDIUM MS08-001 7<
182048 HIGH MS07-069 7<
182046 HIGH MS07-067 7<
182043 HIGH MS07-064 7<

It is very important to keep these Windows updates updated.

Let me know how things are running.

Thanks
Geri

 

Thank you soo much for your help!! I have just completed th last step (system resote) and am downloading the latest windows updates. You guys are doing a great job! Everything seems to be working alright!
thanks again geri

 

Hi dogtag
OK that's good to hear.
You're welcome.

Please look at this link for some preventive recommendations, It could keep you from ending up back here to the Malware and Virus Removal Forums.
http://www.windowsbbs.com/showthread.php?t=67958

I'll mark this one resolved.

Surf Safely.
Geri