Gio Takahashi Posted December 25, 2007 ID:11194 Share Posted December 25, 2007 Well this came a as a nice christmas gift on my mother's computer. You probably know the drill: "This worm has been detected on the computer, install this spyware to remove it." It came in several forms. popup balloons, alert messenger, and nonstop browser madness.I spent several hours attempting to remove this only to find that my efforts are for naught. While I'm not exactly sure what logs I need to post, I ran a few software and gathered information. I'll post the information when requested.Thanks for taking the time to help me out.Okay. I found the thread. Not sure how I missed this. while I haven't done AVG spyware scan yet, I have the HijackThis log. Sort of. I used Deckard's System Scanner.Here it is:Deckard's System Scanner v20071014.68Run by Gigondas on 2007-12-25 17:00:24Computer is in Normal Mode.---------------------------------------------------------------------------------- System Restore --------------------------------------------------------------Successfully created a Deckard's System Scanner Restore Point.-- Last 5 Restore Point(s) --69: 2007-12-25 22:00:34 UTC - RP559 - Deckard's System Scanner Restore Point68: 2007-12-25 18:56:49 UTC - RP558 - Ad-Aware Restore Point 2007-12-25 13:56:4667: 2007-12-25 18:15:39 UTC - RP557 - Printer Driver HP Photosmart 2600 series fax Installed66: 2007-12-25 18:15:10 UTC - RP556 - Printer Driver HP Photosmart 2600 series fax Installed65: 2007-12-25 17:59:09 UTC - RP555 - Printer Driver HP Photosmart 2600 series fax Installed-- First Restore Point -- 1: 2007-09-26 17:35:39 UTC - RP491 - System CheckpointBacked up registry hives.Performed disk cleanup.-- HijackThis (run as Gigondas.exe) --------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:06:48 PM, on 12/25/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16574)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\PROGRA~1\Grisoft\AVG7\avgemc.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ScsiAccess.EXEC:\WINDOWS\system32\svchost.exeC:\Program Files\RealVNC\VNC4\WinVNC4.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Java\jre1.5.0_06\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Google\Gmail Notifier\gnotify.exeC:\Program Files\Belkin\F5D9050\Belkinwcui.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Motherboard Monitor 5\MBM5.EXEC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\Nero\data\Xtras\mssysmgr.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeC:\Program Files\HP\hpcoretech\comp\hptskmgr.exeC:\Program Files\Motherboard Monitor 5\DLL\display.dllC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\PROGRA~1\Mozilla Firefox\firefox.exeC:\Program Files\Java\jre1.5.0_06\bin\jucheck.exeC:\WINDOWS\hh.exeC:\Documents and Settings\Gigondas.NUME\Application Data\Smilebox\SmileboxTray.exeC:\Documents and Settings\Gigondas.NUME\Desktop\dss.exeC:\PROGRA~1\TRENDM~1\HIJACK~1\Gigondas.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhostR3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dllR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllR3 - URLSearchHook: (no name) - - (no file)O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dllO2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLLO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dllO2 - BHO: ALOT Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dllO2 - BHO: BDEX System - {83CDEF6B-98D2-4C60-84FC-00C44606A4F8} - C:\WINDOWS\domnftwpto.dll (file missing)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dllO3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLLO3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: (no name) - {1962c5bc-e475-465b-823b-133e711bceb9} - (no file)O3 - Toolbar: ALOT Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dllO3 - Toolbar: The emlkdvo - {940EBD8D-A3B7-44F9-A850-F60E76BE3B22} - C:\WINDOWS\emlkdvo.dllO4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exeO4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\Gigondas.NUME\Application Data\Smilebox\SmileboxTray.exe"O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeO4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exeO8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.htmlO8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.htmlO8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.htmlO8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.htmlO8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.htmlO8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htmO8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dllO9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrab...rabblecubes.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLLO20 - AppInit_DLLs: WIKI.DLLO21 - SSODL: alxvdvm - {110030A8-993B-4FBB-A63C-AE37A5416CFD} - C:\WINDOWS\alxvdvm.dll (file missing)O21 - SSODL: bvtqfvx - {2A2A258C-959C-4F6C-8D8F-DA0E558D62E1} - C:\WINDOWS\bvtqfvx.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exeO23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXEO23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe--End of file - 12016 bytes-- File Associations -----------------------------------------------------------All associations okay.