View Full Version : VundoFix unsuccessful, suffering..
sharloff
2007-07-23, 07:02
I've tried VundoFix to remove whatever vundo issues I'm having, but new variants continue to pop-up (tried it about 7 times). Spyware Doctor and Windows Defender have been unsuccessful in remove whatever it is. I've searched a little and see I should post this HiJackThis log.. I renamed it to scanner.exe. PLEEASE HELP.
Logfile of HijackThis v1.99.1
Scan saved at 11:38:58 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\SpyBlocker Software\spyblocker.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\AOL\1139272921\ee\aolsoftware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\downloads\Spyware and Virus Removal\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Richard Harloff\Application Data\Mozilla\Profiles\default\pzpf7dj5.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24B7312E-C858-4D18-A7C3-82DD73ADF7BC} - C:\WINDOWS\system32\ssttu.dll (file missing)
O2 - BHO: (no name) - {24DCE5F8-046B-49BD-B6D3-329D2CD109E1} - C:\WINDOWS\system32\pmkhe.dll
O2 - BHO: (no name) - {2E54B7F6-DE76-4C1B-871F-B14B51B24197} - (no file)
O2 - BHO: (no name) - {2FA34524-9A23-4A97-BE07-5D4EE6E7DD24} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {75EF3E0D-579A-4DE5-92F2-42B2597CEFA0} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {7FAB2C3B-5711-4684-A89D-C74855B71D5B} - C:\WINDOWS\system32\sstqp.dll (file missing)
O2 - BHO: (no name) - {CFBE846B-0984-46B5-BDC3-81BC6422156F} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\wvurolj.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120277472812
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: gebcd - C:\WINDOWS\
O20 - Winlogon Notify: mlljj - C:\WINDOWS\
O20 - Winlogon Notify: pmkhe - C:\WINDOWS\system32\pmkhe.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvurolj - C:\WINDOWS\SYSTEM32\wvurolj.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Angelfire777
2007-07-23, 13:26
Hi, welcome to Safer Networking Forums!
Download combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)
1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
sharloff
2007-07-24, 00:02
Thanks Angelfire777 for you quick response! I followed your instructons, and here are the results you requested:
First: Combofix results
"Richard Harlolf" - 2007-07-23 16:24:04 - ComboFix 07-07-24 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\utqwujxh.dll
C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\ehkmp.bak2
C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\ehkmp.ini2
C:\WINDOWS\system32\ehkmp.tmp
C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\ehkmp.bak2
C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\ehkmp.ini2
C:\WINDOWS\system32\ehkmp.tmp
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\wvurolj.dll
C:\WINDOWS\system32\wvurolj.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\alntyxxw.exe
C:\WINDOWS\system32\dlyaphlp.exe
C:\WINDOWS\system32\drwxxrcm.exe
C:\WINDOWS\system32\kgtjnplq.exe
C:\WINDOWS\system32\pulsfoso.exe
C:\WINDOWS\system32\vqseirhw.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))
2007-07-23 16:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 16:11 126,016 --a------ C:\WINDOWS\system32\ynxykero.dll
2007-07-23 00:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-22 23:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-22 23:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-22 22:49 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-22 22:43 <DIR> d-------- C:\d699c879b0f39e6c438ff35b32d13e
2007-07-22 21:36 6,488 --ahs---- C:\WINDOWS\system32\acbeg.bak1
2007-07-22 21:08 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-22 20:27 6,488 --ahs---- C:\WINDOWS\system32\jjllm.bak1
2007-07-22 03:05 6,529 --ahs---- C:\WINDOWS\system32\dcbeg.bak1
2007-07-22 00:32 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-07-22 00:32 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-07-22 00:32 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-07-22 00:32 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-07-22 00:32 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-07-22 00:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-22 00:32 <DIR> d-------- C:\DOCUME~1\RICHAR~1\APPLIC~1\PC Tools
2007-07-21 23:17 7,138 --ahs---- C:\WINDOWS\system32\knnmp.ini2
2007-07-21 22:54 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-21 22:52 <DIR> d-------- C:\Program Files\Disk Space Inspector
2007-07-21 22:35 <DIR> d-------- C:\Program Files\LookInMyPC
2007-07-21 19:57 1,793,405 --ahs---- C:\WINDOWS\system32\pqtss.bak2
2007-07-20 22:52 <DIR> d-------- C:\WINDOWS\vbSkinner
2007-07-20 22:52 <DIR> d-------- C:\Program Files\PortTrigger
2007-07-20 22:17 6,488 --ahs---- C:\WINDOWS\system32\pqtss.bak1
2007-07-19 15:57 4,026 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-18 23:55 10,485 --a------ C:\dnsbak.reg
2007-07-18 23:39 <DIR> d-------- C:\VundoFix Backups
2007-07-16 00:27 <DIR> d-------- C:\Program Files\QuickTime
2007-07-16 00:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-11 00:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-22 03:25:03 -------- d-----w C:\Program Files\mIRC
2007-07-16 04:25:24 -------- d-----w C:\Program Files\Apple Software Update
2007-07-12 20:49:17 -------- d-----w C:\Program Files\Absolute Poker
