
Thread: Please help with Outerinfo

  1. #1  Junior Member, joined Nov 2007, 19 posts

    Please help with Outerinfo

    Followed the instructions, everything was removed during safe mode S&D. Outerinfo popups still continue. Thank you in advance for your help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:13:27 AM, on 11/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\LxrJD31s.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Norton Ghost\Agent\VProTray.exe
    C:\Program Files\NetMeeting\mefereh77798.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe
    C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe
    C:\Program Files\Insider\Insider.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\Program Files\No-IP\DUC20.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mymail.rit.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {27767020-BB95-9333-B598-B66EFC9C96B7} - C:\WINDOWS\system32\ozuklvfh.dll
    O2 - BHO: (no name) - {33D3BF68-7617-4975-BA46-83A2A604A4E3} - C:\Program Files\Internet Explorer\mewocykov83122.dll
    O2 - BHO: 0 - {4A29D965-E87A-4A98-2885-CFAE8B79C1D2} - C:\Program Files\Common Files\qujav.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {B823A847-BCF5-46B4-84D6-F8D34ED4C766} - \
    O2 - BHO: (no name) - {e84ee827-4c05-430c-8c5e-4f2faff8e43e} - C:\WINDOWS\system32\fdmywge.dll
    O2 - BHO: (no name) - {E8D0F521-8F19-4E62-AB91-A48082E0ED52} - C:\WINDOWS\system32\ewnjpkxm.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
    O4 - HKLM\..\Run: [mefereh] C:\Program Files\NetMeeting\mefereh77798.exe
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9278] command /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6960] cmd /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
    O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" --ru -vt yazb
    O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
    O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O4 - Global Startup: D-Link REG Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Shawn\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Shawn\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
    O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe
    O9 - Extra button: Golden Riviera Poker - {85BFB6E0-96F9-4424-8819-1D67E9F78D33} - C:\Program Files\goldenrivieraMPP\MPPoker.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 11926 bytes
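Added example (not part of the thread, and not HijackThis code): a small Python triage pass over lines copied from the log above. It mechanises the checks a removal helper does by eye. Two of them are worth spelling out. First, HijackThis prints `?` for a character it cannot render, so `?ssembly\r?ndll32.exe` under Application Data is a folder and file whose names contain non-ASCII characters dressed up to read as `Assembly\rundll32.exe`; the real rundll32.exe lives in system32 and is never in a profile directory. Second, the `logonui.exe` autorun points into My Documents via the 8.3 short name `SKS~1`; the Kaspersky report further down spells the folder out as `Таsks`, where the first two letters are Cyrillic, so Explorer shows what looks like "Tasks" while the ASCII string `Tasks` would not match it. The sample input and the Cyrillic test path are constructed here from the logs on this page; the flag names are this example's own.

```python
"""Triage of HijackThis O2/O4/O20/O23 entries.

Added example for this thread, not code from HijackThis or from the poster.
It applies the checks a removal helper does by eye:
  * '?' or non-ASCII characters inside a path.  HijackThis prints '?' for a
    character it cannot render, and look-alike letters from another script
    make a folder read as 'Assembly' or 'Tasks' while not being that string.
  * autoruns that execute from a user profile or Temp directory.
  * BHO entries with no name, and any entry whose file is missing.
"""
import re
import unicodedata

# Constructed test input: lines copied from the log above, nothing new.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27767020-BB95-9333-B598-B66EFC9C96B7} - C:\WINDOWS\system32\ozuklvfh.dll
O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" --ru -vt yazb
O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

# The same logonui.exe as the Kaspersky report spells it: the first two letters
# of the folder are Cyrillic (U+0422, U+0430), written as escapes on purpose.
KASPERSKY_PATH = "C:\\Documents and Settings\\Shawn\\My Documents\\\u0422\u0430sks\\logonui.exe"

ENTRY_RE = re.compile(r'^(O\d+) - ')
# First drive-letter path ending in an executable extension; a quote ends it.
PATH_RE = re.compile(r'(?i)([A-Z]:\\[^"\r\n]*?\.(?:exe|dll|cpl|sys|ocx))')
USER_WRITABLE = ('\\documents and settings\\', '\\docume~1\\', '\\temp\\')


def suspicious_chars(path):
    """Characters that do not belong in a path HijackThis printed.

    Returns (char, description) pairs: '?' is the HijackThis placeholder for
    an unrenderable character; anything above ASCII is named via unicodedata
    so a Cyrillic look-alike is reported as exactly that.
    """
    found = []
    for ch in path:
        if ch == '?':
            found.append((ch, 'HijackThis placeholder for unrenderable character'))
        elif ord(ch) > 127:
            found.append((ch, unicodedata.name(ch, 'UNKNOWN')))
    return found


def extract_path(line):
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage(log_text):
    """Return the entries that trip at least one check, with the reasons."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind = m.group(1)
        path = extract_path(line)
        flags = []
        # Only BHOs: O9 toolbar buttons are often legitimately unnamed (Java console).
        if kind == 'O2' and '(no name)' in line:
            flags.append('no name')
        if '(file missing)' in line:
            flags.append('file missing')
        if path:
            if any(s in path.lower() for s in USER_WRITABLE):
                flags.append('runs from user-writable location')
            odd = suspicious_chars(path)
            if odd:
                flags.append('odd characters in path: ' + '; '.join(d for _, d in odd))
        if flags:
            flagged.append({'kind': kind, 'path': path, 'flags': flags, 'line': line})
    return flagged


if __name__ == '__main__':
    for entry in triage(SAMPLE_LOG):
        print(f"{entry['kind']:<4} {entry['path']}")
        for f in entry['flags']:
            print(f"       - {f}")
    print('Kaspersky path:', suspicious_chars(KASPERSKY_PATH))
```

Run against the eight sample lines it leaves the Adobe BHO and ZoneAlarm alone and flags the other six; on the Cyrillic path it names the two letters so the folder can be matched by its real name rather than by how it looks in Explorer. The "runs from user-writable location" rule is deliberately broad; legitimate per-user software also lives there, so it marks entries for a look, not for deletion.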

  2. #2  Junior Member, joined Nov 2007, 19 posts

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, November 20, 2007 5:24:22 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 20/11/2007
    Kaspersky Anti-Virus database records: 462398
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 217115
    Number of viruses found: 27
    Number of infected objects: 62
    Number of suspicious objects: 4
    Duration of the scan process: 03:17:28

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\00000002.ps1 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\00000002.ps2 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\00010005.ci Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\cicat.fid Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\cicat.hsh Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiCL0001.000 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiP10000.000 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiP20000.000 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiPT0000.000 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiSL0001.000 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiSP0000.000 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiST0000.000 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiVP0000.000 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\INDEX.000 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\propstor.bk1 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\propstor.bk2 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/MTE3MTk6ODoxNg.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-20_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Aim\ebxzrvsf\spw26yankees\cert8.db Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Aim\ebxzrvsf\spw26yankees\key3.db Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\history.dat Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\key3.db Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\webappsstore.sqlite Object is locked skipped
    C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\6.0\36\37984024-7e2c5fbc/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
    C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\6.0\36\37984024-7e2c5fbc/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
    C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\6.0\36\37984024-7e2c5fbc/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
    C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\6.0\36\37984024-7e2c5fbc ZIP: infected - 3 skipped
    C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-637995f5-3e19d279.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
    C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-637995f5-3e19d279.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
    C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-637995f5-3e19d279.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
    C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-637995f5-3e19d279.zip ZIP: infected - 3 skipped
    C:\Documents and Settings\Shawn\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\History\History.IE5\MSHist012007112020071121\index.dat Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Temp\camg-77798.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
    C:\Documents and Settings\Shawn\Local Settings\Temp\camg-77798.exe NSIS: infected - 1 skipped
    C:\Documents and Settings\Shawn\Local Settings\Temp\MBDownloader_876923.exe Infected: not-a-virus:AdWare.Win32.NetNucleus.b skipped
    C:\Documents and Settings\Shawn\Local Settings\Temp\OIN9D3.tmp.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
    C:\Documents and Settings\Shawn\Local Settings\Temp\OIN9D6.tmp.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
    C:\Documents and Settings\Shawn\Local Settings\Temp\Perflib_Perfdata_370.dat Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Temp\Perflib_Perfdata_68c.dat Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Temp\~ef8b72\~efe2.tmp Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Temp\~efe22d\~efe2.tmp Object is locked skipped
    C:\Documents and Settings\Shawn\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Shawn\My Documents\Таsks\logonui.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
    C:\Documents and Settings\Shawn\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Shawn\ntuser.dat.LOG Object is locked skipped
    C:\Inetpub\catalog.wci\00000002.ps1 Object is locked skipped
    C:\Inetpub\catalog.wci\00000002.ps2 Object is locked skipped
    C:\Inetpub\catalog.wci\00010002.ci Object is locked skipped
    C:\Inetpub\catalog.wci\cicat.fid Object is locked skipped
    C:\Inetpub\catalog.wci\cicat.hsh Object is locked skipped
    C:\Inetpub\catalog.wci\CiCL0001.000 Object is locked skipped
    C:\Inetpub\catalog.wci\CiP10000.000 Object is locked skipped
    C:\Inetpub\catalog.wci\CiP20000.000 Object is locked skipped
    C:\Inetpub\catalog.wci\CiPT0000.000 Object is locked skipped
    C:\Inetpub\catalog.wci\CiSL0001.000 Object is locked skipped
    C:\Inetpub\catalog.wci\CiSP0000.000 Object is locked skipped
    C:\Inetpub\catalog.wci\CiST0000.000 Object is locked skipped
    C:\Inetpub\catalog.wci\CiVP0000.000 Object is locked skipped
    C:\Inetpub\catalog.wci\INDEX.000 Object is locked skipped
    C:\Inetpub\catalog.wci\propstor.bk1 Object is locked skipped
    C:\Inetpub\catalog.wci\propstor.bk2 Object is locked skipped
    C:\Program Files\Common Files\qujav.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\Program Files\Common Files\rterek.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
    C:\Program Files\Internet Explorer\mewocykov4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\Program Files\Internet Explorer\mewocykov83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\Program Files\NetMeeting\mefereh77798.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
    C:\Program Files\No-IP\DUC - Shawn.log Object is locked skipped
    C:\Program Files\TightVNC-unstable\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
    C:\Program Files\TightVNC-unstable\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.j skipped
    C:\Program Files\TightVNC-unstable\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
    C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
    C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
    C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
    C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\tracking.log Object is locked skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162131.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162367.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162370.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wi skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162371.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162371.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162372.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162373.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162374.exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162374.exe/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162374.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162375.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162376.exe Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162377.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP809\A0162649.dll Infected: Trojan.Win32.Pakes.akr skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP809\A0162650.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wi skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP810\change.log Object is locked skipped
    C:\temp\ftp.txt Infected: Trojan-Downloader.BAT.Ftp.ca skipped
    C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\WINDOWS\b104.exe NSIS: infected - 3 skipped
    C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
    C:\WINDOWS\b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped

  3. #3  Junior Member, joined Nov 2007, 19 posts

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\i.bat Infected: Trojan-Downloader.BAT.Ftp.ca skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\SPWLAPTOP.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{F76601BA-62C0-4F9E-A5B0-287BE51153FB}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\a1\rarndrll2.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
    C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\fdmywge.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
    C:\WINDOWS\system32\g2\caws83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\WINDOWS\system32\g2\caws83122.exe NSIS: infected - 1 skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\hakbqwxp.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\system32\Mz16r\Mz16r2291.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
    C:\WINDOWS\system32\ope9D2.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
    C:\WINDOWS\system32\ope9D4.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
    C:\WINDOWS\system32\ope9D4.exe NSIS: infected - 1 skipped
    C:\WINDOWS\system32\r2\wr31drs.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
    C:\WINDOWS\system32\rqrppqo.dll Infected: Trojan.Win32.Pakes.sv skipped
    C:\WINDOWS\system32\svjhpfru.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_4a4.dat Object is locked skipped
    C:\WINDOWS\Temp\ZLT07bc8.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT07bcb.TMP Object is locked skipped
    C:\WINDOWS\tk58.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
    C:\WINDOWS\U2hhd24\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\WINDOWS\U2hhd24\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\xampp\apache\logs\access.log Object is locked skipped
    C:\xampp\apache\logs\error.log Object is locked skipped
    C:\xampp\apache\logs\sslerror.log Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\ibc_players.MYD Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\ibc_players.MYI Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\ibc_rookie_draft_pool.MYD Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\ibc_rookie_draft_pool.MYI Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\ibc_rookie_draft_queue.MYD Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\ibc_rookie_draft_queue.MYI Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\ibc_transactions.MYD Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\ibc_transactions.MYI Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_config.MYD Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_config.MYI Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_sessions.MYD Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_sessions.MYI Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_themes.MYD Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_themes.MYI Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_users.MYD Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_users.MYI Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_user_group.MYD Object is locked skipped
    C:\xampp\mysql\data\ibcleague_com\phpbb_user_group.MYI Object is locked skipped
    C:\xampp\mysql\data\SPWlaptop.err Object is locked skipped

    Scan process completed.

    #4 pskelley (In Memoriam - Always in our heart). Location: Clearwater, Florida. Joined: Oct 2005. Posts: 20,247

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You have a PurityScan/OIN infection, but that is by far not the worst. You have a Vundo infection, which can be very hard to remove. This will take some time, and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help; an option would be to reformat.

    If you wish to continue, keep this computer offline except when troubleshooting; the junk will download more.
    If you have any of these tools, delete them and download them new from the links I provide.

    1) Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    (You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

    2) Thanks to Atribune and any others who helped with this fix.

    http://vundofix.atribune.org/ <<< tutorial

    "Download VundoFix" to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Vundofix.txt will be on the C:\

    3) Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the Vundofix.txt, combofix log, uninstall list and a new HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

    #5 Junior Member. Joined: Nov 2007. Posts: 19

    Thank you for your help so far pskelley.

    I have read that topic and had read it before posting as well.

    The 4 requested logs are attached.

    #6 pskelley (In Memoriam - Always in our heart). Location: Clearwater, Florida. Joined: Oct 2005. Posts: 20,247

    http://forums.spybot.info/showthread.php?t=288

    Well...I would say you need to read it again?

    Please do not attach or link to infected files!
    If a helper requests files they will give you a link to upload them.
    All logs should be copy/pasted into topic and not attached unless requested by helper in that format.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

    #7 Junior Member. Joined: Nov 2007. Posts: 19

    Well gosh, now I just look stupid. I thought I read something about attaching a zip if copy/paste would end up taking over 2 posts, but I can't find that, so I guess I imagined it.

    Uninstall List:
    Absolute Poker
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Photoshop 7.0
    Adobe Reader 8
    Adobe Shockwave Player
    Adobe SVG Viewer 3.0
    AIMutation (remove only)
    AOL Instant Messenger
    ATI Control Panel
    ATI Display Driver
    BEAT THE MARKET
    bet365poker
    CDBurnerXP Pro 3
    Compaq Presario r4000 User Guides
    Conexant AC-Link Audio
    Craxtion4
    Data Fax SoftModem with SmartCP
    DC++ 0.691
    Diamond Mind Baseball version 9
    D-Link AirPlus Xtreme G Adapter
    DMB Encyclopedia 9b patch
    DMB Encyclopedia version 9
    DMB version 9a patch
    DMB version 9b patch
    DMB version 9c patch
    EmpirePoker
    GamesGrid Poker
    Golden Riviera Poker
    HijackThis 2.0.2
    HollywoodPoker.com (remove only)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB926239)
    HP Document Viewer 5.3
    HP Help and Support
    HP Image Zone 5.3
    HP Imaging Device Functions 5.3
    HP Integrated Module with Bluetooth wireless technology
    HP PSC & OfficeJet 5.3.A
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.3
    InterPoker
    InterVideo WinDVD
    Ipswitch WS_FTP Professional 2006
    ISO Recorder
    iTunes
    J2SE Development Kit 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2
    JD Secure 3.1
    Kaspersky Online Scanner
    K-Lite Codec Pack 2.77 Basic
    LiveUpdate 3.2 (Symantec Corporation)
    Logitech Harmony Remote Software 7
    Macromedia Director MX 2004
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Device Emulator version 1.0 - ENU
    Microsoft Document Explorer 2005
    Microsoft Document Explorer 2005
    Microsoft Money 2005
    Microsoft Office Converter Pack
    Microsoft Office OneNote 2003
    Microsoft Office Visio Professional 2003
    Microsoft Office XP Professional
    Microsoft Script Debugger
    Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J# 2.0 Redistributable Package
    Microsoft Visual Studio 2005 Professional Edition - ENU
    Microsoft Works
    MLB.TV Mosaic
    Mozilla Firefox (2.0.0.9)
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    muvee autoProducer 4.0 - SE
    MySQL Server 5.0
    NHL 2001
    No-IP.com DUC (remove only)
    Norton Ghost
    Paradise Poker
    PartyPoker
    Personal License Update Wizard for Windows Media Player
    Poker Tracker Version 2.10.02b
    Poker World
    PokerPlex
    PokerStars
    PowerISO
    Quick Launch Buttons 5.10 B3
    QuickTime
    Remote Control USB Driver
    River Belle Poker
    Royal Vegas Poker
    ScreenStream
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic Update Manager
    Sportsbook.com Poker
    Spybot - Search & Destroy
    SQLite ODBC Driver
    Steam(TM)
    SunPoker.com
    Swarmcast
    Swarmcast for MLB-TV-Mosaic
    Synaptics Pointing Device Driver
    totalbet poker
    UltimateBet
    UltraEdit-32
    UserGuides
    William Hill Poker
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Live Messenger
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Media Player 11
    WinRAR archiver
    WinSCP 4.0.4
    Yahoo! Widgets
    ZoneAlarm


    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.11

    Scan started at 10:41:20 AM 11/23/2007

    Listing files found while scanning....

    C:\windows\system32\rqrppqo.dll
    C:\WINDOWS\system32\rqtss.bak1
    C:\WINDOWS\system32\rqtss.bak2
    C:\WINDOWS\system32\rqtss.ini
    C:\WINDOWS\system32\rqtss.tmp
    C:\WINDOWS\system32\sstqr.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\rqrppqo.dll
    C:\windows\system32\rqrppqo.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rqtss.bak1
    C:\WINDOWS\system32\rqtss.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rqtss.bak2
    C:\WINDOWS\system32\rqtss.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rqtss.ini
    C:\WINDOWS\system32\rqtss.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rqtss.tmp
    C:\WINDOWS\system32\rqtss.tmp Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.11

    Scan started at 11:01:48 AM 11/23/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\sstqr.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!
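
    The two VundoFix runs above list sstqr.dll both times but only ever report the rqtss.* files as deleted, and those companions are the DLL's name spelled backwards, a naming habit of Vundo/Virtumonde variants. The script below is an added example by the editor, not part of the post and not VundoFix code: it parses a VundoFix log (the two runs above, embedded as sample input), reports files that were listed but never reported deleted, and pairs each DLL with same-directory files whose base name is its reverse. The markers it keys on ("Listing files found", "Beginning removal", "Has been deleted!") are taken from the log as printed here and are assumed to be stable across runs.

```python
"""Post-processing of a VundoFix log: which listed files survived the run, and
which DLLs have a same-directory companion named with the DLL's name reversed.

Added example by the editor; not VundoFix code. The log markers it keys on
("Listing files found", "Beginning removal", "Has been deleted!") are taken
from the log as printed in this thread.
"""
import re
from collections import defaultdict

# The two VundoFix runs from the post above, trimmed to the relevant lines.
VUNDOFIX_LOG = r"""
VundoFix V6.6.2
Scan started at 10:41:20 AM 11/23/2007

Listing files found while scanning....

C:\windows\system32\rqrppqo.dll
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.tmp
C:\WINDOWS\system32\sstqr.dll

Beginning removal...

Attempting to delete C:\windows\system32\rqrppqo.dll
C:\windows\system32\rqrppqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.tmp
C:\WINDOWS\system32\rqtss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2
Scan started at 11:01:48 AM 11/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\sstqr.dll

Beginning removal...

Performing Repairs to the registry.
Done!
"""

PATH = re.compile(r"^[A-Za-z]:\\.+$")
DELETED = re.compile(r"^([A-Za-z]:\\.+?) Has been deleted!$")


def parse_vundofix(text):
    """Return (listed, deleted): lowercase path sets across all runs in the log."""
    listed, deleted, in_listing = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Listing files found"):
            in_listing = True
            continue
        if line.startswith("Beginning removal"):
            in_listing = False
            continue
        m = DELETED.match(line)
        if m:
            deleted.add(m.group(1).lower())
        elif in_listing and PATH.match(line):
            listed.add(line.lower())
    return listed, deleted


def survivors(text):
    """Files VundoFix listed in some run but never reported as deleted."""
    listed, deleted = parse_vundofix(text)
    return sorted(listed - deleted)


def reversed_name_pairs(paths):
    """Map each DLL to same-directory files whose stem is the DLL stem reversed.

    Vundo/Virtumonde variants keep their .ini/.bak/.tmp companions under the
    DLL's name spelled backwards (rqtss.* beside sstqr.dll in the log above).
    A palindromic stem is ignored so a DLL cannot pair with itself.
    """
    by_dir = defaultdict(lambda: defaultdict(list))   # dir -> stem -> [(ext, path)]
    for p in paths:
        folder, _, name = p.lower().rpartition("\\")
        stem, _, ext = name.rpartition(".")
        by_dir[folder][stem].append((ext, p))
    pairs = {}
    for stems in by_dir.values():
        for stem, files in stems.items():
            dlls = [p for ext, p in files if ext == "dll"]
            mirror = stem[::-1]
            if dlls and mirror != stem and mirror in stems:
                pairs[dlls[0]] = sorted(p for _, p in stems[mirror])
    return pairs


if __name__ == "__main__":
    listed, _ = parse_vundofix(VUNDOFIX_LOG)
    print("not deleted:", survivors(VUNDOFIX_LOG))
    for dll, companions in reversed_name_pairs(listed).items():
        print(dll, "<->", companions)
```

    Run as-is it names sstqr.dll as the one listed file with no deletion line and shows the four rqtss.* files as its mirrored companions; that is the cue that the DLL (still registered as a BHO and a Winlogon notify handler in the ComboFix output further down) needs its own removal pass rather than a re-run of the same scan.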

    #8 Junior Member. Joined: Nov 2007. Posts: 19

    ComboFix 07-11-19.3 - Shawn 2007-11-23 11:32:16.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.109 [GMT -5:00]
    Running from: C:\Documents and Settings\Shawn\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Shawn\Application Data\SSEMBL~1
    C:\Documents and Settings\Shawn\Application Data\SSEMBL~1\r?ndll32.exe
    C:\Documents and Settings\Shawn\Application Data\WinTouch
    C:\Documents and Settings\Shawn\My Documents\SKS~1
    C:\Documents and Settings\Shawn\My Documents\SKS~1\??sks\
    C:\Documents and Settings\Shawn\My Documents\SKS~1\logonui.exe
    C:\Program Files\Common Files\qujav.dll
    C:\Program Files\Insider
    C:\Program Files\Insider\Insider.exe
    C:\Program Files\Insider\UnInstall.exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\outerinfo.ico
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\outerinfo\Thumbs.db
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\b104.exe
    C:\WINDOWS\b111.exe
    C:\WINDOWS\b122.exe
    C:\WINDOWS\b138.exe
    C:\WINDOWS\b147.exe
    C:\WINDOWS\hosts
    C:\WINDOWS\system32\a1
    C:\WINDOWS\system32\a1\rarndrll2.exe
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\ewnjpkxm.dll
    C:\WINDOWS\system32\fdmywge.dll
    C:\WINDOWS\system32\g2
    C:\WINDOWS\system32\g2\caws83122.exe
    C:\WINDOWS\system32\h1
    C:\WINDOWS\system32\ozuklvfh.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\r2
    C:\WINDOWS\system32\r2\wr31drs.exe
    C:\WINDOWS\system32\v8
    C:\WINDOWS\system32\v8\taldrvr11.exe
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\TTC-4444.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NETWORK_MONITOR
    -------\nm


    ((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
    .

    2007-11-23 10:41 <DIR> d-------- C:\VundoFix Backups
    2007-11-20 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-18 10:21 143 --a------ C:\WINDOWS\system32\mcrh.tmp
    2007-11-17 10:52 215,144 -ra------ C:\WINDOWS\patchw32.dll
    2007-11-17 10:47 215,144 -ra------ C:\WINDOWS\pw32a.dll
    2007-11-17 10:34 71,188 --a------ C:\WINDOWS\system32\hakbqwxp.exe
    2007-11-17 10:34 353 --ahs---- C:\WINDOWS\system32\klkkj.ini
    2007-11-17 10:32 132,320 --a------ C:\WINDOWS\system32\drivers\symsnap.sys
    2007-11-17 10:32 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
    2007-11-17 10:32 37,864 --a------ C:\WINDOWS\system32\drivers\v2imount.sys
    2007-11-17 10:32 14,072 --a------ C:\WINDOWS\system32\drivers\vproeventmonitor.sys
    2007-11-17 10:23 <DIR> d--hs---- C:\WINDOWS\U2hhd24
    2007-11-17 10:23 35,840 --a------ C:\WINDOWS\mrofinu312.exe
    2007-11-17 10:23 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
    2007-11-17 10:22 <DIR> d-------- C:\temp\mZOr
    2007-11-17 10:22 <DIR> d-------- C:\Program Files\PowerISO
    2007-11-17 10:22 352,410 --a------ C:\WINDOWS\ope9CB.exe
    2007-11-17 10:22 0 --a------ C:\WINDOWS\system32\ope9D1.tmp
    2007-11-09 11:33 <DIR> d-------- C:\Documents and Settings\Shawn\Application Data\U3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-23 16:47 19,451,936 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2007-11-23 16:44 230,048 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-23 16:28 246 ----a-w C:\Program Files\Common Files\qujav
    2007-11-19 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-17 15:58 --------- d-----w C:\Documents and Settings\Shawn\Application Data\Symantec
    2007-11-17 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-17 15:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-17 15:29 --------- d-----w C:\Program Files\Norton Ghost
    2007-11-17 15:22 --------- d-----w C:\Documents and Settings\Shawn\Application Data\uTorrent
    2007-11-04 02:08 --------- d-----w C:\Documents and Settings\Shawn\Application Data\Microgaming
    2007-10-21 17:28 --------- d--h--w C:\Program Files\Zero G Registry
    2007-10-21 17:22 --------- d-----w C:\Program Files\Workspace Macro Pro 6.5
    2007-10-21 17:22 --------- d-----w C:\Program Files\Automation Anywhere 4.0
    2007-10-09 20:41 --------- d-----w C:\Program Files\Swarmcast
    2007-10-01 22:30 --------- d-----w C:\Program Files\No-IP
    2007-10-01 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2007-10-01 21:30 --------- d-----w C:\Program Files\NCH Software
    2007-10-01 21:30 --------- d-----w C:\Documents and Settings\Shawn\Application Data\NCH Software
    2007-10-01 21:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software
    2007-09-25 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-09-12 01:30 65,360 -c--a-w C:\Documents and Settings\Shawn\Application Data\GDIPFONTCACHEV1.DAT
    2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
    2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\rterek.html
    2005-10-23 20:23 0 -c----w C:\Documents and Settings\Shawn\Application Data\wklnhst.dat
    2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\U2hhd24\asappsrv.dll
    2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\U2hhd24\command.exe
    2005-07-29 21:24 472 --sha-r C:\WINDOWS\U2hhd24\oZ11xZb.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27767020-BB95-9333-B598-B66EFC9C96B7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33D3BF68-7617-4975-BA46-83A2A604A4E3}]
    2007-08-02 08:43 282624 --a------ C:\Program Files\Internet Explorer\mewocykov83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A29D965-E87A-4A98-2885-CFAE8B79C1D2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B729991-E1EC-4CB3-90C0-033B74928E66}]
    C:\WINDOWS\system32\sstqr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B823A847-BCF5-46B4-84D6-F8D34ED4C766}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e84ee827-4c05-430c-8c5e-4f2faff8e43e}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8D0F521-8F19-4E62-AB91-A48082E0ED52}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
    "AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 14:08]
    "C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"="1&1 EasyLogin HIDE" []
    "Snte"="C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" []
    "Nsf"="C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe" []
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 23:05]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
    "Norton Ghost 12.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2007-10-05 12:33]
    "mefereh"="C:\Program Files\NetMeeting\mefereh77798.exe" [2007-08-07 15:30]

    C:\Documents and Settings\Shawn\Start Menu\Programs\Startup\
    No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-10-01 17:30:18]
    PowerReg Scheduler.exe [2007-09-01 13:24:05]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqr]
    C:\WINDOWS\system32\sstqr.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
    backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
    backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shawn^Start Menu^Programs^Startup^Webshots.lnk]
    path=C:\Documents and Settings\Shawn\Start Menu\Programs\Startup\Webshots.lnk
    backup=C:\WINDOWS\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
    2005-02-17 16:01 233534 --------- C:\Program Files\HPQ\Default Settings\cpqset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-05-11 22:12 49152 --------- C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2006-10-30 09:36 256576 --------- C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MNS]
    C:\Program Files\Mobile Net Switch\MNS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
    2003-10-07 08:48 147514 --------- C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
    C:\Program Files\Zune\ZuneLauncher.exe

    R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
    R2 v2imount;Symantec V2i Mount Driver;C:\WINDOWS\system32\DRIVERS\v2imount.sys
    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
    S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys
    S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys
    S3 WimFltr;WimFltr;C:\WINDOWS\system32\DRIVERS\wimfltr.sys
    S3 xbreader;MaxDrive XBox Driver (xbreader.sys);C:\WINDOWS\system32\Drivers\xbreader.sys
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c0f80e-15ae-11da-aa24-00904bf40e21}]
    \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c0f80f-15ae-11da-aa24-00904bf40e21}]
    \Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c036955-d5f0-11da-aaa1-00904bf40e21}]
    \Shell\AutoRun\command - E:\PortableFirefox\PortableFirefox.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c92bbc61-ded1-11da-aaa2-000fb0745ca3}]
    \Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deb960f0-5a6d-11db-aae2-00904bf40e21}]
    \Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-23 11:49:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C:\\Program Files\\1&1\\1&1 EasyLogin\\EasyLogin.exe"="\"1&1 EasyLogin\" HIDE"
    .
    Completion time: 2007-11-23 11:51:11
    .
    --- E O F ---
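
    The "Reg Loading Points" section of the ComboFix log above is where the persistence shows: BHO CLSIDs with no DLL behind them, a Run value named Snte that launches a logonui.exe from My Documents, a value named Nsf whose target r?ndll32.exe under ?ssembly contains a character the log could not print (the editor reads it as a non-ASCII lookalike of rundll32.exe), and files such as mefereh77798.exe and mewocykov83122.dll with a random-letter stem and a numeric tail. The Python below is an added example by the editor, not ComboFix's code and not the helper's: it parses that section's line shapes and applies those heuristics to a sample cut from the log above, keeping two entries (ctfmon.exe and ZoneAlarm Client) that should not be flagged. One assumption about the format is built in: ComboFix prints a date/size prefix before a file it could read, so a bare path or an empty [] tag is treated as a target that was missing or unreadable at scan time.

```python
"""Triage of autostart entries from a ComboFix "Reg Loading Points" dump.

Added example by the editor; not ComboFix code. The heuristics and the
reading of the log format below are the editor's assumptions.
"""
import re

# Sample cut from the ComboFix log in this thread (two benign entries kept
# as controls: ctfmon.exe and ZoneAlarm Client).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27767020-BB95-9333-B598-B66EFC9C96B7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33D3BF68-7617-4975-BA46-83A2A604A4E3}]
2007-08-02 08:43 282624 --a------ C:\Program Files\Internet Explorer\mewocykov83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B729991-E1EC-4CB3-90C0-033B74928E66}]
C:\WINDOWS\system32\sstqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Snte"="C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" []
"Nsf"="C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"mefereh"="C:\Program Files\NetMeeting\mefereh77798.exe" [2007-08-07 15:30]
"""

BHO_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
RUN_KEY = re.compile(r"^\[HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
                     r"\\CurrentVersion\\Run\]$", re.I)
RUN_VAL = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# Optional "date time size attrs " prefix that ComboFix prints for files it could stat.
FILE_LINE = re.compile(r"^(?P<meta>\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ )?(?P<path>[A-Za-z]:\\.*)$")

# Names of Windows binaries that malware likes to borrow; legitimate copies live
# under the Windows directory, so a copy anywhere else is worth a look.
SYSTEM_NAMES = {"logonui.exe", "rundll32.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "services.exe", "smss.exe", "csrss.exe", "explorer.exe", "ctfmon.exe"}
RANDOM_NAME = re.compile(r"^[a-z]{4,}\d{4,}\.(?:exe|dll)$")
PROFILE_DIR = re.compile(r"\\(?:documents and settings|docume~1)\\")


def parse(text):
    """Return BHO and Run entries as dicts: kind, id, path, stamp (file was readable)."""
    entries, section, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_KEY.match(line)
        if m:                                   # a BHO key; its DLL line, if any, follows
            pending = {"kind": "bho", "id": m.group(1), "path": "", "stamp": False}
            entries.append(pending)
            section = "bho"
        elif RUN_KEY.match(line):
            section, pending = "run", None
        elif line.startswith("["):              # some other key: skip its body
            section, pending = None, None
        elif section == "bho" and pending is not None:
            m = FILE_LINE.match(line)
            if m:
                pending["path"] = m.group("path")
                pending["stamp"] = bool(m.group("meta"))
            pending = None
        elif section == "run":
            m = RUN_VAL.match(line)
            if m:
                entries.append({"kind": "run", "id": m.group("name"), "path": m.group("path"),
                                "stamp": bool(m.group("stamp").strip())})
    return entries


def assess(entry):
    """List the reasons an entry deserves attention; empty list means nothing noted."""
    path = entry["path"]
    if not path:
        return ["BHO CLSID registered but no DLL listed for it"]
    low = path.lower()
    folder, _, base = low.rpartition("\\")
    reasons = []
    if "?" in path:                             # ComboFix printed '?' for a character it could not render
        reasons.append("unprintable character in path (lookalike of a system file name)")
    if base in SYSTEM_NAMES and not folder.endswith(("\\windows", "\\windows\\system32")):
        reasons.append("system binary name outside the Windows directory")
    if not entry["stamp"]:
        reasons.append("no file date/size recorded: target missing or unreadable at scan time")
    if RANDOM_NAME.match(base):
        reasons.append("random-looking name with numeric suffix")
    if entry["kind"] == "run" and PROFILE_DIR.search(low):
        reasons.append("autostart from a user profile directory")
    return reasons


def triage(text):
    """Map entry id (Run value name or BHO CLSID) to its reasons, flagged entries only."""
    return {e["id"]: r for e in parse(text) if (r := assess(e))}


if __name__ == "__main__":
    for ident, reasons in triage(SAMPLE).items():
        print(ident)
        for r in reasons:
            print("   -", r)
```

    The output lists every entry the helper went on to remove and nothing else from the sample; the value of writing the checks down is that the same five rules (orphaned CLSID, borrowed system name, unreadable target, letters-plus-digits name, profile-directory autostart) can be run over the next ComboFix log before a human reads it line by line.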

    #9 Junior Member. Joined: Nov 2007. Posts: 19

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:53:28 AM, on 11/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\LxrJD31s.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Norton Ghost\Agent\VProTray.exe
    C:\Program Files\NetMeeting\mefereh77798.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\Program Files\No-IP\DUC20.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mymail.rit.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {33D3BF68-7617-4975-BA46-83A2A604A4E3} - C:\Program Files\Internet Explorer\mewocykov83122.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {B823A847-BCF5-46B4-84D6-F8D34ED4C766} - \
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
    O4 - HKLM\..\Run: [mefereh] C:\Program Files\NetMeeting\mefereh77798.exe
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9278] command /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6960] cmd /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
    O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" --ru -vt yazb
    O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O4 - Global Startup: D-Link REG Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Shawn\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Shawn\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
    O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe
    O9 - Extra button: Golden Riviera Poker - {85BFB6E0-96F9-4424-8819-1D67E9F78D33} - C:\Program Files\goldenrivieraMPP\MPPoker.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 11031 bytes

  10. #10
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    Thanks for returning your information; looking at the uninstall list for security issues:
    Uninstall List:
    J2SE Development Kit 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2
    See this: http://forums.spybot.info/showpost.p...80&postcount=2
    Download the newest version of Java and uninstall all old versions in Add Remove programs.

    I see someone likes Poker... I really see nothing like OIN, etc., that I was looking for. You should look to be sure you know all the programs you have installed.

    Some questions first: I normally remove all downloaded program files dealing with poker and betting because these "free" games are often bundled with adware. I will leave them in your log; you can check and remove them if you wish. My suggestion from a security standpoint is to either play online or purchase the game so you can read the EULA before you install it. Free rarely is.

    This one, I need to know if you use NetMeeting:
    C:\Program Files\NetMeeting\mefereh77798.exe <<< there is little doubt that file is bad, but the folder may need to go also. The hackers call their junk what they wish; you should look in that folder, and if it was all installed at the time of this infection (probably Files Created from 2007-10-23 to 2007-11-23), then you should delete the complete folder. I will ask you to make that call.

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
    http://russelltexas.com/malware/teatimer.htm

    4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {33D3BF68-7617-4975-BA46-83A2A604A4E3} - C:\Program Files\Internet Explorer\mewocykov83122.dll
    O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
    O2 - BHO: (no name) - {B823A847-BCF5-46B4-84D6-F8D34ED4C766} - \
    O4 - HKLM\..\Run: [mefereh] C:\Program Files\NetMeeting\mefereh77798.exe
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9278] command /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6960] cmd /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" --ru -vt yazb
    O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
    O4 - Startup: PowerReg Scheduler.exe
    O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    5) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\Program Files\NetMeeting\mefereh77798.exe <<< delete at least that file (the folder if you find it is bad, which I believe it is)

    C:\DOCUME~1\Shawn\MYDOCUMENTS & SETTINGS~1\SKS~1\ <<< delete that folder

    C:\Documents and Settings\Shawn\Application Data\?ssembly\ <<< delete that folder

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of that "Recovery" folder
    http://ict.cas.psu.edu/training/howt...vespybot.htm#1 <<< see this

    C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\ <<< Java cache is infected, delete the contents
    See this >>> http://support.f-secure.com/enu/home...avacache.shtml

    C:\Documents and Settings\Shawn\Local Settings\Temp\ <<< delete the contents of that Temp folder

    C:\temp\ <<< delete the contents of that temp folder

    6) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post a new HJT log along with some feedback.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
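As an added example (not part of this thread, nor code from HijackThis or Spybot), here is a small Python triage of HJT-format log lines that applies the same cues the helper uses above: anonymous "(no name)" BHOs, "(file missing)" orphans, random-looking names with a long digit suffix, "?" in a path (a non-ASCII character), and autoruns launched from user-writable folders. The sample lines are constructed after the log in this thread; the regexes and thresholds are my own assumptions, not HJT's rules.

```python
import re

# Constructed sample entries in HijackThis log format, modelled on this thread's log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33D3BF68-7617-4975-BA46-83A2A604A4E3} - C:\Program Files\Internet Explorer\mewocykov83122.dll
O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mefereh] C:\Program Files\NetMeeting\mefereh77798.exe
O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)
"""

# "O4 - ..." / "R1 - ..." section prefix, then the rest of the entry.
LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# First Windows path to an executable-type file in the entry, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys))"?', re.IGNORECASE)
# Assumed heuristic: a run of letters followed by 4+ digits, e.g. mefereh77798.exe.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,}\d{4,}\.(?:exe|dll)$", re.IGNORECASE)
# Assumed heuristic: autostart locations a normal installer does not write to.
USER_WRITABLE_RE = re.compile(r"\\(Application Data|My Documents|Local Settings|Temp)\\", re.IGNORECASE)


def triage_line(line):
    """Return (section, path, reasons) for one HJT line, or None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else ""
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if "(no name)" in body:
        reasons.append("anonymous entry")
    if "(file missing)" in body:
        reasons.append("orphaned: file missing")
    if "?" in path:
        reasons.append("non-ASCII character in path")
    if RANDOM_NAME_RE.match(name):
        reasons.append("random-looking file name")
    if section == "O4" and USER_WRITABLE_RE.search(path):
        reasons.append("autorun from user-writable folder")
    return section, path, reasons


def triage(log_text):
    """Return only the entries that raised at least one reason, in log order."""
    return [r for r in map(triage_line, log_text.splitlines()) if r and r[2]]
```

Run `triage(SAMPLE_LOG)` and the Adobe and ATI entries drop out while the five entries the helper singled out remain, each with the cue that flagged it.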
