BullGuard Antivirus Forum > General Security > Spyware
TIBS C - I can't get rid of it!!!

Momma2Evan (New Member, joined Jun 2007, 9 posts)
Posted 6-23-2007 1:01 (GMT +1)
I'm sorry if this has already been asked.

I have the TIBS C showing up on my yahooantispy. It cannot remove it. I've looked and looked and I found the SDFix. I did that 2 times and neither time did it work. I found another option where you go in and delete certain files in safe mode. It says to delete file names kernels88 but I don't have that file. I have other kernels but with different numbers and I was afraid to delete anything that wasn't the exact name listed on the fix. None of the things I had matched the list but came close on some of them. I'm not sure what I'm doing wrong and I have NO idea how to get rid of this! I've done various spyware searches with different programs and each found it but none could take it off for me for some reason or another.

Is there any other way to get rid of this?
 

Touch (Forum Moderator, joined Jun 2004, 14325 posts)
Posted 6-23-2007 5:39 (GMT +1)
Hi Momma2Evan and welcome.

Click here -->> Before posting a log

After you have run the scan tools:

Reboot normally.

Post the AVG Anti-Spyware log along with the HijackThis log and rootchk log in this thread and tell how things are running.

Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
 

Momma2Evan (New Member, joined Jun 2007, 9 posts)
Posted 6-24-2007 4:06 (GMT +1)
Okay, I think I did this right. Here are the logs. I have gotten rid of all the spyware multiple times in safe mode with restore off but it all keeps coming back. And now I have music playing on my computer when I don't even have anything running!! It's very weird. I don't know why Tibs C show up on the AVG spyware but it shows up on the Yahoo antispyware. Well, here are the logs.
 
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 1:01:54 AM 6/24/2007
+ Scan result: 
C:\WINDOWS\xmlhelper.dll -> Adware.Agent : Ignored.
C:\WINDOWS\xmlhelper2.dll -> Adware.Agent : Ignored.
[3284] C:\WINDOWS\xmlhelper2.dll -> Adware.Agent : Ignored.
HKLM\SOFTWARE\Classes\ADM.ADM.1 -> Adware.Altnet : Ignored.
C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Ignored.
C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Ignored.
HKLM\SOFTWARE\Classes\LaunchInIE.Launch -> Adware.Ezula : Ignored.
HKLM\SOFTWARE\Classes\LaunchInIE.Launch.1 -> Adware.Ezula : Ignored.
HKLM\SOFTWARE\Classes\LaunchInIE.Launch\CLSID -> Adware.Ezula : Ignored.
HKLM\SOFTWARE\Classes\LaunchInIE.Launch\CurVer -> Adware.Ezula : Ignored.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007 -> Adware.RogueSuspect : Ignored.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data -> Adware.RogueSuspect : Ignored.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr -> Adware.RogueSuspect : Ignored.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode -> Adware.RogueSuspect : Ignored.
C:\Documents and Settings\Owner\Application Data\WinAntiSpyware 2007 -> Adware.RogueSuspect : Ignored.
C:\Documents and Settings\Owner\Application Data\WinAntiSpyware 2007\Logs -> Adware.RogueSuspect : Ignored.
C:\Documents and Settings\Owner\Application Data\WinAntiSpyware 2007\Logs\update.log -> Adware.RogueSuspect : Ignored.
C:\Program Files\SoftwareRevenue.org\2r_samba.exe -> Adware.Softomate : Ignored.
C:\WINDOWS\system32\mi1.exe -> Adware.Softomate : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> Adware.ZenoSearch : Ignored.
C:\WINDOWS\system32\S7\wr620.exe -> Downloader.Agent.bls : Ignored.
C:\Program Files\poolsv\wr-1-0000077.exe -> Downloader.Agent.brf : Ignored.
C:\Program Files\svhost\wr-1-0000077.exe -> Downloader.Agent.brf : Ignored.
C:\Program Files\poolsv\YazzleBundle-1549.exe -> Downloader.PurityScan.eg : Ignored.
C:\WINDOWS\system32\o09PrEz\o09PrEz1099.exe -> Downloader.VB.awj : Ignored.
C:\WINDOWS\system32\S4\wen2.exe -> Dropper.Agent.bfr : Ignored.
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt -> TrackingCookie.Revsci : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt -> TrackingCookie.Statcounter : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> TrackingCookie.Trafficmp : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored.
C:\VundoFix Backups\kvqccowb.exe.bad -> Trojan.Agent.anr : Ignored.
C:\WINDOWS\system32\launchinie.dll -> Trojan.Small : Ignored.
::Report end
 
SDFix: Version 1.88
Run by Owner on Fri 06/22/2007 at 06:56 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\MYDOCU~1\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Checking C:\WINDOWS
C:\WINDOWS
No streams found.
Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.
Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
 Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\bl4ck.com"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\bl4ck.com:*:ENABLED:0"
"C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exe:*:ENABLED:0"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\ASMonitor\\ASMonitor.exe"="C:\\Program Files\\ASMonitor\\ASMonitor.exe:*:Enabled:System"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os523.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os523.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\WINDOWS\\system32\\opslarxe.exe"="C:\\WINDOWS\\system32\\ops"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Listing Files with Hidden Attributes:
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\YahELite\Setup.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\WINDOWS\SoftwareDistribution\Download\d3226ed0a8904ae940c1794b1cd8b325\BIT7.tmp
Listing User Accounts:
Administrator            ASPNET                   Guest                   
HelpAssistant            Owner                    SUPPORT_388945a0        
SUPPORT_fddfa904        

                                 Finished
 

Touch (Forum Moderator, joined Jun 2004, 14325 posts)
Posted 6-25-2007 7:32 (GMT +1)
Post the rootchk and HijackThis logs.


 

Momma2Evan (New Member, joined Jun 2007, 9 posts)
Posted 6-25-2007 3:56 (GMT +1)
Sorry for being such a pain!! I'm not very computer literate (obviously). I think I have it right now. I hope :) I've saved all my important stuff. I've had various people, including my computer guy, tell me that I will have to wipe my computer. But I really don't want to do that! You all are my last resort. I really appreciate this!



Logfile of HijackThis v1.99.1
Scan saved at 10:49:51 AM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\monitorbk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\My Documents\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {59DDCA7F-5B39-42FC-99DD-27F05EE8A20D} - C:\Program Files\Online Services\hoken83122.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E3943A24-2F83-4505-9AE5-F705E81B50CB} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1055_XP.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkhfgg - jkkhfgg.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\opslarxe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



********************************* ROOTCHK-(21-06-07)-LOG, by ejvindh
Mon 06/25/2007 10:54:02.79

Driver nm (visible) is present. Run COMBOFIX by sUBs.

********************************* ROOTCHK-LOG-end
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 10:54:03
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
hidden processes: 0
hidden services: 0
hidden files: 0
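A small triage pass over HijackThis entries like the ones in the log above, added here as an example; it is not HijackThis's own code or anything posted in the thread. It flags the kinds of lines a helper looks for by eye: entries marked "(file missing)", services with an unknown owner, browser helper objects with no name, ActiveX controls loaded from a local file, search settings on an untrusted host, autostart executables in odd folders, and process names one edit away from a genuine Windows binary. The trusted-host and genuine-binary allowlists are assumptions for this illustration; the sample lines are copied from the posted log.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {59DDCA7F-5B39-42FC-99DD-27F05EE8A20D} - C:\Program Files\Online Services\hoken83122.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - Winlogon Notify: jkkhfgg - jkkhfgg.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\opslarxe.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed allowlists, not taken from the page: hosts that may legitimately own the
# IE search/start settings on this HP machine, and genuine Windows binaries whose
# names malware imitates with a one-character change (poolsv vs spoolsv, svhost vs svchost).
TRUSTED_URL_HOSTS = ("microsoft.com", "yahoo.com", "hp.com")
SYSTEM_BINARIES = ("svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "smss.exe", "explorer.exe")

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|com|cab)\b", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the genuine binary that `name` imitates (exactly one edit away), or None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None  # the real thing, not an imitation
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) == 1:
            return real
    return None


def trusted_host(host):
    """True when `host` is one of the trusted domains or a subdomain of one."""
    return host is not None and any(
        host == t or host.endswith("." + t) for t in TRUSTED_URL_HOSTS)


def triage(log_text):
    """Run every heuristic over each HijackThis entry; return (section, reason, line) hits."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines and the "Running processes" block
        section, body = m.group(1), m.group(2)
        line = raw.strip()
        if "(file missing)" in body:
            findings.append((section, "registered component whose file is gone", line))
        if section == "O2" and "(no name)" in body:
            findings.append((section, "browser helper object with no display name", line))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no vendor information", line))
        if section == "O16" and "file://" in body.lower():
            findings.append((section, "ActiveX control registered from a local file", line))
        if section in ("R0", "R1"):
            url = re.search(r"=\s*(\S+)$", body)
            host = urlparse(url.group(1)).hostname if url else None
            if not trusted_host(host):
                findings.append((section, f"IE setting points at untrusted host {host}", line))
        for path in PATH_RE.findall(body):
            folder, name = path.lower().rsplit("\\", 1)
            real = lookalike(name)
            if real:
                findings.append((section, f"{name} imitates the Windows binary {real}", line))
            # Autostart entries normally live in system32 or Program Files, not in the
            # Windows root, a Temp folder or a user profile.
            if section == "O4" and (folder == "c:\\windows" or "\\temp" in folder
                                    or "\\documents and settings" in folder):
                findings.append((section, "autostart executable in an unusual folder", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample above the pass reports nine findings, and the two NVIDIA/QuickTime lines come through clean; the heuristics are a first filter for a human reader, not a verdict.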
 

Touch (Forum Moderator, joined Jun 2004, 14325 posts)
Posted 6-25-2007 4:50 (GMT +1)
No need to wipe the computer, you are doing fine.

Next step is a scan with ComboFix. There will be some more scans after that; don't worry, we'll take one step at a time.

Please download ComboFix:
download.bleepingcomputer.com/sUBs/ComboFix.exe
and save it to the desktop.

1. Double click on combo.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt.

3. Post the contents of that log in your next reply with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window while it is running. That may cause your system to stall/hang.


 

Momma2Evan (New Member, joined Jun 2007, 9 posts)
Posted 6-25-2007 6:28 (GMT +1)
"Owner" - 2007-06-25 13:19:19 - ComboFix 07-06-25.3 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\Owner\APPLIC~1.\ppatch~1
C:\DOCUME~1\Owner\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\Owner\APPLIC~1.\winantispyware 2007 free
C:\DOCUME~1\Owner\APPLIC~1.\winantispyware 2007 free\DownloadUWAS7.url
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\dobe~1
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\svhost
C:\Program Files\Windows NT\profsyvyq.html
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S2\mwspasrt83122.exe
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\win
C:\WINDOWS\system32\ystem3~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_GB
-------\DomainService
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-25 13:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 10:40 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-24 03:08 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-24 01:57 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-24 01:57 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-06-23 22:06 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-22 18:15 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-22 17:38 <DIR> d-------- C:\VIRUSfighter
2007-06-22 13:57 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-22 12:38 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-06-22 12:13 <DIR> d-------- C:\VundoFix Backups
2007-06-22 09:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-06-22 08:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-22 08:27 <DIR> d-------- C:\WINDOWS\Profiles
2007-06-22 08:27 <DIR> d-------- C:\WINDOWS\LastGood(2)
2007-06-22 08:27 <DIR> d-------- C:\WINDOWS\EHome
2007-06-22 08:27 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-06-22 08:27 <DIR> d-------- C:\WINDOWS\backup
2007-06-22 08:27 <DIR> d-------- C:\WINDOWS\aod
2007-06-22 08:27 <DIR> d-------- C:\WINDOWS\addins
2007-06-22 08:27 <DIR> d-------- C:\sysprep
2007-06-22 08:27 <DIR> d-------- C:\Python22
2007-06-22 08:27 <DIR> d-------- C:\Program Files\WinMX Music
2007-06-22 08:27 <DIR> d-------- C:\Program Files\SoftwareRevenue.org
2007-06-22 08:27 <DIR> d-------- C:\Program Files\MySpace
2007-06-22 08:27 <DIR> d-------- C:\Program Files\Mindscape
2007-06-22 08:27 <DIR> d-------- C:\Program Files\Microsoft Games
2007-06-22 08:27 <DIR> d-------- C:\DOCUME~1\Owner\jmeeting
2007-06-22 08:27 <DIR> d-------- C:\DOCUME~1\Owner\.limewire
2007-06-22 08:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-06-22 08:26 <DIR> d--hs---- C:\DOCUME~1\Owner\UserData
2007-06-22 08:26 <DIR> d-------- C:\ViaVoice
2007-06-22 08:26 <DIR> d-------- C:\UniScan
2007-06-22 08:26 <DIR> d-------- C:\Program Files\Messenger
2007-06-22 08:26 <DIR> d-------- C:\Program Files\LimeWire
2007-06-22 08:26 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-06-22 08:26 <DIR> d-------- C:\Program Files\InterMute
2007-06-22 08:26 <DIR> d-------- C:\Program Files\InterActual
2007-06-22 08:26 <DIR> d-------- C:\Program Files\Infogrames Interactive
2007-06-22 08:26 <DIR> d-------- C:\Program Files\Infogrames
2007-06-22 08:26 <DIR> d-------- C:\Program Files\Google
2007-06-22 08:26 <DIR> d-------- C:\My Downloads
2007-06-22 08:26 <DIR> d-------- C:\Maxis
2007-06-22 08:26 <DIR> d-------- C:\KPCMS
2007-06-22 08:26 <DIR> d-------- C:\Incomplete
2007-06-22 08:26 <DIR> d-------- C:\Downloads
2007-06-21 21:44 <DIR> d-------- C:\Temp
2007-06-21 14:44 195 --a------ C:\WINDOWS\system32\qviexio3.dat
2007-06-21 13:02 <DIR> d-------- C:\DOCUME~1\Owner\UserData(2)
2007-06-21 10:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-21 09:12 6,553,600 --a------ C:\DOCUME~1\Owner\ntuser.dat
2007-06-21 07:34 1,825,866 ---hs---- C:\WINDOWS\system32\rstwa.bak2
2007-06-21 07:24 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-20 15:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-07 19:17 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MySpace
2007-06-06 19:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 18:21:13 -------- d-----w C:\Program Files\Windows NT
2007-06-22 22:38:23 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 16:57:32 -------- d-----w C:\Program Files\YahELite
2007-06-22 16:46:46 -------- d-----w C:\Program Files\Common Files\Scanner
2007-06-22 16:46:39 -------- d-----w C:\Program Files\Yahoo!
2007-06-22 13:27:25 -------- d-----w C:\Program Files\CyberLink
2007-06-22 04:20:14 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-06-21 16:42:47 -------- d-----w C:\Program Files\Online Services
2007-06-08 13:41:48 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-05-16 15:12:02 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-27 06:43:46 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-05-30 16:18]
{59DDCA7F-5B39-42FC-99DD-27F05EE8A20D}=C:\Program Files\Online Services\hoken83122.dll [2007-06-18 13:59]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 12:22]
{85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xmlhelper2.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 12:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows NT\profsyvyq.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhfgg]
jkkhfgg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^2Wire Wireless Client Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2Wire Wireless Client Manager.lnk
backup=C:\WINDOWS\pss\2Wire Wireless Client Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
ndows_NTAUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
C:\WINDOWS\cfg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\rwinpndt.exe SKY003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\pdlqbwdd.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
"C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mjrdbqic]
C:\Program Files\Ehhkj\Wtkxnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
"C:\WINDOWS\poolsv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svhost]
"C:\WINDOWS\svhost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syswin]
C:\WINDOWS\v6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zvùõš/‚²‘ÆßfÏNb‰»9C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zvùõš/‚²‘ÆßfÏNb‰»9C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zvùõš/‚²‘ÆßfÏNb‰»9C:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zvùõš/‚²‘ÆßfÏNb‰»9C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\kbdtixe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{06-6E-EB-BD-ZN}]
C:\windows\system32\modsregk.exe SKY003


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun.exe


Contents of the 'Scheduled Tasks' folder
2007-06-25 05:00:00 C:\WINDOWS\tasks\At1.job
2007-06-25 14:00:00 C:\WINDOWS\tasks\At10.job
2007-06-25 15:00:00 C:\WINDOWS\tasks\At11.job
2007-06-25 16:00:00 C:\WINDOWS\tasks\At12.job
2007-06-25 17:00:00 C:\WINDOWS\tasks\At13.job
2007-06-25 18:00:00 C:\WINDOWS\tasks\At14.job
2007-06-24 19:00:00 C:\WINDOWS\tasks\At15.job
2007-06-24 20:00:00 C:\WINDOWS\tasks\At16.job
2007-06-24 21:00:00 C:\WINDOWS\tasks\At17.job
2007-06-24 22:00:00 C:\WINDOWS\tasks\At18.job
2007-06-24 23:00:00 C:\WINDOWS\tasks\At19.job
2007-06-25 06:00:00 C:\WINDOWS\tasks\At2.job
2007-06-25 00:00:00 C:\WINDOWS\tasks\At20.job
2007-06-25 01:00:00 C:\WINDOWS\tasks\At21.job
2007-06-25 02:00:00 C:\WINDOWS\tasks\At22.job
2007-06-25 03:00:00 C:\WINDOWS\tasks\At23.job
2007-06-25 04:00:00 C:\WINDOWS\tasks\At24.job
2007-06-25 07:00:00 C:\WINDOWS\tasks\At3.job
2007-06-25 08:00:00 C:\WINDOWS\tasks\At4.job
2007-06-25 09:00:00 C:\WINDOWS\tasks\At5.job
2007-06-25 10:00:00 C:\WINDOWS\tasks\At6.job
2007-06-25 11:00:00 C:\WINDOWS\tasks\At7.job
2007-06-25 12:00:00 C:\WINDOWS\tasks\At8.job
2007-06-25 13:00:00 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 13:23:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 13:25:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-25 13:25

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 1:29:13 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {59DDCA7F-5B39-42FC-99DD-27F05EE8A20D} - C:\Program Files\Online Services\hoken83122.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E3943A24-2F83-4505-9AE5-F705E81B50CB} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1055_XP.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkhfgg - jkkhfgg.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
 
Posted 6-26-2007 6:20 (GMT +1)
Please download the free trial of Superantispyware.
 
Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it.)
Close the program.
 
Download and install DrWebCureit to your desktop.
 
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {59DDCA7F-5B39-42FC-99DD-27F05EE8A20D} - C:\Program Files\Online Services\hoken83122.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll (file missing)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - Winlogon Notify: jkkhfgg - jkkhfgg.dll (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
 
 
Please print out or copy this page to Notepad, as you will be in Safe Mode and unable to refer to this page.
 
Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found, as they may have been automatically removed by actions I had you take earlier in the cleaning process.
 
Open Folder Options in Control Panel > View and check your settings:
Select:
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Delete:
Files:
C:\Program Files\Online Services\hoken83122.dll
 
Double-click "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done"
click on the green screwdriver.
Actions Tab - Adware - Dialers - Riskware - Hacktools: use the dropdown menu and select Delete.
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.
 
After the scan, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
 
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
 
Start Superantispyware / right-click on the black/yellow bug in the tray.
Hit the "Scan Your Computer" button.
Click on the drive(s) you want to scan. Put a check in "Perform Complete Scan", then Next;
it will scan now. When the scan has finished, put a checkmark beside all items it found. Next, after cleaning, allow it to reboot.
 
Start Superantispyware again:
Click Preferences and then click the Statistics/Logs tab.
Click the dated log and press View Log, and a text file will appear.
 
Post this log along with a fresh HijackThis log and the Dr.Web log, and tell how things are running?
 
Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
 

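The fix list above is the result of a first-pass triage of the HijackThis log: orphaned entries, unnamed BHOs, an unexpected search URL, a local ActiveX source and a bare Winlogon Notify DLL. The following is an added example (not code from the thread, from HijackThis or from the forum) that makes that pass repeatable over HijackThis v1.99 log text; the SEARCH_ALLOWLIST set, the function names and the review reasons are assumptions of the example, and its sample lines are copied from the logs posted in this thread.

```python
"""Triage of HijackThis v1.99 log lines (added example for this thread).

Flags entries whose target file is gone ("(file missing)" / "(no file)"),
BHOs registered without a name, R0/R1 search or start-page URLs on hosts
outside an allowlist, O16 ActiveX objects loaded from a local file:// path,
and O20 Winlogon Notify DLLs listed without a directory. Flagged lines are
prompts for review, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# A log entry is "<R|O><n> - <body>"; process-list lines and headers do not match.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}", re.I)

# Hosts accepted as legitimate defaults for R0/R1 entries (assumption for this example).
SEARCH_ALLOWLIST = {"go.microsoft.com", "www.yahoo.com"}


@dataclass
class Entry:
    kind: str                      # e.g. "O2"
    body: str                      # everything after "O2 - "
    clsid: Optional[str]           # first {GUID} in the body, upper-cased, if any
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Return the R*/O* entries of a HijackThis log, ignoring everything else."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(m.group("kind"), body, c.group(0).upper() if c else None))
    return entries


def _value_host(body: str) -> Optional[str]:
    """Host of the URL on the right of ' = ' in an R0/R1 body, or None."""
    if " = " not in body:
        return None
    url = body.split(" = ", 1)[1].strip()
    host = urlparse(url).hostname      # for "a/*http://b" forms this is the first host
    return host.lower() if host else None


def triage(entries: List[Entry], allowlist=SEARCH_ALLOWLIST) -> List[Entry]:
    """Attach review reasons to each entry and return only the flagged ones."""
    for e in entries:
        reasons = []
        if "(file missing)" in e.body or "(no file)" in e.body:
            reasons.append("references a file that no longer exists")
        if e.kind == "O2" and "(no name)" in e.body:
            reasons.append("BHO registered without a name")
        if e.kind in ("R0", "R1"):
            host = _value_host(e.body)
            if host and host not in allowlist:
                reasons.append(f"search/start page set to {host} (not on allowlist)")
        if e.kind == "O16" and "file://" in e.body.lower():
            reasons.append("ActiveX object sourced from a local file:// path")
        if e.kind == "O20":
            # "Winlogon Notify: <name> - <dll>"; a bare file name means no directory given
            dll = e.body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            if "\\" not in dll:
                reasons.append("Winlogon Notify DLL listed without a directory")
        e.reasons = reasons
    return [e for e in entries if e.reasons]


# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {59DDCA7F-5B39-42FC-99DD-27F05EE8A20D} - C:\Program Files\Online Services\hoken83122.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkhfgg - jkkhfgg.dll (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.kind}: {e.body[:70]}")
        for r in e.reasons:
            print(f"    - {r}")
```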
 

Momma2Evan
New Member


Date Joined Jun 2007
Total Posts : 9
 
Posted 6-26-2007 6:36 (GMT +1)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/26/2007 at 12:58 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:46:42

Memory items scanned : 171
Memory threats detected : 0
Registry items scanned : 5998
Registry threats detected : 30
File items scanned : 38746
File threats detected : 102

AdwareFilter Toolbar
HKLM\Software\Classes\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}
HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}
HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}
HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\InprocServer32
HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\InprocServer32#ThreadingModel
HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\ProgID
HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\Programmable
HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\TypeLib
HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\VersionIndependentProgID
C:\PROGRAM FILES\ADWAREFILTERTOOLBAR\ADWAREFILTER.DLL
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{1028F737-81E7-452B-A860-E50CAD90A08C}
HKCR\AdwareFilter.AdwareFilterToolBar.1
HKCR\AdwareFilter.AdwareFilterToolBar.1\CLSID
HKCR\AdwareFilter.AdwareFilterToolBar
HKCR\AdwareFilter.AdwareFilterToolBar\CLSID
HKCR\AdwareFilter.AdwareFilterToolBar\CurVer
HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}
HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0
HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0\0
HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0\0\win32
HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0\FLAGS
HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0\HELPDIR

Adware.k8l
C:\PROGRAM FILES\WINDOWS NT\PROFSYVYQ.HTML
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#Source
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#SubscribedURL
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#FriendlyName
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#Flags
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#Position
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#CurrentState
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#OriginalStateInfo
HKU\S-1-5-21-3431314084-3304976700-517204731-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#RestoredStateInfo

Adware.Tracking Cookie
Adware.RAC
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KAX36RB7\ACDT-PID67N.EXE



Logfile of HijackThis v1.99.1
Scan saved at 1:08:41 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\Y