2007-06-25 22:10:59 -------- d-----w C:\DOCUME~1\RICHAR~1\APPLIC~1\AdobeAUM
2007-06-20 14:19:29 -------- d-----w C:\Program Files\FlashFXP
2007-06-06 14:22:40 -------- d-----w C:\Program Files\iTunes
2007-06-06 14:22:27 -------- d-----w C:\Program Files\iPod
2007-06-04 19:28:52 -------- d-----w C:\Program Files\AIM6
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-09-06 23:21:05 45,639,680 ----a-w C:\Program Files\iPod for Windows 2006-06-28.msi
2006-09-06 23:20:53 740,864 ----a-w C:\Program Files\1033.MST
2006-09-06 23:19:14 4,632 ----a-w C:\Program Files\0x0409.ini
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24B7312E-C858-4D18-A7C3-82DD73ADF7BC}]
C:\WINDOWS\system32\ssttu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E54B7F6-DE76-4C1B-871F-B14B51B24197}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FA34524-9A23-4A97-BE07-5D4EE6E7DD24}]
C:\WINDOWS\system32\pmkjg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75EF3E0D-579A-4DE5-92F2-42B2597CEFA0}]
C:\WINDOWS\system32\pmnlk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FAB2C3B-5711-4684-A89D-C74855B71D5B}]
C:\WINDOWS\system32\sstqp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFBE846B-0984-46B5-BDC3-81BC6422156F}]
C:\WINDOWS\system32\mljgh.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-26 01:12]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 11:33]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 16:05]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" [2004-06-25 10:59]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-07-25 13:04]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 21:30]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-05-31 03:13]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-04-19 11:07]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 20:24]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 17:13]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
C:\Documents and Settings\Richard Harloff\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\MemTurbo30\MemTurbo.exe [2005-01-01 13:52:59]
Microsoft Office Shortcut Bar.lnk - C:\WINDOWS\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe [2005-01-02 12:58:21]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-01-14 18:59:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljj]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnk]
C:\WINDOWS\system32\pmnnk.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R1 AmdK8;AMD Athlon64 Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 eabfiltr;EABFiltr;\??\C:\WINDOWS\system32\drivers\EABFiltr.sys
R1 IKFileFlt;File Filter Driver;C:\WINDOWS\system32\drivers\ikfileflt.sys
R1 IKFileSec;File Security Driver;C:\WINDOWS\system32\drivers\ikfilesec.sys
R1 IkSysFlt;System Filter Driver;C:\WINDOWS\system32\drivers\iksysflt.sys
R1 IKSysSec;System Security Driver;C:\WINDOWS\system32\drivers\iksyssec.sys
R1 ISODrive;ISO CD-ROM Device Driver;\??\C:\Program Files\UltraISO\drivers\ISODrive.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 MCSTRM;MCSTRM;C:\WINDOWS\system32\drivers\MCSTRM.sys
R2 pciinfo;HP Pci Information;\??\C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
S3 eabusb;eabusb;\??\C:\WINDOWS\system32\drivers\eabusb.sys
S3 usb_rndisx;USB RNDIS Adapter;C:\WINDOWS\system32\DRIVERS\usb8023x.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
Contents of the 'Scheduled Tasks' folder
2007-07-16 04:25:32 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-23 20:49:32 C:\WINDOWS\tasks\MP Scheduled Scan.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 16:47:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-23 16:52:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-23 16:52
--- E O F ---
sharloff
2007-07-24, 00:03
Logfile of HijackThis v1.99.1
Scan saved at 4:58:55 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SpyBlocker Software\spyblocker.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\AOL\1139272921\ee\aolsoftware.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\downloads\Spyware and Virus Removal\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Richard Harloff\Application Data\Mozilla\Profiles\default\pzpf7dj5.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24B7312E-C858-4D18-A7C3-82DD73ADF7BC} - C:\WINDOWS\system32\ssttu.dll (file missing)
O2 - BHO: (no name) - {2E54B7F6-DE76-4C1B-871F-B14B51B24197} - (no file)
O2 - BHO: (no name) - {2FA34524-9A23-4A97-BE07-5D4EE6E7DD24} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {75EF3E0D-579A-4DE5-92F2-42B2597CEFA0} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {7FAB2C3B-5711-4684-A89D-C74855B71D5B} - C:\WINDOWS\system32\sstqp.dll (file missing)
O2 - BHO: (no name) - {CFBE846B-0984-46B5-BDC3-81BC6422156F} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120277472812
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: gebcd - C:\WINDOWS\
O20 - Winlogon Notify: mlljj - C:\WINDOWS\
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
sharloff
2007-07-24, 03:51
I noticed upon rebooting my system, Spyware Doctor is finding and eliminating multiple things that are somehow connected to my host: 127.0.0.1. Some of the names were ad.microsoft.com, xx.amazon.com, etc.. There are about 7-10 "things" it removes upon every system reboot.
