Well, I've run the usual battery of anti-spyware and the like (Spybot S&D, Ad-aware, AVG anti-virus) to no avail. I keep having issues seeing winantiviruspro stuff popping up and being picked up by ad-aware adn spybot, supposedly eliminated, then back the next time I run the programs. Here's my HJT log. Logfile of HijackThis v1.99.1 Scan saved at 7:55:17 AM, on 7/11/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\ljjklmn.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141367120593 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: ljjklmn - C:\WINDOWS\SYSTEM32\ljjklmn.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: furnariidae - {89e4aaba-3b21-49b3-b922-8ca35193c68e} - C:\WINDOWS\system32\zlara.dll (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Ok you got some infections... Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip Unzip it (folder named SmitFraudFix) to your desktop: Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist) Post the contents of this textfile to here. (Some antiviruses recognises process.exe as a malware. It is not malware, it is a program that stops processes)
Alrighty, I ran that program, here are the text file contents. And before I forget - thanks for helping me with this, it's very much appreciated. SmitFraudFix v2.69 Scan done at 13:16:46.64, Tue 07/11/2006 Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\ld???.tmp FOUND ! C:\WINDOWS\system32\ld????.tmp FOUND ! C:\WINDOWS\system32\ot.ico FOUND ! C:\WINDOWS\system32\regperf.exe FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1 C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1] "Source"="http://www.epicrockradio.com/playing.php" "SubscribedURL"="http://www.epicrockradio.com/playing.php" "FriendlyName"="Epic Rock Radio" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2] "Source"="http://www.epicrockradio.com/mini.php" "SubscribedURL"="http://www.epicrockradio.com/mini.php" "FriendlyName"="" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End
Ok, lets get you cleaned You don't have a firewall on your computer. Download and install one firewall. These are good (free) firewalls: ZoneAlarm --> http://www.zonelabs.com Kerio--> http://www.sunbelt-software.com/Kerio.cfm Outpost-> http://www.agnitum.com If you used windows firewall, disable it after installing new firewall. Ok, you got some infections on your computer.... Cleaning instructions: Disable Spybot S&D's Teatimer and Ewido's guard before the cleaning because they may hinder the cleaning process, instructions -> http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1 Do NOT run yet. -> Open Ewido Anti-Spyware -> Click the Update icon at the top of the window -> Click the Start update button -> Wait for the update to download and install -> Quit the program, we'll use this later. Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4 * Double-click VundoFix.exe to run it. * Put a check next to Run VundoFix as a task. * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK * When VundoFix re-opens, click the Scan for Vundo button. * Once it's done scanning, click the Remove Vundo button. * You will receive a prompt asking if you want to remove the files, click YES * Once you click yes, your desktop will go blank as it starts removing Vundo. * When completed, it will prompt that it will shutdown your computer, click OK. * Turn your computer back on Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\ljjklmn.dll O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - O20 - Winlogon Notify: ljjklmn - C:\WINDOWS\SYSTEM32\ljjklmn.dll O21 - SSODL: furnariidae - {89e4aaba-3b21-49b3-b922-8ca35193c68e} - C:\WINDOWS\system32\zlara.dll (file missing) Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml Run ATF Cleaner -> Check select all -> Press Empty selected When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files. You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys. The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter". The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode. A textfile will appear after the cleaning process, copy this file and paste it to here. Tha log is saved to your local diskdrive, usually C:\rapport.txt. Warning : Running option 2 in a clean computer will delete your desktop wallpaper. -> Open Ewido Anti-Spyware -> Click the Scanner icon at the top of the window -> Click the Settings tab then select Recommended Options and choose Quarantine -> Click the Scan tab -> Select Complete System Scan. The scanning begins. -> When the scan has completed: -> If infections were found you'll be prompted about what to do. -> Please make sure that the Set all elements to is set to Quarantine (in downleft corner of the window) -> Then press Apply all actions and answer yes to all if it asks about something -> Click on the Save Scan Report button and save the scan to your Desktop. -> Copy and paste the scan results into your next post Post the following logs to here: -> a fresh HijackThis log -> Ewido's log -> contents of C:\Rapport.txt -> contents of C:\vundofix.txt
Okay, I have a new log file from HijackThis, an ewido log, and the rapport text - I do not have a vundo log as the program for it didn't print out a log and instead froze and the crashed after it was supposed to shut down the computer. here is the rapport log first, followed by the ewido and HJT log last. SmitFraudFix v2.69 Scan done at 14:40:20.92, Wed 07/12/2006 Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\system32\ld???.tmp Deleted C:\WINDOWS\system32\ot.ico Deleted C:\WINDOWS\system32\regperf.exe Deleted C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End --------------------------------------------------------- ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 3:33:39 PM 7/12/2006 + Scan result: C:\VundoFix Backups\ljjklmn.dll -> Adware.Virtumonde : Cleaned with backup (quarantined). :mozilla.104:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). :mozilla.105:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). :mozilla.50:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). :mozilla.98:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\Not owner\Cookies\not owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). :mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined). :mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined). :mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined). :mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined). :mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined). :mozilla.53:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). :mozilla.54:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). :mozilla.55:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). :mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). :mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). :mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). :mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). :mozilla.15:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined). :mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined). :mozilla.76:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined). :mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). :mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). :mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). :mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). :mozilla.80:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). :mozilla.81:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). :mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). :mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). :mozilla.16:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined). :mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined). :mozilla.10:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\Not owner\Cookies\not owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined). :mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.59:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.60:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.61:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.62:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.37:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.38:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.39:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.40:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.41:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.640:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y5k4a7tu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.133:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined). :mozilla.134:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined). :mozilla.135:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined). :mozilla.136:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined). :mozilla.121:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). :mozilla.97:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined). :mozilla.43:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). :mozilla.44:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). :mozilla.45:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). :mozilla.46:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). :mozilla.47:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). :mozilla.102:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined). :mozilla.74:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). :mozilla.75:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). :mozilla.100:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). :mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). :mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). :mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). :mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). :mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). :mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). :mozilla.99:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). :mozilla.144:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). :mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). :mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). :mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). :mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). :mozilla.119:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). :mozilla.120:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). :mozilla.63:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). :mozilla.64:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). :mozilla.65:C:\Documents and Settings\Not owner\Application Data\Mozilla\Firefox\Profiles\szzdqh7t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\Not owner\Cookies\not owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). :mozilla.122:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined). :mozilla.123:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined). :mozilla.124:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zvl8vapr.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined). ::Report end Logfile of HijackThis v1.99.1 Scan saved at 3:37:32 PM, on 7/12/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {E866A250-49B5-4B45-9481-BAC6C2528F25} - C:\WINDOWS\system32\mljgg.dll (file missing) O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141367120593 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Ok we'll have to use a stronger tool.... 1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to desktop 2. Copy all text in quote box below to Notepad (starting from Files to delete Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system 3. Now, open The Avenger ->"Below Script file to execute" select "Input Script Manually". ->Now click magnifying glass which opens a new window "View/edit script". -> Paste the text you earlier copied to Notepad here -> Click Done. -> Now click green light in order to start script. -> Click "Yes" . 4.Avenger will do the following -> Reboot your computer. -> While booting, it will open a dos prompt, it's normal -> After reboot it will create a logfile which should open . This log is in C:\avenger.txt -> Avenger has created a backup here -> C:\avenger\backup.zip. 5. Fix this entry with HijackThis and do a reboot: O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\ljjklmn.dll 6. Copy/paste contents of avenger.txt along with a fresh HjT-log.