-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------R1 EABFiltr - c:\windows\system32\drivers\eabfiltr.sys <Not Verified; Compaq Computer Corp.; Easy Access Button Utility>R1 mbmiodrvr - c:\windows\system32\mbmiodrvr.sys <Not Verified; cansoft@livewiredev.com; Windows ® 2000 DDK driver>R1 SysTool (SysTool Overclocking Utility) - c:\windows\system32\drivers\systool.sys <Not Verified; ; Low-Level Driver>R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\program files\belkin\f5d9050\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>R3 KKW_HID (Kensington HIDClass Filter Driver) - c:\windows\system32\drivers\kkw_hid.sys <Not Verified; Kensington Technology Group; KKW>S3 cg - c:\documents and settings\gigondas.nume\local settings\temp\cg-ics952618\cg.sys (file missing)S3 cmuda (C-Media WDM Audio Interface) - c:\windows\system32\drivers\cmuda.sys (file missing)S3 cpuz - c:\program files\cpuz\cpuz.sys (file missing)S3 eabusb - c:\windows\system32\drivers\eabusb.sys <Not Verified; Compaq Computer Corp.; Easy Access Button Utility>-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------R2 ScsiAccess - c:\windows\system32\scsiaccess.exe-- Device Manager: Disabled ----------------------------------------------------Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}Description: Realtek RTL8139/810x Family Fast Ethernet NICDevice ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&1F7DBC9F&0&48F0Manufacturer: Realtek Semiconductor Corp.Name: Realtek RTL8139/810x Family Fast Ethernet NICPNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&1F7DBC9F&0&48F0Service: RTL8023-- Files created between 2007-11-25 and 2007-12-25 -----------------------------2007-12-25 17:04:10 0 d-------- C:\Program Files\Trend Micro2007-12-25 16:54:46 0 d-------- C:\Zonedout2007-12-25 16:50:42 0 d-------- C:\ie-spyad_zo2007-12-25 16:49:21 0 d-------- C:\Program Files\SpywareBlaster2007-12-25 14:22:00 0 d-------- C:\WINDOWS\system32\ActiveScan2007-12-25 14:21:58 0 d-------- C:\WINDOWS\LastGood2007-12-25 13:16:44 0 d-------- C:\Documents and Settings\Gigondas.NUME\Application Data\HP2007-12-25 13:03:44 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WEBREG2007-12-25 12:51:55 0 d-------- C:\Documents and Settings\Gigondas.NUME\Application Data\HPAppData2007-12-25 12:50:28 0 d-------- C:\Program Files\Lavasoft2007-12-25 12:50:28 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft2007-12-25 12:39:15 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\HPSSUPPLY2007-12-25 12:36:24 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\HP Product Assistant2007-12-25 12:36:23 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\HP2007-12-25 12:26:00 8138 -----n--- C:\WINDOWS\hpomdl21.dat2007-12-25 12:26:00 147629 --a------ C:\WINDOWS\hpoins21.dat2007-12-25 10:07:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy2007-12-24 22:34:54 0 d-------- C:\Program Files\Smilebox2007-12-24 22:27:27 86016 --a------ C:\WINDOWS\fvkwdrt.exe2007-12-24 22:27:27 172032 --a------ C:\WINDOWS\emlkdvo.dll <Not Verified; ; emlkdvo Module>2007-12-24 22:27:27 221184 --a------ C:\WINDOWS\bvtqfvx.dll2007-12-24 22:24:41 0 d-------- C:\Documents and Settings\Gigondas.NUME\Application Data\Smilebox2007-12-23 19:35:15 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MythPeople2007-12-22 16:49:47 0 d-------- C:\Program Files\InterActual2007-12-11 13:24:28 0 d-------- C:\Program Files\Mystery Case Files - Madame Fate2007-12-01 19:43:58 0 d-------- C:\Program Files\7 Artifacts2007-12-01 19:35:45 0 d-------- C:\Documents and Settings\Gigondas.NUME\Application Data\Flood Light Games2007-12-01 19:35:45 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Flood Light Games2007-11-30 20:57:18 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Real2007-11-26 18:35:54 0 d-------- C:\Program Files\Agatha Christie - Peril at End House-- Find3M Report ---------------------------------------------------------------2007-12-25 16:05:44 0 d-------- C:\Program Files\QuickTime2007-12-25 15:53:56 0 d-------- C:\Program Files\Motherboard Monitor 52007-12-25 15:49:49 0 d-------- C:\Program Files\Messenger2007-12-25 15:46:25 0 d-------- C:\Program Files\Key Words2007-12-25 15:37:17 0 d-------- C:\Program Files\Google2007-12-25 15:29:18 0 d-------- C:\Program Files\bfgtoolbar2007-12-25 14:20:03 0 d-------- C:\Documents and Settings\Gigondas.NUME\Application Data\alot2007-12-25 14:10:45 0 d-------- C:\Program Files\Viewpoint2007-12-25 13:55:41 0 d-------- C:\Program Files\Power Scan2007-12-25 13:53:04 0 d-------- C:\Documents and Settings\Gigondas.NUME\Application Data\Starware3372007-12-25 12:39:16 0 d-------- C:\Program Files\HP2007-12-25 12:35:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard2007-12-25 10:03:51 0 d-------- C:\Documents and Settings\Gigondas.NUME\Application Data\AVG72007-12-25 05:49:20 0 d-------- C:\Documents and Settings\Gigondas.NUME\Application Data\BFGTOOLBAR2007-12-24 19:38:16 0 d-------- C:\Program Files\Mozilla Thunderbird2007-12-11 12:46:12 0 d-------- C:\Program Files\Hidden Expedition - Everest2007-11-06 14:22:34 0 d-------- C:\Program Files\El Dorado Quest2007-10-30 14:26:57 0 d-------- C:\Program Files\Agatha Christie - And Then There Were None Strategy Guide2007-10-30 12:35:12 0 