Just thought I'd throw that in there.
Angelfire777
2007-07-24, 11:58
*Uninstall the items in bold if found:
Weatherbug
If you only have the free version of the program, I recommend that you uninstall it because it is heavily ad-supported, which may be annoying for some users.
Absolute poker
The sites in which you play these games are known vectors for malware. If you do not play this, I recommend you uninstall it. Another good alternative if you want to play poker is this: www.pokerstars.net
__________
Download HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip) by FunkyToad
Unzip the program and run it.
Click "Restore Original Hosts", click "OK"
Exit the program.
Combofix Deletions
Right click on your desktop, select "new" then choose "New text Document"
Name it as "CFScript"
Copy and paste the text inside the code box below to CFScript.txt
File::
C:\WINDOWS\system32\ynxykero.dll
C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\pqtss.bak1
Folder::
C:\Program Files\AWS (include this line of you uninstalled weatherbug)
C:\Program Files\Absolute Poker (include this line of you uninstalled absolute poker)
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24B7312E-C858-4D18-A7C3-82DD73ADF7BC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E54B7F6-DE76-4C1B-871F-B14B51B24197}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FA34524-9A23-4A97-BE07-5D4EE6E7DD24}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75EF3E0D-579A-4DE5-92F2-42B2597CEFA0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FAB2C3B-5711-4684-A89D-C74855B71D5B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFBE846B-0984-46B5-BDC3-81BC6422156F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}] (include this line if you uninstalled weatherbug)
Save it.
Drag and drop CFScript.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
http://img263.imageshack.us/img263/9894/cfscriptno0.gif
Combofix wil restart your machine then it will produce a log afterwards.
Please post the contents of that log along with a fresh HijackThis log.
_______________
Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u2 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.
_______________
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
sharloff
2007-07-24, 19:33
Weatherbug and Absolute Poker are programs I had already uninstalled. I see the folders were left behind, but they shouldn't be active.. ? I deleted the remaining folders.
I downloaded and ran HostsXpert. If that was too correct the issue of Spyware Doctor finding malicious activites to block when my computer boots, it didn't work. After the reboot, Spyware Doctor still produced the "ads.microsoft.com" messages it was blocking.