When I went to run HjT after I ran Avenger, I could not find the entry that you instructed me to fix. Here is the Avenger log and the HjT log. Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\lpqplkqy ******************* Script file located at: \??\C:\Program Files\yeydmvef.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\ggjlm.dll not found! Deletion of file C:\WINDOWS\system32\ggjlm.dll failed! Could not process line: C:\WINDOWS\system32\ggjlm.dll Status: 0xc0000034 File C:\WINDOWS\system32\ggjlm.tmp not found! Deletion of file C:\WINDOWS\system32\ggjlm.tmp failed! Could not process line: C:\WINDOWS\system32\ggjlm.tmp Status: 0xc0000034 File C:\WINDOWS\system32\ggjlm.tmp1 not found! Deletion of file C:\WINDOWS\system32\ggjlm.tmp1 failed! Could not process line: C:\WINDOWS\system32\ggjlm.tmp1 Status: 0xc0000034 File C:\WINDOWS\system32\ggjlm.tmp2 not found! Deletion of file C:\WINDOWS\system32\ggjlm.tmp2 failed! Could not process line: C:\WINDOWS\system32\ggjlm.tmp2 Status: 0xc0000034 File C:\WINDOWS\system32\ggjlm.bak not found! Deletion of file C:\WINDOWS\system32\ggjlm.bak failed! Could not process line: C:\WINDOWS\system32\ggjlm.bak Status: 0xc0000034 File C:\WINDOWS\system32\ggjlm.bak1 not found! Deletion of file C:\WINDOWS\system32\ggjlm.bak1 failed! Could not process line: C:\WINDOWS\system32\ggjlm.bak1 Status: 0xc0000034 File C:\WINDOWS\system32\ggjlm.bak2 not found! Deletion of file C:\WINDOWS\system32\ggjlm.bak2 failed! Could not process line: C:\WINDOWS\system32\ggjlm.bak2 Status: 0xc0000034 File C:\WINDOWS\system32\ggjlm.ini not found! Deletion of file C:\WINDOWS\system32\ggjlm.ini failed! Could not process line: C:\WINDOWS\system32\ggjlm.ini Status: 0xc0000034 File C:\WINDOWS\system32\ggjlm.ini2 not found! Deletion of file C:\WINDOWS\system32\ggjlm.ini2 failed! Could not process line: C:\WINDOWS\system32\ggjlm.ini2 Status: 0xc0000034 File C:\WINDOWS\system32\mljgg.dll not found! Deletion of file C:\WINDOWS\system32\mljgg.dll failed! Could not process line: C:\WINDOWS\system32\mljgg.dll Status: 0xc0000034 File C:\WINDOWS\system32\mljgg.bak not found! Deletion of file C:\WINDOWS\system32\mljgg.bak failed! Could not process line: C:\WINDOWS\system32\mljgg.bak Status: 0xc0000034 File C:\WINDOWS\system32\mljgg..ini not found! Deletion of file C:\WINDOWS\system32\mljgg..ini failed! Could not process line: C:\WINDOWS\system32\mljgg..ini Status: 0xc0000034 Completed script processing. ******************* Finished! Terminate. Logfile of HijackThis v1.99.1 Scan saved at 1:46:26 PM, on 7/13/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {E866A250-49B5-4B45-9481-BAC6C2528F25} - C:\WINDOWS\system32\mljgg.dll (file missing) O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141367120 593 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Ok looks really good... There should be this one leftover entry in your HijackThis log, check again and fix it if found: O2 - BHO: (no name) - {E866A250-49B5-4B45-9481-BAC6C2528F25} - C:\WINDOWS\system32\mljgg.dll (file missing) Reboot and post a fresh HjT log to here.
Cool beans. On a slightly different subject, do you know how to set the Kerio Firewall to start on system start up? Currently I have to manually start it up. Here's my latest HjT log. Logfile of HijackThis v1.99.1 Scan saved at 3:33:24 PM, on 7/15/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\system32\taskmgr.exe C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141367120593 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Ok looks clean now You seem to be having two antiviruses running, AVG and ClamWin. You should uninstall one of these and leave only one. Go to Control Panel -> Add/Remove programs -> Remove AVG or ClamWin Now you can empty Ewidos Quarantine: -> Open Ewido -> Select "Infections" -> Click "Select all" -> Click "Remove finally" -> Close Ewido You should update your Java (old version has all kinds of vulnerabilities) 1. Click "Start"-> "Control panel" -> Double-click Java icon (coffee cup) 2. Move to "Update" tab and update Java by clicking "Update Now". After that do a restart. 3. If you can't make automatic update, get new version manually from here -> http://www.java.com/en/download/manual.jsp 4. After updating, uninstall the old Java (if found) from Add/Remove Programs, named as J2SE Runtime Environment 5.0 Update 6 Now that you're clean, here are some tips how to stay clean. -> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware. -> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning. -> Use CCleaner -> http://www.ccleaner.com Download and install CCleaner. Clean your registry and temporary files with it regularly. -> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48 Download and install Ad-Aware. Update it and scan your computer regularly with it. -> Use Ewido -> http://www.ewido.net/en Download and install Ewido. Update it and scan your computer regularly with it. -> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html SpywareBlaster will prevent spyware from being installed to your computer. -> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm This prevents your computer from connecting to harmful sites. -> Change your browser to Firefox -> http://www.mozilla.org Firefox is faster, safer and quicker browser than Internet Explorer. -> Keep your systen up-to-date -> http://windowsupdate.microsoft.com Visit Windows Update regularly. -> Keep your antivirus and firewall up-to-date Scan your computer regularly with your antivirus. -> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html So how did I get infected in the first place? Stay clean Are you absolutely sure that Kerio won't start automatically ? It takes some time from Kerio to load at the startup, are you sure that you've waited enough?
Sir, you have been a lifesaver – I don’t know what I would have done without your help. About the firewall - turns out I'm just impatient, it starts fine. All of this started when a "friend" of mine came over, jumped on my computer, and started to engage in some "improprieties." Things like this make me all the more paranoid about letting anyone near my computer. Thanks again for all your help!!