d-------- C:\Program Files\Amazonia-- Registry Dump ---------------------------------------------------------------*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]03/02/2007 04:52 PM 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]03/02/2007 04:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A}]05/23/2007 03:57 PM 1909760 --a------ C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8260C2B8-E0D1-448a-B062-33D12D468BF0}]09/12/2007 09:37 AM 551208 --a------ C:\Program Files\alot\bin\alot.dll[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83CDEF6B-98D2-4C60-84FC-00C44606A4F8}] C:\WINDOWS\domnftwpto.dll[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]"{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A}"= C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL [05/23/2007 03:57 PM 1909760][-HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A}][HKEY_CLASSES_ROOT\bfgtoolbar.BFGTOOLBAR][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SoundMan"="SOUNDMAN.EXE" [02/09/2004 03:54 AM C:\WINDOWS\SOUNDMAN.EXE]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 01:03 PM]"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [03/11/2007 09:34 PM]"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 01:54 PM]"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/25/2007 09:15 AM]"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/13/2007 03:30 PM]"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/15/2005 04:48 PM]"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [03/14/2006 03:52 PM]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/14/2007 05:25 PM]"MBM 5"="C:\Program Files\Motherboard Monitor 5\MBM5.EXE" [06/12/2004 08:40 AM][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [11/11/2004 08:50 PM]"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]"SmileboxTray"="C:\Documents and Settings\Gigondas.NUME\Application Data\Smilebox\SmileboxTray.exe" [12/04/2007 07:04 PM]C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [3/11/2007 9:26:24 PM]Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [12/13/2003 2:28:04 PM]Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [6/8/2003 4:48:18 PM][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"alxvdvm"= {110030A8-993B-4FBB-A63C-AE37A5416CFD} - C:\WINDOWS\alxvdvm.dll [ ]"bvtqfvx"= {2A2A258C-959C-4F6C-8D8F-DA0E558D62E1} - C:\WINDOWS\bvtqfvx.dll [12/24/2007 02:10 PM 221184][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"appinit_dlls"=WIKI.DLL[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]@="Service"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Gio Takahashi.NUME^Start Menu^Programs^Startup^Reboot.exe]path=C:\Documents and Settings\Gio Takahashi.NUME\Start Menu\Programs\Startup\Reboot.exebackup=C:\WINDOWS\pss\Reboot.exeStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]RunDll32 cmicnfg.cpl,CMICtrlWnd[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]C:\WINDOWS\ehome\ehtray.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]C:\Program Files\Common Files\AOL\1145037644\ee\AOLHostManager.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kkw_run.exe]kkw_run.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kmw_run.exe]kmw_run.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]"C:\Program Files\Messenger\msmsgs.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]"C:\Program Files\MSN Messenger\msnmsgr.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSWheel][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]Usnsvc usnsvcHPZ12 Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt hpqcxs08 hpqddsvc[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be945e0e-7296-11da-9197-806d6172696f}]AutoRun\command- install.exe*Newly Created Service* - GTNDIS5*Newly Created Service* - HPQCXS08*Newly Created Service* - HPQDDSVC*Newly Created Service* - RKPAVPROC-- Hosts -----------------------------------------------------------------------192.168.2.101 HP000D9D0D3963127.0.0.1 muser.messenger.hotmail.com127.0.0.1 muser.messenger.hotmail.com-- End of Deckard's System Scanner: finished at 2007-12-25 17:07:26 ------------ Link to post Share on other sites More sharing options...
Gio Takahashi Posted December 26, 2007 Author ID:11200 Share Posted December 26, 2007 Wow. after spending a few hour running AVG spyware, and spybot search and destroy that actually did the trick... I'll run the scanners tomorrow morning and post result. Link to post Share on other sites More sharing options...
JeanInMontana Posted December 26, 2007 ID:11229 Share Posted December 26, 2007 Hi there Gio Takahashi, and welcome to Malwarebytes. You should never run special fix tools like Deckards without someone familiar with the programs assisting. It can result in destruction of the system. Please follow the directions below while logged in under your Mother's account.If you haven't already, please get these programs, update and run a complete scan removing all items found.Spybot Search & Destroy Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.AVG AntiSpyware Be sure to "take action"Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum.Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures. Link to post Share on other sites More sharing options...
Recommended Posts