Combofix log:
"Richard Harlolf" - 2007-07-24 9:15:34 - ComboFix 07-07-24 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Richard Harlolf\Desktop\CFScript.txt
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\ljjhgfd.dll
C:\WINDOWS\system32\ljjhgfd.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\hosts
C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\ynxykero.dll
((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))
2007-07-23 16:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 00:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-22 23:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-22 23:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-22 22:49 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-22 22:43 <DIR> d-------- C:\d699c879b0f39e6c438ff35b32d13e
2007-07-22 21:08 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-22 00:32 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-07-22 00:32 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-07-22 00:32 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-07-22 00:32 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-07-22 00:32 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-07-22 00:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-22 00:32 <DIR> d-------- C:\DOCUME~1\RICHAR~1\APPLIC~1\PC Tools
2007-07-21 22:54 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-21 22:52 <DIR> d-------- C:\Program Files\Disk Space Inspector
2007-07-21 22:35 <DIR> d-------- C:\Program Files\LookInMyPC
2007-07-20 22:52 <DIR> d-------- C:\WINDOWS\vbSkinner
2007-07-20 22:52 <DIR> d-------- C:\Program Files\PortTrigger
2007-07-19 15:57 4,026 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-18 23:55 10,485 --a------ C:\dnsbak.reg
2007-07-18 23:39 <DIR> d-------- C:\VundoFix Backups
2007-07-16 00:27 <DIR> d-------- C:\Program Files\QuickTime
2007-07-16 00:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-11 00:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-24 03:17:22 -------- d-----w C:\Program Files\Netscape
2007-07-24 03:05:36 -------- d-----w C:\Program Files\Lavasoft
2007-07-24 03:05:33 -------- d-----w C:\DOCUME~1\RICHAR~1\APPLIC~1\Lavasoft
2007-07-22 03:25:03 -------- d-----w C:\Program Files\mIRC
2007-07-16 04:25:24 -------- d-----w C:\Program Files\Apple Software Update
2007-06-25 22:10:59 -------- d-----w C:\DOCUME~1\RICHAR~1\APPLIC~1\AdobeAUM
2007-06-20 14:19:29 -------- d-----w C:\Program Files\FlashFXP
2007-06-06 14:22:40 -------- d-----w C:\Program Files\iTunes
2007-06-06 14:22:27 -------- d-----w C:\Program Files\iPod
2007-06-04 19:28:52 -------- d-----w C:\Program Files\AIM6
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-09-06 23:21:05 45,639,680 ----a-w C:\Program Files\iPod for Windows 2006-06-28.msi
2006-09-06 23:20:53 740,864 ----a-w C:\Program Files\1033.MST
2006-09-06 23:19:14 4,632 ----a-w C:\Program Files\0x0409.ini
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-26 01:12]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 11:33]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 16:05]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" [2004-06-25 10:59]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-07-25 13:04]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 21:30]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-05-31 03:13]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-04-19 11:07]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 20:24]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 17:13]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
C:\Documents and Settings\Richard Harloff\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\MemTurbo30\MemTurbo.exe [2005-01-01 13:52:59]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R1 AmdK8;AMD Athlon64 Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 eabfiltr;EABFiltr;\??\C:\WINDOWS\system32\drivers\EABFiltr.sys
R1 IKFileFlt;File Filter Driver;C:\WINDOWS\system32\drivers\ikfileflt.sys
R1 IKFileSec;File Security Driver;C:\WINDOWS\system32\drivers\ikfilesec.sys
R1 IkSysFlt;System Filter Driver;C:\WINDOWS\system32\drivers\iksysflt.sys
R1 IKSysSec;System Security Driver;C:\WINDOWS\system32\drivers\iksyssec.sys
R1 ISODrive;ISO CD-ROM Device Driver;\??\C:\Program Files\UltraISO\drivers\ISODrive.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 MCSTRM;MCSTRM;C:\WINDOWS\system32\drivers\MCSTRM.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
S2 pciinfo;HP Pci Information;\??\C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys
S3 eabusb;eabusb;\??\C:\WINDOWS\system32\drivers\eabusb.sys
S3 usb_rndisx;USB RNDIS Adapter;C:\WINDOWS\system32\DRIVERS\usb8023x.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
Contents of the 'Scheduled Tasks' folder
2007-07-16 04:25:32 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-24 13:25:35 C:\WINDOWS\tasks\MP Scheduled Scan.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 09:23:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-24 9:27:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-24 09:27
C:\ComboFix2.txt ... 2007-07-23 16:52
--- E O F ---
sharloff
2007-07-24, 19:34
I'll be running Kaspersky Online right after this post, and I will post it at 4:30pm EST.
Here is the latest HiJackThis log.
Thanks again.
