Please advise what to fix?

Status
Not open for further replies.

Thaqalain

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:33 PM, on 6/8/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\lcntnkdm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\DOCUME~1\kay\MYDOCU~1\YSTEM3~1\csrss.exe
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\1-Click Answers\answers.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\1-CLIC~1\agtserv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\?ymbols\j?vaw.exe
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\DOCUME~1\kay\LOCALS~1\Temp\xrun.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\mdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Discussions - 24hoursupport.helpdesk | Google Groups
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Discussions - 24hoursupport.helpdesk | Google Groups
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [{B7-70-0C-C5-DW}] C:\WINDOWS\system32\jmwnw64o.exe DWram
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662EA4EBF968951185EFC412806867680AEDE604D64C2661377FE13FD97CB77
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\lcntnkdm.exe DWram
O4 - HKLM\..\Run: [44bb706a] rundll32.exe "C:\DOCUME~1\Guest\LOCALS~1\Temp\bnjwpsgn.dll",b
O4 - HKLM\..\Run: [BM478843f6] Rundll32.exe "C:\WINDOWS\System32\olaqsmot.dll",s
O4 - HKLM\..\Run: [{413ef8d8-c742-cf15-7cd2-cdbd2826b72b}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\{dc891cfd-9472-97e1-f590-c549e90933d2}.dll" DllStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Roan] "C:\DOCUME~1\kay\MYDOCU~1\YSTEM3~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Zbnppg] "C:\Program Files\?ymbols\j?vaw.exe"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9d.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntnkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jmwnw64o.exe
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm127
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0F1100B5-8432-2BDA-F64F-2DBF65A3D5CA} - http://85.255.114.166/1/rdgUS2516.exe
O16 - DPF: {0FA07125-6504-7440-EB46-53C961E6A56E} - http://85.255.114.166/1/rdgUS2516.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {2FA71096-D7EB-6709-C58F-5563598CE550} - http://85.255.114.166/1/rdgUS2516.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab
O16 - DPF: {47A731D1-93BD-136E-5D80-4997229071CD} - http://85.255.114.166/1/rdgUS2516.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5B822B99-DA4B-4553-88CC-8DCA4E9C5656} (NtreevLauncher Control) - http://www.trickster.co.kr/Control/NtreevLauncher.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {78943F1D-E2E4-32C2-4DA9-59391659CBF7} - http://85.255.114.166/1/rdgUS2516.exe
O16 - DPF: {7AD0E5DF-8350-459D-F891-39BE4A5A847E} - http://85.255.114.166/1/rdgUS2516.exe
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/sp3.02r/spyspottercabinstall.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
O20 - AppInit_DLLs:
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 8783 bytes
 
Please help. This autoloaded program did the scan by itself, but it is asking for credit card info to remove what it found.

AntiSpywareMaster scan report
Report generated at: 06/08/08 20:59:07


|Type |Run type |Name |Details

|Backdoor |C:\WINDOWS\System32\6to4svc.dll |Backdoor.Simali |is a Backdoor Trojan that gives a hacker access to your computer. It attempts to notify the hacker through email or ICQ
|Adware |autorun |Zlob.PornAdvertiser.ba |Adware that displays pop-up/pop-under advertisements of pornographic or online gambling.
|Spyware |C:\WINDOWS\System32\catsrv.dll |Spyware.SmartPCKeylog |is a spyware program that monitors user activity, logs keystrokes, and captures screenshots.
|Backdoor |C:\WINDOWS\System32\cnetcfg.dll |Backdoor.Simali |is a Backdoor Trojan that gives a hacker access to your computer. It attempts to notify the hacker through email or ICQ
|Trojan |hiden run |Trojan.Cinmeng |is a Trojan horse that displays pop-up advertisements.
|Adware |C:\WINDOWS\System32\dpnet.dll |Adware.Mycashbag |is an adware program that displays popup advertisements.
|Adware |registry |Zlob.PornAdvertiser.ba |Adware that displays pop-up/pop-under advertisements of pornographic or online gambling.
|Backdoor |C:\WINDOWS\System32\hpvcp70.dll |Backdoor.Armageddon |allows a hacker to remotely control an infected computer.
|Adware |injection |Adware.Mycashbag |is an adware program that displays popup advertisements.
|Trojan |C:\WINDOWS\System32\kbd103.dll |Trojan.Farfli |is a Trojan horse that downloads other files and modifies the Start Page for Internet Explorer.
|Dialer |autorun |Dialer.Sexprovider |is a dialer program that can be used to access pornography, by dialing a high-cost number using a modem.
|Spyware |C:\WINDOWS\System32\kbdkor.dll |Spyware.AllMonitor |is a spyware program that records keystrokes and monitors user activities on the computer.
|Adware |C:\WINDOWS\System32\ltfil13n.dll |Adware.Elodu |is an adware program that installs itself as a Browser Helper Object and displays pop up advertisements.
|Spyware |C:\WINDOWS\System32\mf3216.dll |Spyware.IEMonster.d |Steals passwords from Internet Explorer, Mozilla Firefox, Outlook.
|Worm |C:\WINDOWS\System32\mprui.dll |SymbOS.Hatihati.A |is a Trojan horse that runs on the Symbian OS.
|Adware |C:\WINDOWS\System32\msdmo.dll |Adware.AdVantage |is an adware program that monitors the contents of Internet browser windows.
|Backdoor |C:\WINDOWS\System32\MSJT4JLT.DLL |Backdoor.Armageddon |allows a hacker to remotely control an infected computer.
|Dialer |C:\WINDOWS\System32\MSSCP.dll |Dialer.Xpehbam.biz_d |loads pornographic material. The url information shows Hardcore Pornographic pages.
|Adware |C:\WINDOWS\System32\mswsock.dll |Adware.LoveFreeGames |is a security risk that installs an Internet Explorer toolbar.
|Trojan |registry |Trojan.Usbsteal |is a Trojan horse that steals sensitive information from the compromised computer.
|Worm |C:\WINDOWS\System32\nwcfg.dll |W32.Mikbaland |is a worm that copies itself to shared and removable drives.
|Trojan |C:\WINDOWS\System32\oleaut32.dll |Trojan.Farfli |is a Trojan horse that downloads other files and modifies the Start Page for Internet Explorer.
|Spyware |autorun |Spyware.SmartPCKeylog |is a spyware program that monitors user activity, logs keystrokes, and captures screenshots.
|Dialer |C:\WINDOWS\System32\rpcns4.dll |Dialer.Palazzo |is a dialer program that can be used to access a casino web site by dialing a high-cost number using the modem.
|Spyware |C:\WINDOWS\System32\SCP32.DLL |Spyware.ICQsniffer |is a spyware program that monitors and captures ICQ chat over a network.
|Trojan |C:\WINDOWS\System32\shscrap.dll |Trojan.Brutecell |is a Trojan horse that retrieves a username and password list from the remote attacker and attempts to login to eBay using the list, sending the result to the attacker.
|Dialer |registry |Dialer.Mejorbus |is a dialer program that can be used to access pornographic a webcam Web site by dialing a high-cost number using the modem.
|Spyware |autorun |Spyware.IEMonster.d |Steals passwords from Internet Explorer, Mozilla Firefox, Outlook.
|Tracking Cookie|Web browser |1057062368 |C:\Documents and Settings\kay\Cookies\kay@1057062368[1].txt
|Tracking Cookie|Web browser |adshuffle |C:\Documents and Settings\kay\Cookies\kay@adshuffle[1].txt
|Tracking Cookie|Web browser |cgi-bin |C:\Documents and Settings\kay\Cookies\kay@cgi-bin[2].txt
|Tracking Cookie|Web browser |fc.webmasterpro |C:\Documents and Settings\kay\Cookies\kay@fc.webmasterpro[1].txt
|Tracking Cookie|Web browser |iesnare |C:\Documents and Settings\kay\Cookies\kay@iesnare[1].txt
|Tracking Cookie|Web browser |neocounter2 |C:\Documents and Settings\kay\Cookies\kay@neocounter2[2].txt
|Tracking Cookie|Web browser |rockyou |C:\Documents and Settings\kay\Cookies\kay@rockyou[1].txt
|Tracking Cookie|Web browser |teachingenglish.mtk1 |C:\Documents and Settings\kay\Cookies\kay@teachingenglish.mtk1[1].txt
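Added here as a worked example, not part of this thread or of HijackThis: a small Python triage pass over a constructed subset of the HijackThis entries quoted above, flagging the kinds of lines a helper reads first (autoruns living in user-writable folders, a core system binary name outside System32, a Trusted Zone addition, ActiveX objects fetched from a bare IP address as an .exe, and O17 DNS servers changed to public addresses). The rule names, the `SYSTEM_NAMES` list and the "user-writable" pattern are this example's own assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed subset of the HijackThis entries quoted in the post above (one benign O4 and one benign O16 for contrast).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [44bb706a] rundll32.exe "C:\DOCUME~1\Guest\LOCALS~1\Temp\bnjwpsgn.dll",b
O4 - HKCU\..\Run: [Roan] "C:\DOCUME~1\kay\MYDOCU~1\YSTEM3~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {0F1100B5-8432-2BDA-F64F-2DBF65A3D5CA} - http://85.255.114.166/1/rdgUS2516.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
"""

# Assumed list of core Windows binary names that malware borrows; the genuine copies live in System32.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "svchost.exe", "lsass.exe"}
USER_WRITABLE = re.compile(r"DOCUME~1|Documents and Settings|\\Temp\\", re.IGNORECASE)
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s",]+)')  # quoted or bare path

def triage(log_text):
    """Return (section, reason, evidence) tuples for entries a helper would look at first."""
    findings = []
    for line in log_text.strip().splitlines():
        section = line.split(" - ", 1)[0]
        if section == "O4":  # autostart entries: where does the program live?
            for quoted, bare in WIN_PATH.findall(line):
                path = quoted or bare
                if USER_WRITABLE.search(path):
                    findings.append((section, "autorun from user-writable location", path))
                if path.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES and "\\system32\\" not in path.lower():
                    findings.append((section, "system binary name outside System32", path))
        elif section == "O15":  # Trusted Zone sites get relaxed IE security settings
            findings.append((section, "unexpected Trusted Zone entry", line.split(": ", 1)[1]))
        elif section == "O16":  # ActiveX download (DPF) entries
            url = line.rsplit(" - ", 1)[1]
            parsed = urlparse(url)
            if re.fullmatch(r"\d+(\.\d+){3}", parsed.hostname or ""):
                findings.append((section, "ActiveX object fetched from a bare IP address", url))
            if parsed.path.lower().endswith(".exe"):
                findings.append((section, "ActiveX entry points at an .exe, not a .cab", url))
        elif section == "O17":  # DNS servers set in the registry; compare with what the ISP assigns
            servers = line.split("NameServer =", 1)[1].split()
            public = [s for s in servers if not ip_address(s).is_private]
            if public:
                findings.append((section, "DNS resolvers changed to public addresses", " ".join(public)))
    return findings
```

Running `triage(SAMPLE_LOG)` leaves the msnmsgr and go.microsoft.com lines unflagged and reports the other five entries, which is the same short list a helper would ask about first.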
 
Hello Thaqalain, :)

That program that is showing you this stuff is what we call a Rogue AntiSpyware Product. They trick users into buying or downloading them, and they say that malware is present while they in fact ARE the malware. The results are tricks from the scanners, and they do nothing good for your computer. Read this website for more information on these types of infections:

Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites

Since we have heavy infection on this PC we will take out the big tools. Please follow these steps in the order they are given and DO NOT skip any one step.

Step 1 | Notepad Word Wrap Feature

Please go to Start => All Programs, and open a new Notepad (not WordPad) document. When you have the new untitled document open, please follow the instructions below:

  • Click on "Format" (in the above toolbar)
  • Click "Word Wrap"
After doing so close notepad and proceed to the next step(s).

Step 2 | ComboFix

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer

Logs Required In Next Post
--------------------------------

ComboFix Log
New Hijackthis Log
 