Logfile of HijackThis v1.99.1
Scan saved at 12:31:00 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SpyBlocker Software\spyblocker.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\AOL\1139272921\ee\aolsoftware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
c:\program files\common files\aol\1139272921\ee\aim6.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\downloads\Spyware and Virus Removal\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120277472812
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
sharloff
2007-07-24, 19:40
Oh, and I just installed the latest Java from your link. :)
sharloff
2007-07-24, 23:14
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 24, 2007 4:09:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 24/07/2007
Kaspersky Anti-Virus database records: 367171
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 82494
Number of viruses found: 14
Number of infected objects: 64
Number of suspicious objects: 0
Duration of the scan process: 01:49:54
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-07222007-210949.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard Harloff\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Richard Harloff\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1105BAE2-99EB-4288-A24F-7581914C52F8} Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{70832B54-1F0D-47A2-81B0-73D1B6B60AAC} Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A6810605-99C7-418F-8E14-C4D801C3BEE9} Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C388D2E3-A232-43B1-A95D-9AC243F98650} Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\History\History.IE5\MSHist012007072420070725\index.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\Perflib_Perfdata_998.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\Perflib_Perfdata_e28.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\~DF620D.tmp Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\~DF621A.tmp Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\~DFB62F.tmp Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\ntuser.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\ntuser.dat.LOG Object is locked skipped
C:\downloads\Fish_Patched_mIRC_6.16.rar/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\downloads\Fish_Patched_mIRC_6.16.rar RAR: infected - 1 skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\1JJ1EZDA.NQF/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\ESET\infected\1JJ1EZDA.NQF/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\ESET\infected\1JJ1EZDA.NQF RarSFX: infected - 2 skipped
C:\Program Files\ESET\infected\1JJ1EZDA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\4Z5EWNCA.NQF Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\ESET\infected\51EZLKDA.NQF/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Program Files\ESET\infected\51EZLKDA.NQF WiseSFX: infected - 1 skipped
C:\Program Files\ESET\infected\51EZLKDA.NQF WiseSFX Dropper: infected - 1 skipped
C:\Program Files\ESET\infected\51EZLKDA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\infected\55YA1KCA.NQF Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\ESET\infected\AXDMVHDA.NQF Infected: Trojan.Win32.Agent.apt skipped
C:\Program Files\ESET\infected\BTJEBYCA.NQF/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Program Files\ESET\infected\BTJEBYCA.NQF/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Program Files\ESET\infected\BTJEBYCA.NQF NSIS: infected - 2 skipped
C:\Program Files\ESET\infected\BTJEBYCA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\I55S1BDA.NQF Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\ESET\infected\JKC5XEBA.NQF Infected: Trojan.Win32.Agent.apt skipped
C:\Program Files\ESET\infected\MJUTB2BA.NQF Infected: Trojan.Win32.Agent.apt skipped
C:\Program Files\ESET\infected\Q2YPIPDA.NQF/data0007 Infected: Trojan-Downloader.Win32.Zlob.bmx skipped
C:\Program Files\ESET\infected\Q2YPIPDA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\Q2YPIPDA.NQF UPX: infected - 1 skipped
C:\Program Files\ESET\infected\Q2YPIPDA.NQF PE_Patch.UPX: infected - 1 skipped
C:\Program Files\ESET\infected\Q2YPIPDA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\alntyxxw.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dlyaphlp.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drwxxrcm.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kgtjnplq.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljjhgfd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmkhe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pulsfoso.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vqseirhw.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wvurolj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP393\A0072556.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP394\A0072574.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0073670.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0073671.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0073672.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074692.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074693.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074694.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074695.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074696.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074703.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074704.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP405\A0076332.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP408\change.log Object is locked skipped
C:\VundoFix Backups\jkhhh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\mljgh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\nvrukvga.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\pmkjg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\pmnlk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\qvgoitij.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\ssoykhbb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\sstqo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\sstqp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\ssttu.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\thpuyuyo.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\uxluhuhy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\vtsqp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\wajoqcvk.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\xmxqudqm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D23F129E-2C18-45A7-A69C-C92F15CCCB8A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Angelfire777
2007-07-25, 12:17
Hi,
I downloaded and ran HostsXpert. If that was too correct the issue of Spyware Doctor finding malicious activites to block when my computer boots, it didn't work. After the reboot, Spyware Doctor still produced the "ads.microsoft.com" messages it was blocking.
Please click start > run > copy and paste this command:
cmd /c start notepad "%windir%\system32\drivers\etc\hosts"
A notepad will appear, please post all of its contents on your next reply..
__________
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
*Using windows explorer,
Delete the following folders:
C:\QooBox <<combofix backup
C:\VundoFix Backups
Delete all the contents of the following folder:
C:\Program Files\ESET\infected <<Nod32 quarantine
empty your recycle bin.
Reboot then please post a fresh HijackThis log along with the contents of the notepad file.
sharloff
2007-07-25, 19:20
Please click start > run > copy and paste this command:
cmd /c start notepad "%windir%\system32\drivers\etc\hosts"
A notepad will appear, please post all of its contents on your next reply..
__________
When I try to post, I get this:
The following errors occurred when this message was submitted:
The text that you have entered is too long (885933 characters). Please shorten it to 20000 characters long.
When I try to upload, I get this:
Upload Errors
hosts.txt:
Your file of 865.4 KB bytes exceeds the forum's limit of 19.5 KB for this filetype.
What should I do?
sharloff
2007-07-25, 19:35
Logfile of HijackThis v1.99.1
Scan saved at 12:30:49 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\SpyBlocker Software\spyblocker.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\AOL\1139272921\ee\aolsoftware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
c:\program files\common files\aol\1139272921\ee\aim6.exe
C:\downloads\Spyware and Virus Removal\scanner.exe
C:\WINDOWS\system32\msiexec.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120277472812
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
sharloff
2007-07-25, 22:07
I realized that SpyBlocker was making changes to the hosts file upon start-up. I removed this program, and re-ran HostsXpert. No problems upon rebooting.
Angelfire777
2007-07-26, 12:33
That was odd.. As I have no experience with Spyblocker, I can't exaplain what's happening..It is possible though that Spyblocker is protecting you by adding entries in the hosts file and Spyware Doctor thinks that the entries put by Spy blocker are bad..
Congratulations! Your log looks clean!
This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.
Firewall Application - Although Windows Xp comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other Firewall that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.
» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http//www.sunbelt-software.com/Kerio-Download.cfm)
Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)
IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.
Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Happy safe surfing!
sharloff
2007-07-26, 20:31
I did a Kaspersky scan last night, here are the results:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 26, 2007 1:27:16 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 26/07/2007
Kaspersky Anti-Virus database records: 367785
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 84783
Number of viruses found: 6
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 01:50:06
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-07222007-210949.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard Harloff\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Richard Harloff\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{24907338-F8DC-4B1D-8CB0-9BFC346D6664} Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\Perflib_Perfdata_5c8.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\~DF8353.tmp Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temp\~DF8362.tmp Object is locked skipped
C:\Documents and Settings\Richard Harloff\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\ntuser.dat Object is locked skipped
C:\Documents and Settings\Richard Harloff\ntuser.dat.LOG Object is locked skipped
C:\downloads\Fish_Patched_mIRC_6.16.rar/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\downloads\Fish_Patched_mIRC_6.16.rar RAR: infected - 1 skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP393\A0072556.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP394\A0072574.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0073670.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0073671.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0073672.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074692.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074693.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074694.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074695.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074696.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074703.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP399\A0074704.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP405\A0076332.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP410\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0813B144-C9AE-478F-9FFE-0D99506548F2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
sharloff
2007-07-26, 20:32
Some websites I go to, like aimtoday.com, pop a message box up when I visit them. The message box states its trying to install Windows Office 2003, and requests the startup disc for it.
Is there something fishy about this?
Angelfire777
2007-07-28, 04:14
Hi,
C:\Documents and Settings\Richard Harloff\Desktop\SmitfraudFix\Reboot.exe <<Is a tool used in Smitfraudfix..You can delete the smitfraudfix folder.
C:\Program Files\mIRC\mirc.exe
C:\downloads\Fish_Patched_mIRC_6.16.rar <<Something to do with mirc, kaspersky detects it as a risk tool but not a virus.
C:\System Volume Information <<Is a folder in where system backups are kept. It is only used when you access system restore and you will only be infected if you use system restore. I take it that you didn't follow my previous post..If you have cleared your system restore and created a new one just like what my previous instructions stated, those entries wouldn't be there..Overall, your machine is OK :)
Some websites I go to, like aimtoday.com, pop a message box up when I visit them. The message box states its trying to install Windows Office 2003, and requests the startup disc for it.
Is there something fishy about this?
Sorry but I'm not sure.. There's probably something that wants to open a microsoft office program..but I'm pretty sure it's not malware related.
You can ask about it here: www.pcpitstop.com You would need to register first though.
Please post back if you have any more concerns :)
sharloff
2007-07-30, 01:58
Thanks for all your help Angelfire777! I would not have been able to do it without your support.
Be well,
Steve
Angelfire777
2007-07-30, 13:16
It was my pleasure:bigthumb:
Angelfire777
2007-08-02, 14:35
Glad we could be of assistance :bigthumb:
Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.