Is this the line for Help?



Ken_P
2007-07-25, 21:47
Can someone please help me? I seem to have some really good bugs. I have done the preliminary things requested. After the online scan and cleaning, some missed seed began to re-sprout after only about 6 hours. I have seen many of the same names pop up that other posts refer to.
I normally use Firefox and cannot even get IE to start due to some file (navcancl). My IE cookie settings are constantly resetting themselves to the minimum (accept all cookies). I am not able to go back to any restore points. I am using a Linksys router and was using Defender and Avast when I was originally infected. Now I am using ZoneAlarm. All of my efforts to date have been unsuccessful.

Here is my HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:44 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
G:\Extra Documents\Dad's extra dcouments\spy stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.aol.com/puccini/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\tckgftrc.dll",forkonce
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "G:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [OM_Monitor] G:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.2.0.51g/cab/aolpPlugins.10.4.0.2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158171947181
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157823636773
O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - http://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/YgpUploader.9.3.2.3.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/honeycombs/install.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10309 bytes

steamwiz
2007-07-25, 23:21
Please download Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save to the desktop.

1. Double-click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply, together with a new HijackThis log.

Notes:
* Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect ComboFix as Worm.Qiv.100.

steam

Ken_P
2007-07-26, 00:45
Steamwiz, Thanks for helping!!!

Combofix Log:



"Dad" - 2007-07-25 14:47:53 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\qomlkjh.dll
C:\WINDOWS\system32\qomlkjh.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\uninstall information
C:\Program Files\curity~1
C:\Program Files\fnts~1
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\winpop
C:\temp\tn3
C:\WINDOWS\system32\B0
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B1\wr73.exe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B4
C:\WINDOWS\system32\B5
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\jigvnoqc.exe
C:\WINDOWS\system32\tqcillny.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-25 14:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-25 09:13 6,467 --ahs---- C:\WINDOWS\system32\bcefe.bak1
2007-07-25 09:13 228,960 --a------ C:\WINDOWS\system32\efecb.dll
2007-07-25 04:57 126,016 --a------ C:\WINDOWS\system32\tckgftrc.dll
2007-07-23 13:53 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-23 13:25 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\.housecall6.6
2007-07-20 20:48 1,804,400 ---hs---- C:\WINDOWS\system32\xabay.bak2
2007-07-20 08:48 6,365 ---hs---- C:\WINDOWS\system32\xabay.bak1
2007-07-20 07:31 <DIR> d-------- C:\VundoFix Backups
2007-07-18 10:20 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Yahoo!
2007-07-18 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-07-18 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\MailFrontier
2007-07-18 08:30 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-18 08:30 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-18 08:30 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-18 08:30 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-18 08:30 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-18 08:29 5,273,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-18 08:29 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-07-18 08:28 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-18 08:28 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-18 08:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-17 20:20 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Uniblue
2007-07-16 15:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-15 12:27 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-15 12:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Google Updater
2007-07-13 07:57 1,056,352 -r-hs---- C:\WINDOWS\zeepsezA.exe
2007-07-13 07:57 <DIR> d-------- C:\Temp\0c2
2007-07-13 07:56 <DIR> d-------- C:\Temp\brr
2007-07-03 16:39 <DIR> d-------- C:\DOCUME~1\MOM~1.FAM\APPLIC~1\Yahoo!
2007-07-01 15:05 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Ahead
2007-07-01 15:01 <DIR> d-------- C:\Program Files\Nero
2007-07-01 15:01 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-01 14:54 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Nero
2007-07-01 14:53 98,397 --a------ C:\WINDOWS\system32\Tppun.exe
2007-07-01 14:53 8,576 --a------ C:\WINDOWS\system32\drivers\Tppiosmp.sys
2007-07-01 14:53 34,132 --a------ C:\WINDOWS\system32\drivers\necusbbo.sys
2007-07-01 14:53 32,256 --a------ C:\WINDOWS\system32\drivers\Tppfx.sys
2007-07-01 14:53 282,624 --a------ C:\WINDOWS\Tppstray.exe
2007-07-01 14:53 282,624 --a------ C:\WINDOWS\Tppnttry.exe
2007-07-01 14:53 228,352 --a------ C:\WINDOWS\necusbdc.exe
2007-07-01 14:53 19,892 --a------ C:\WINDOWS\system32\drivers\ISBSTOR.SYS
2007-07-01 14:53 12,385 --a------ C:\WINDOWS\system32\Tppui32.dll
2007-07-01 14:53 118,784 --a------ C:\WINDOWS\Tppaldr.exe
2007-07-01 14:53 11,248 --a------ C:\WINDOWS\system32\Tppui16.dll
2007-07-01 14:53 10,092 --a------ C:\WINDOWS\system32\drivers\necusbdc.sys
2007-07-01 14:53 <DIR> d-------- C:\Program Files\Memorex External DVD Win98SE USB 2 Drivers - All


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 16:29:21 64,964 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-18 21:17:45 -------- d-----w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Lavasoft
2007-07-18 17:46:17 512,288 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-07-15 19:17:55 -------- d-----w C:\Program Files\Google
2007-06-26 17:44:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 13:19:32 -------- d-----w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\GTek
2007-06-21 19:45:44 -------- d-----w C:\Program Files\iPod
2007-06-21 19:33:51 -------- d-----w C:\Program Files\QuickTime
2007-06-21 19:25:12 -------- d-----w C:\Program Files\Apple Software Update
2007-06-21 19:21:21 -------- d-----w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Apple Computer
2007-05-27 16:27:38 -------- d-----w C:\Program Files\Yahoo!
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-11-22 15:07:14 784 ----a-w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\mpauth.dat
2004-02-09 16:16:46 3,794 ----a-w C:\Program Files\install_status.log
2003-10-08 02:40:00 68,976 ----a-w C:\Program Files\xpicleanup.exe
2003-10-08 02:40:00 6,112 ----a-w C:\Program Files\mozMapi32.dll
2003-10-08 02:40:00 51,712 ----a-w C:\Program Files\PalmSyncInstall.exe
2003-10-08 02:40:00 476 ----a-w C:\Program Files\softokn3.chk
2003-10-08 02:40:00 397,056 ----a-w C:\Program Files\softokn3.dll
2003-10-08 02:40:00 390,688 ----a-w C:\Program Files\nss3.dll
2003-10-08 02:40:00 34,416 ----a-w C:\Program Files\mozABConduit.dll
2003-10-08 02:40:00 31,744 ----a-w C:\Program Files\AccessibleMarshal.dll
2003-10-08 02:40:00 29,792 ----a-w C:\Program Files\plc4.dll
2003-10-08 02:40:00 25,424 ----a-w C:\Program Files\plds4.dll
2003-10-08 02:40:00 24,576 ----a-w C:\Program Files\nsldappr32v50.dll
2003-10-08 02:40:00 198,992 ----a-w C:\Program Files\msgbsutl.dll
2003-10-08 02:40:00 18,256 ----a-w C:\Program Files\PalmSyncProxy.dll
2003-10-08 02:40:00 173,200 ----a-w C:\Program Files\nspr4.dll
2003-10-08 02:40:00 144,880 ----a-w C:\Program Files\mozilla.exe
2003-10-08 02:40:00 14,624 ----a-w C:\Program Files\regxpcom.exe
2003-10-08 02:40:00 14,112 ----a-w C:\Program Files\MapiProxy.dll
2003-10-08 02:40:00 139,264 ----a-w C:\Program Files\nsldap32v50.dll
2003-10-08 02:40:00 130,672 ----a-w C:\Program Files\smime3.dll
2003-10-08 02:40:00 116,800 ----a-w C:\Program Files\ssl3.dll
2003-02-24 21:15:00 9,851 ----a-w C:\Program Files\readme.txt
1999-10-06 03:14:00 31,436 ----a-w C:\Program Files\license.txt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46BC317E-D1A6-4404-97BB-568D3E904DC9}]
C:\WINDOWS\system32\awtus.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48E59A08-CE1A-4DB9-B823-FD06F5FA4294}]
2007-07-25 09:13 228960 --a------ C:\WINDOWS\system32\efecb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8047F7B4-CFC8-46CC-8A00-0C2FC96A0171}]
C:\WINDOWS\system32\yabax.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{889B936E-089F-4309-93A3-0EEA2928AF85}]
C:\WINDOWS\system32\nnnlm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92BA3805-2651-43F6-ADFB-C79CBF50829F}]
C:\WINDOWS\system32\yabax.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A52F48F-B85A-4B40-BC4C-1E3C87EBB718}]
C:\WINDOWS\system32\geeca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d479a458-87a9-4424-bc84-effc5c1a74ff}]
C:\WINDOWS\system32\usubdwr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E241954B-0566-41ED-91B9-B011D9B68689}]
C:\Program Files\America Online 9.0c\nipyradiqC:\WINDOWS\system32\B0\mwspasrt83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8D08D88-A6F4-4052-97BC-40172A478CF4}]
C:\WINDOWS\system32\mllki.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-12-05 10:13]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"HostManager"="C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe" [2006-09-25 17:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"Cmaudio"="cmicnfg.cpl" []
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="G:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07]
"OM_Monitor"="G:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efecb]
C:\WINDOWS\system32\efecb.dll 2007-07-25 09:13 228960 C:\WINDOWS\system32\efecb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages :\WINDOWS\system32\srrstr.dll cli scecli scecli scecli scecli scecli scecli scecli scecli e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb99.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon07]
C:\WINDOWS\system32\hphmon07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD07]
C:\Program Files\Hewlett-Packard\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"G:\Extra Documents\Kareese extra docs\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
g:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
g:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
G:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScottsPaperManager]
"G:\Program Files\SBPaper\paper.exe" -autominimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wallpaper XE]
g:\Program Files\Amic Games\WallpaperXe\WallpaperXe.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

R0 prohlp02;StarForce Protection Helper Driver v2;C:\WINDOWS\system32\drivers\prohlp02.sys
R0 sfhlp01;StarForce Protection Helper Driver;C:\WINDOWS\system32\drivers\sfhlp01.sys
R0 srescan;srescan;C:\WINDOWS\system32\ZoneLabs\srescan.sys
R1 AFS2K;AFS2k;C:\WINDOWS\system32\drivers\AFS2K.sys
R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R1 prodrv06;StarForce Protection Environment Driver v6;C:\WINDOWS\system32\drivers\prodrv06.sys
R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 MLPTDR_B;MLPTDR_B;\??\C:\WINDOWS\System32\MLPTDR_B.sys
R3 cmpci;C-Media PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\cmaudio.sys
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12;C:\WINDOWS\system32\DRIVERS\HPZius12.sys
R3 LVUSBSta;Logitech USB Monitor Filter;C:\WINDOWS\system32\drivers\lvusbsta.sys
R3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
R3 PID_08A0;QuickCam IM(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
R3 usbaudio;USB Audio Driver (WDM);C:\WINDOWS\system32\drivers\usbaudio.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
S3 61883;61883 Unit Device;C:\WINDOWS\system32\DRIVERS\61883.sys
S3 Avc;AVC Device;C:\WINDOWS\system32\DRIVERS\avc.sys
S3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
S3 ENUM1394;%1394\031887&040892.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\enum1394.sys
S3 gameport;QS3000A PCI Joystick;C:\WINDOWS\system32\drivers\hwajoy.sys
S3 hidusb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
S3 MagicTune;MagicTune;C:\WINDOWS\system32\drivers\MTiCtwl.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 P2k;Motorola USB Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 QS3000A_A;QS3000A PCI AUDIO(WDM);C:\WINDOWS\system32\drivers\qs3a_wdm.sys
S3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
S3 usbser;Motorola USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
S3 usbvideo;USB Video Device (WDM);C:\WINDOWS\system32\Drivers\usbvideo.sys
S3 WpdUsb;WpdUsb;C:\WINDOWS\system32\DRIVERS\wpdusb.sys


Contents of the 'Scheduled Tasks' folder
2007-07-21 20:28:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-09 00:24:00 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7600#MY3A133067K3.job
2007-07-25 20:23:00 C:\WINDOWS\tasks\HP Usg Daily.job
2007-07-25 22:08:03 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 15:11:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25 15:18:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-25 15:17

--- E O F ---


~~~~~~~~~~~~~~~~~~~~~~~~~~

Ken_P
2007-07-26, 00:46
Steamwiz,


HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:08 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\Extra Documents\Dad's extra dcouments\spy stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.aol.com/puccini/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "G:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [OM_Monitor] G:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.2.0.51g/cab/aolpPlugins.10.4.0.2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158171947181
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157823636773
O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - http://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/YgpUploader.9.3.2.3.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/honeycombs/install.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9645 bytes

steamwiz
2007-07-26, 15:23
Hi Ken

You have a vundo trojan hiding from hijackthis...

Please rename the hijackthis.exe to Ken.exe ... re-run it & post the new log...

Among others it will show this file as an O2 & O20 entry :-

C:\WINDOWS\system32\efecb.dll

To remove this I need you to run this program :-

1. Please download VirtumundoBegone, and save it to your desktop.

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

2. Double-click on VirtumundoBeGone.exe and follow the instructions.

Do not worry if you see a BLUE SCREEN "Fatal Error" message; it is normal and expected.

3. When the process finishes, reboot.

4. Post the contents of the VBG.TXT file, which you will find on your desktop.

Then post a new hijackthis log...

-
So I need to see ...

1. A renamed hijackthis log taken before running VirtumundoBeGone
2. VBG.TXT file from VirtumundoBeGone
3. A hijackthis log taken after running VirtumundoBeGone

cheers

steam

steamwiz
2007-07-26, 15:31
Hi Ken

I've just noticed you've run vundofix ... would you post the C:\vundofix.txt please.

steam

Ken_P
2007-07-26, 19:32
Steamwiz,

HijackThis renamed to Ken ---------- Before VBG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:49 AM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
C:\WINDOWS\system32\gvtsvmxj.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\Extra Documents\Dad's extra dcouments\spy stuff\ken.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.aol.com/puccini/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {081766ED-D81F-4704-B9EE-1FA237E70844} - C:\WINDOWS\system32\efecb.dll
O2 - BHO: (no name) - {46BC317E-D1A6-4404-97BB-568D3E904DC9} - C:\WINDOWS\system32\awtus.dll (file missing)
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8047F7B4-CFC8-46CC-8A00-0C2FC96A0171} - C:\WINDOWS\system32\yabax.dll (file missing)
O2 - BHO: (no name) - {889B936E-089F-4309-93A3-0EEA2928AF85} - C:\WINDOWS\system32\nnnlm.dll (file missing)
O2 - BHO: (no name) - {92BA3805-2651-43F6-ADFB-C79CBF50829F} - C:\WINDOWS\system32\yabax.dll (file missing)
O2 - BHO: (no name) - {9A52F48F-B85A-4B40-BC4C-1E3C87EBB718} - C:\WINDOWS\system32\geeca.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {d479a458-87a9-4424-bc84-effc5c1a74ff} - C:\WINDOWS\system32\usubdwr.dll (file missing)
O2 - BHO: (no name) - {E241954B-0566-41ED-91B9-B011D9B68689} - C:\Program Files\America Online 9.0c\nipyradiqC:\WINDOWS\system32\B0\mwspasrt83122.exe.dll (file missing)
O2 - BHO: (no name) - {F8D08D88-A6F4-4052-97BC-40172A478CF4} - C:\WINDOWS\system32\mllki.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\eaoggjyw.dll",forkonce
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "G:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [OM_Monitor] G:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.2.0.51g/cab/aolpPlugins.10.4.0.2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158171947181
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157823636773
O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - http://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/YgpUploader.9.3.2.3.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/honeycombs/install.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: efecb - C:\WINDOWS\system32\efecb.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12073 bytes


==================================

Ken_P
2007-07-26, 19:37
Steamwiz,

Sorry, multiple posts are necessary due to size.

VBG.txt

[07/26/2007, 10:10:33] - VirtumundoBeGone v1.5 ( "G:\Extra Documents\Dad's extra dcouments\spy stuff\VirtumundoBeGone.exe" )
[07/26/2007, 10:10:41] - Detected System Information:
[07/26/2007, 10:10:41] - Windows Version: 5.1.2600, Service Pack 2
[07/26/2007, 10:10:41] - Current Username: Dad (Admin)
[07/26/2007, 10:10:41] - Windows is in NORMAL mode.
[07/26/2007, 10:10:41] - Searching for Browser Helper Objects:
[07/26/2007, 10:10:41] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
[07/26/2007, 10:10:41] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/26/2007, 10:10:41] - BHO 3: {081766ED-D81F-4704-B9EE-1FA237E70844} ()
[07/26/2007, 10:10:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:41] - Checking for HKLM\...\Winlogon\Notify\efecb
[07/26/2007, 10:10:41] - Found: HKLM\...\Winlogon\Notify\efecb - This is probably Virtumundo.
[07/26/2007, 10:10:41] - Assigning {081766ED-D81F-4704-B9EE-1FA237E70844} MSEvents Object
[07/26/2007, 10:10:41] - BHO list has been changed! Starting over...
[07/26/2007, 10:10:41] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
[07/26/2007, 10:10:41] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/26/2007, 10:10:41] - BHO 3: {081766ED-D81F-4704-B9EE-1FA237E70844} (MSEvents Object)
[07/26/2007, 10:10:41] - ALERT: Found MSEvents Object!
[07/26/2007, 10:10:41] - BHO 4: {46BC317E-D1A6-4404-97BB-568D3E904DC9} ()
[07/26/2007, 10:10:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:42] - Checking for HKLM\...\Winlogon\Notify\awtus
[07/26/2007, 10:10:42] - Key not found: HKLM\...\Winlogon\Notify\awtus, continuing.
[07/26/2007, 10:10:42] - BHO 5: {5A263CF7-56A6-4D68-A8CF-345BE45BC911} (Yahoo! IE Suggest)
[07/26/2007, 10:10:42] - BHO 6: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[07/26/2007, 10:10:42] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/26/2007, 10:10:42] - BHO 8: {8047F7B4-CFC8-46CC-8A00-0C2FC96A0171} ()
[07/26/2007, 10:10:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:42] - Checking for HKLM\...\Winlogon\Notify\yabax
[07/26/2007, 10:10:42] - Key not found: HKLM\...\Winlogon\Notify\yabax, continuing.
[07/26/2007, 10:10:42] - BHO 9: {889B936E-089F-4309-93A3-0EEA2928AF85} ()
[07/26/2007, 10:10:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:42] - Checking for HKLM\...\Winlogon\Notify\nnnlm
[07/26/2007, 10:10:42] - Key not found: HKLM\...\Winlogon\Notify\nnnlm, continuing.
[07/26/2007, 10:10:42] - BHO 10: {92BA3805-2651-43F6-ADFB-C79CBF50829F} ()
[07/26/2007, 10:10:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:42] - Checking for HKLM\...\Winlogon\Notify\yabax
[07/26/2007, 10:10:42] - Key not found: HKLM\...\Winlogon\Notify\yabax, continuing.
[07/26/2007, 10:10:42] - BHO 11: {9A52F48F-B85A-4B40-BC4C-1E3C87EBB718} ()
[07/26/2007, 10:10:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:43] - Checking for HKLM\...\Winlogon\Notify\geeca
[07/26/2007, 10:10:43] - Key not found: HKLM\...\Winlogon\Notify\geeca, continuing.
[07/26/2007, 10:10:43] - BHO 12: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/26/2007, 10:10:43] - BHO 13: {d479a458-87a9-4424-bc84-effc5c1a74ff} ()
[07/26/2007, 10:10:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:43] - Checking for HKLM\...\Winlogon\Notify\usubdwr
[07/26/2007, 10:10:43] - Key not found: HKLM\...\Winlogon\Notify\usubdwr, continuing.
[07/26/2007, 10:10:43] - BHO 14: {E241954B-0566-41ED-91B9-B011D9B68689} ()
[07/26/2007, 10:10:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:43] - Checking for HKLM\...\Winlogon\Notify\mwspasrt83122.exe
[07/26/2007, 10:10:43] - Key not found: HKLM\...\Winlogon\Notify\mwspasrt83122.exe, continuing.
[07/26/2007, 10:10:43] - BHO 15: {F8D08D88-A6F4-4052-97BC-40172A478CF4} ()
[07/26/2007, 10:10:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:44] - Checking for HKLM\...\Winlogon\Notify\mllki
[07/26/2007, 10:10:44] - Key not found: HKLM\...\Winlogon\Notify\mllki, continuing.
[07/26/2007, 10:10:44] - Finished Searching Browser Helper Objects
[07/26/2007, 10:10:44] - *** Detected MSEvents Object
[07/26/2007, 10:10:44] - Trying to remove MSEvents Object...
[07/26/2007, 10:10:45] - Terminating Process: IEXPLORE.EXE
[07/26/2007, 10:10:45] - Terminating Process: RUNDLL32.EXE
[07/26/2007, 10:10:46] - Disabling Automatic Shell Restart
[07/26/2007, 10:10:46] - Terminating Process: EXPLORER.EXE
[07/26/2007, 10:10:46] - Suspending the NT Session Manager System Service
[07/26/2007, 10:10:47] - Terminating Windows NT Logon/Logoff Manager
[07/26/2007, 10:10:47] - Re-enabling Automatic Shell Restart
[07/26/2007, 10:10:48] - File to disable: C:\WINDOWS\system32\efecb.dll
[07/26/2007, 10:10:48] - Renaming C:\WINDOWS\system32\efecb.dll -> C:\WINDOWS\system32\efecb.dll.vir
[07/26/2007, 10:10:48] - File successfully renamed!
[07/26/2007, 10:10:48] - Removing HKLM\...\Browser Helper Objects\{081766ED-D81F-4704-B9EE-1FA237E70844}
[07/26/2007, 10:10:48] - Removing HKCR\CLSID\{081766ED-D81F-4704-B9EE-1FA237E70844}
[07/26/2007, 10:10:48] - Adding Kill Bit for ActiveX for GUID: {081766ED-D81F-4704-B9EE-1FA237E70844}
[07/26/2007, 10:10:48] - Deleting ATLEvents/MSEvents Registry entries
[07/26/2007, 10:10:48] - Removing HKLM\...\Winlogon\Notify\efecb
[07/26/2007, 10:10:48] - Searching for Browser Helper Objects:
[07/26/2007, 10:10:48] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
[07/26/2007, 10:10:48] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/26/2007, 10:10:48] - BHO 3: {46BC317E-D1A6-4404-97BB-568D3E904DC9} ()
[07/26/2007, 10:10:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:48] - Checking for HKLM\...\Winlogon\Notify\awtus
[07/26/2007, 10:10:48] - Key not found: HKLM\...\Winlogon\Notify\awtus, continuing.
[07/26/2007, 10:10:48] - BHO 4: {5A263CF7-56A6-4D68-A8CF-345BE45BC911} (Yahoo! IE Suggest)
[07/26/2007, 10:10:48] - BHO 5: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[07/26/2007, 10:10:48] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/26/2007, 10:10:49] - BHO 7: {8047F7B4-CFC8-46CC-8A00-0C2FC96A0171} ()
[07/26/2007, 10:10:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:49] - Checking for HKLM\...\Winlogon\Notify\yabax
[07/26/2007, 10:10:49] - Key not found: HKLM\...\Winlogon\Notify\yabax, continuing.
[07/26/2007, 10:10:49] - BHO 8: {889B936E-089F-4309-93A3-0EEA2928AF85} ()
[07/26/2007, 10:10:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:49] - Checking for HKLM\...\Winlogon\Notify\nnnlm
[07/26/2007, 10:10:49] - Key not found: HKLM\...\Winlogon\Notify\nnnlm, continuing.
[07/26/2007, 10:10:49] - BHO 9: {92BA3805-2651-43F6-ADFB-C79CBF50829F} ()
[07/26/2007, 10:10:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:49] - Checking for HKLM\...\Winlogon\Notify\yabax
[07/26/2007, 10:10:49] - Key not found: HKLM\...\Winlogon\Notify\yabax, continuing.
[07/26/2007, 10:10:49] - BHO 10: {9A52F48F-B85A-4B40-BC4C-1E3C87EBB718} ()
[07/26/2007, 10:10:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:49] - Checking for HKLM\...\Winlogon\Notify\geeca
[07/26/2007, 10:10:49] - Key not found: HKLM\...\Winlogon\Notify\geeca, continuing.
[07/26/2007, 10:10:49] - BHO 11: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/26/2007, 10:10:49] - BHO 12: {d479a458-87a9-4424-bc84-effc5c1a74ff} ()
[07/26/2007, 10:10:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:49] - Checking for HKLM\...\Winlogon\Notify\usubdwr
[07/26/2007, 10:10:50] - Key not found: HKLM\...\Winlogon\Notify\usubdwr, continuing.
[07/26/2007, 10:10:50] - BHO 13: {E241954B-0566-41ED-91B9-B011D9B68689} ()
[07/26/2007, 10:10:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:50] - Checking for HKLM\...\Winlogon\Notify\mwspasrt83122.exe
[07/26/2007, 10:10:50] - Key not found: HKLM\...\Winlogon\Notify\mwspasrt83122.exe, continuing.
[07/26/2007, 10:10:50] - BHO 14: {F8D08D88-A6F4-4052-97BC-40172A478CF4} ()
[07/26/2007, 10:10:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 10:10:50] - Checking for HKLM\...\Winlogon\Notify\mllki
[07/26/2007, 10:10:50] - Key not found: HKLM\...\Winlogon\Notify\mllki, continuing.
[07/26/2007, 10:10:50] - Finished Searching Browser Helper Objects
[07/26/2007, 10:10:50] - Finishing up...
[07/26/2007, 10:10:50] - A restart is needed.
[07/26/2007, 10:11:01] - Attempting to Restart via STOP error (Blue Screen!)


==================
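
The VBG.txt log above spells out the check steamwiz described: a BHO with no default name whose DLL also has a matching HKLM\...\Winlogon\Notify key is "probably Virtumundo". Here is that correlation written as an offline script over HijackThis O2/O20 lines, plus a before/after comparison to confirm what the cleanup removed. This is an added example, not VirtumundoBeGone's or HijackThis's own code; the sample lines are constructed from the renamed-HJT log in this thread, and the Winlogon key derivation (file name minus its last extension) is inferred from the VBG.txt entries.

```python
"""Correlate HijackThis O2 (BHO) and O20 (Winlogon Notify) lines the way the
VirtumundoBeGone log shows: a nameless BHO plus a Notify key of the same name.
Added example for this thread; not part of either tool."""
import re
from dataclasses import dataclass

# Constructed sample: a few O2/O20 lines copied from the "Before VBG" log above.
BEFORE_LINES = [
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: (no name) - {081766ED-D81F-4704-B9EE-1FA237E70844} - C:\WINDOWS\system32\efecb.dll",
    r"O2 - BHO: (no name) - {46BC317E-D1A6-4404-97BB-568D3E904DC9} - C:\WINDOWS\system32\awtus.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O20 - Winlogon Notify: efecb - C:\WINDOWS\system32\efecb.dll",
]

# Constructed sample: the same entries as they appear in the "After VBG" log (efecb gone).
AFTER_LINES = [
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: (no name) - {46BC317E-D1A6-4404-97BB-568D3E904DC9} - C:\WINDOWS\system32\awtus.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
]

# HijackThis line shapes: "O2 - BHO: <name> - {<clsid>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# "O20 - Winlogon Notify: <key> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    clsid: str
    path: str
    verdict: str


def notify_key(path: str) -> str:
    """Winlogon\\Notify key name VBG looks up: the file name minus its last
    extension (efecb.dll -> efecb, mwspasrt83122.exe.dll -> mwspasrt83122.exe)."""
    filename = path.rsplit("\\", 1)[-1]
    return filename.rsplit(".", 1)[0].lower()


def parse(lines):
    """Split a HijackThis log into BHO records and a map of Winlogon Notify keys."""
    bhos, notify = [], {}
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify[m.group("key").lower()] = m.group("path")
    return bhos, notify


def assess(lines):
    """Apply the VBG heuristic to every nameless BHO in the log."""
    bhos, notify = parse(lines)
    findings = []
    for b in bhos:
        if b["name"] != "(no name)":
            continue  # named BHOs are outside the heuristic, as in the VBG log
        if notify_key(b["path"]) in notify:
            findings.append(Finding(b["clsid"], b["path"], "probably Virtumundo"))
        elif b["missing"]:
            findings.append(Finding(b["clsid"], b["path"], "file missing"))
        else:
            findings.append(Finding(b["clsid"], b["path"], "nameless BHO, no Winlogon reference"))
    return findings


def removed_entries(before, after):
    """Lines present before cleanup and absent afterwards: the verification step
    steamwiz asks for when requesting a second log."""
    after_set = {l.strip() for l in after}
    return [l.strip() for l in before if l.strip() and l.strip() not in after_set]


if __name__ == "__main__":
    for f in assess(BEFORE_LINES):
        print(f"{f.verdict:40} {f.clsid}  {f.path}")
    print("removed by cleanup:")
    for line in removed_entries(BEFORE_LINES, AFTER_LINES):
        print("  ", line)
```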

Ken_P
2007-07-26, 19:39
HijackThis renamed to Ken ------- After VBG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:13 AM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Extra Documents\Dad's extra dcouments\spy stuff\ken.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.aol.com/puccini/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46BC317E-D1A6-4404-97BB-568D3E904DC9} - C:\WINDOWS\system32\awtus.dll (file missing)
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8047F7B4-CFC8-46CC-8A00-0C2FC96A0171} - C:\WINDOWS\system32\yabax.dll (file missing)
O2 - BHO: (no name) - {889B936E-089F-4309-93A3-0EEA2928AF85} - C:\WINDOWS\system32\nnnlm.dll (file missing)
O2 - BHO: (no name) - {92BA3805-2651-43F6-ADFB-C79CBF50829F} - C:\WINDOWS\system32\yabax.dll (file missing)
O2 - BHO: (no name) - {9A52F48F-B85A-4B40-BC4C-1E3C87EBB718} - C:\WINDOWS\system32\geeca.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {d479a458-87a9-4424-bc84-effc5c1a74ff} - C:\WINDOWS\system32\usubdwr.dll (file missing)
O2 - BHO: (no name) - {E241954B-0566-41ED-91B9-B011D9B68689} - C:\Program Files\America Online 9.0c\nipyradiqC:\WINDOWS\system32\B0\mwspasrt83122.exe.dll (file missing)
O2 - BHO: (no name) - {F8D08D88-A6F4-4052-97BC-40172A478CF4} - C:\WINDOWS\system32\mllki.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\eaoggjyw.dll",forkonce
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "G:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [OM_Monitor] G:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.2.0.51g/cab/aolpPlugins.10.4.0.2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158171947181
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157823636773
O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - http://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/YgpUploader.9.3.2.3.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/honeycombs/install.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11819 bytes

Ken_P
2007-07-26, 19:44
Steamwiz,

Here is the VundoFix text. Note the date run.

Again, thanks for the help.


VundoFix V6.5.6

Checking Java version...

Scan started at 7:31:06 AM 7/20/2007

Listing files found while scanning....

C:\windows\system32\aalabret.dll
C:\WINDOWS\system32\aceeg.bak1
C:\WINDOWS\system32\aceeg.bak2
C:\WINDOWS\system32\aceeg.ini
C:\WINDOWS\system32\aceeg.ini2
C:\windows\system32\ahrhskrr.exe
C:\windows\system32\alghsqog.dll
C:\windows\system32\bdoyphbx.dll
C:\windows\system32\bfdatqaq.dll
C:\windows\system32\bncyadck.exe
C:\windows\system32\ckkjfurq.exe
C:\windows\system32\coafmjhp.dll
C:\windows\system32\cogfpjtc.dll
C:\windows\system32\conwovnd.exe
C:\windows\system32\cqvqgvtg.dll
C:\windows\system32\ctjpfgoc.ini
C:\windows\system32\dfgeeeyg.exe
C:\windows\system32\dgfcclhn.ini
C:\windows\system32\egyeofoa.exe
C:\windows\system32\fdaieipd.exe
C:\windows\system32\fgreudlb.exe
C:\WINDOWS\system32\geeca.dll
C:\windows\system32\gobgbkbw.dll
C:\windows\system32\govktmip.dll
C:\windows\system32\hgmbnwrt.dll
C:\windows\system32\hwnegulx.exe
C:\windows\system32\ikbqlbnv.dll
C:\windows\system32\iokygdil.exe
C:\windows\system32\itpheqth.dll
C:\windows\system32\jkouornh.dll
C:\windows\system32\jnsckpbs.exe
C:\WINDOWS\system32\kfgdinkv.dll
C:\windows\system32\kfmjkuwo.exe
C:\windows\system32\kfudrpff.exe
C:\windows\system32\kuxdolvi.dll
C:\windows\system32\kuycwvuq.dll
C:\windows\system32\lshvyovw.ini
C:\windows\system32\mhprqhxn.dll
C:\windows\system32\mihfhskc.exe
C:\windows\system32\mrhlyclm.exe
C:\windows\system32\mrqrxmuu.exe
C:\windows\system32\ngyjgbaf.exe
C:\windows\system32\nhlccfgd.dll
C:\windows\system32\nklhlfiv.dll
C:\windows\system32\nwhrtuur.dll
C:\windows\system32\oigldfar.exe
C:\windows\system32\oujnwbpd.exe
C:\windows\system32\quvwcyuk.ini
C:\windows\system32\rhpcwibd.dll
C:\windows\system32\riypxxgd.exe
C:\windows\system32\rksuspco.exe
C:\windows\system32\rtemfbxu.exe
C:\windows\system32\rudohtxr.exe
C:\windows\system32\sbpsgcdb.dll
C:\windows\system32\sgltiule.exe
C:\windows\system32\skmbxivj.dll
C:\windows\system32\tgkqfded.exe
C:\windows\system32\txyapqeq.dll
C:\windows\system32\utysxxoe.exe
C:\windows\system32\uyfpcdph.exe
C:\windows\system32\vknidgfk.ini
C:\windows\system32\vlwfieaj.dll
C:\WINDOWS\system32\wkxsoaxu.dll
C:\windows\system32\wplbusgc.dll
C:\windows\system32\wvoyvhsl.dll
C:\windows\system32\xbhpyodb.ini
C:\windows\system32\xblrlwlx.exe
C:\windows\system32\xjmtkvdv.dll
C:\windows\system32\xmlntrgr.dll
C:\windows\system32\xrcosqkn.exe
C:\windows\system32\xtwtwndg.exe
C:\windows\system32\xvhocqxt.dll
C:\windows\system32\yaaieexy.dll
C:\windows\system32\yseajhpc.dll
C:\windows\system32\ysndgfrj.exe

Beginning removal...

Attempting to delete C:\windows\system32\aalabret.dll
C:\windows\system32\aalabret.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\aceeg.bak1
C:\WINDOWS\system32\aceeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aceeg.bak2
C:\WINDOWS\system32\aceeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aceeg.ini
C:\WINDOWS\system32\aceeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\aceeg.ini2
C:\WINDOWS\system32\aceeg.ini2 Has been deleted!

Attempting to delete C:\windows\system32\ahrhskrr.exe
C:\windows\system32\ahrhskrr.exe Has been deleted!

Attempting to delete C:\windows\system32\alghsqog.dll
C:\windows\system32\alghsqog.dll Has been deleted!

Attempting to delete C:\windows\system32\bdoyphbx.dll
C:\windows\system32\bdoyphbx.dll Has been deleted!

Attempting to delete C:\windows\system32\bfdatqaq.dll
C:\windows\system32\bfdatqaq.dll Has been deleted!

Attempting to delete C:\windows\system32\bncyadck.exe
C:\windows\system32\bncyadck.exe Has been deleted!

Attempting to delete C:\windows\system32\ckkjfurq.exe
C:\windows\system32\ckkjfurq.exe Has been deleted!

Attempting to delete C:\windows\system32\coafmjhp.dll
C:\windows\system32\coafmjhp.dll Has been deleted!

Attempting to delete C:\windows\system32\cogfpjtc.dll
C:\windows\system32\cogfpjtc.dll Has been deleted!

Attempting to delete C:\windows\system32\conwovnd.exe
C:\windows\system32\conwovnd.exe Has been deleted!

Attempting to delete C:\windows\system32\cqvqgvtg.dll
C:\windows\system32\cqvqgvtg.dll Has been deleted!

Attempting to delete C:\windows\system32\ctjpfgoc.ini
C:\windows\system32\ctjpfgoc.ini Has been deleted!

Attempting to delete C:\windows\system32\dfgeeeyg.exe
C:\windows\system32\dfgeeeyg.exe Has been deleted!

Attempting to delete C:\windows\system32\dgfcclhn.ini
C:\windows\system32\dgfcclhn.ini Has been deleted!

Attempting to delete C:\windows\system32\egyeofoa.exe
C:\windows\system32\egyeofoa.exe Has been deleted!

Attempting to delete C:\windows\system32\fdaieipd.exe
C:\windows\system32\fdaieipd.exe Has been deleted!

Attempting to delete C:\windows\system32\fgreudlb.exe
C:\windows\system32\fgreudlb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\geeca.dll
C:\WINDOWS\system32\geeca.dll Has been deleted!

Attempting to delete C:\windows\system32\gobgbkbw.dll
C:\windows\system32\gobgbkbw.dll Has been deleted!

Attempting to delete C:\windows\system32\govktmip.dll
C:\windows\system32\govktmip.dll Has been deleted!

Attempting to delete C:\windows\system32\hgmbnwrt.dll
C:\windows\system32\hgmbnwrt.dll Has been deleted!

Attempting to delete C:\windows\system32\hwnegulx.exe
C:\windows\system32\hwnegulx.exe Has been deleted!

Attempting to delete C:\windows\system32\ikbqlbnv.dll
C:\windows\system32\ikbqlbnv.dll Has been deleted!

Attempting to delete C:\windows\system32\iokygdil.exe
C:\windows\system32\iokygdil.exe Has been deleted!

Attempting to delete C:\windows\system32\itpheqth.dll
C:\windows\system32\itpheqth.dll Has been deleted!

Attempting to delete C:\windows\system32\jkouornh.dll
C:\windows\system32\jkouornh.dll Has been deleted!

Attempting to delete C:\windows\system32\jnsckpbs.exe
C:\windows\system32\jnsckpbs.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kfgdinkv.dll
C:\WINDOWS\system32\kfgdinkv.dll Has been deleted!

Attempting to delete C:\windows\system32\kfmjkuwo.exe
C:\windows\system32\kfmjkuwo.exe Has been deleted!

Attempting to delete C:\windows\system32\kfudrpff.exe
C:\windows\system32\kfudrpff.exe Has been deleted!

Attempting to delete C:\windows\system32\kuxdolvi.dll
C:\windows\system32\kuxdolvi.dll Has been deleted!

Attempting to delete C:\windows\system32\kuycwvuq.dll
C:\windows\system32\kuycwvuq.dll Has been deleted!

Attempting to delete C:\windows\system32\lshvyovw.ini
C:\windows\system32\lshvyovw.ini Has been deleted!

Attempting to delete C:\windows\system32\mhprqhxn.dll
C:\windows\system32\mhprqhxn.dll Has been deleted!

Attempting to delete C:\windows\system32\mihfhskc.exe
C:\windows\system32\mihfhskc.exe Has been deleted!

Attempting to delete C:\windows\system32\mrhlyclm.exe
C:\windows\system32\mrhlyclm.exe Has been deleted!

Attempting to delete C:\windows\system32\mrqrxmuu.exe
C:\windows\system32\mrqrxmuu.exe Has been deleted!

Attempting to delete C:\windows\system32\ngyjgbaf.exe
C:\windows\system32\ngyjgbaf.exe Has been deleted!

Attempting to delete C:\windows\system32\nhlccfgd.dll
C:\windows\system32\nhlccfgd.dll Has been deleted!

Attempting to delete C:\windows\system32\nklhlfiv.dll
C:\windows\system32\nklhlfiv.dll Has been deleted!

Attempting to delete C:\windows\system32\nwhrtuur.dll
C:\windows\system32\nwhrtuur.dll Has been deleted!

Attempting to delete C:\windows\system32\oigldfar.exe
C:\windows\system32\oigldfar.exe Has been deleted!

Attempting to delete C:\windows\system32\oujnwbpd.exe
C:\windows\system32\oujnwbpd.exe Has been deleted!

Attempting to delete C:\windows\system32\quvwcyuk.ini
C:\windows\system32\quvwcyuk.ini Has been deleted!

Attempting to delete C:\windows\system32\rhpcwibd.dll
C:\windows\system32\rhpcwibd.dll Has been deleted!

Attempting to delete C:\windows\system32\riypxxgd.exe
C:\windows\system32\riypxxgd.exe Has been deleted!

Attempting to delete C:\windows\system32\rksuspco.exe
C:\windows\system32\rksuspco.exe Has been deleted!

Attempting to delete C:\windows\system32\rtemfbxu.exe
C:\windows\system32\rtemfbxu.exe Has been deleted!

Attempting to delete C:\windows\system32\rudohtxr.exe
C:\windows\system32\rudohtxr.exe Has been deleted!

Attempting to delete C:\windows\system32\sbpsgcdb.dll
C:\windows\system32\sbpsgcdb.dll Has been deleted!

Attempting to delete C:\windows\system32\sgltiule.exe
C:\windows\system32\sgltiule.exe Has been deleted!

Attempting to delete C:\windows\system32\skmbxivj.dll
C:\windows\system32\skmbxivj.dll Has been deleted!

Attempting to delete C:\windows\system32\tgkqfded.exe
C:\windows\system32\tgkqfded.exe Has been deleted!

Attempting to delete C:\windows\system32\txyapqeq.dll
C:\windows\system32\txyapqeq.dll Has been deleted!

Attempting to delete C:\windows\system32\utysxxoe.exe
C:\windows\system32\utysxxoe.exe Has been deleted!

Attempting to delete C:\windows\system32\uyfpcdph.exe
C:\windows\system32\uyfpcdph.exe Has been deleted!

Attempting to delete C:\windows\system32\vknidgfk.ini
C:\windows\system32\vknidgfk.ini Has been deleted!

Attempting to delete C:\windows\system32\vlwfieaj.dll
C:\windows\system32\vlwfieaj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wkxsoaxu.dll
C:\WINDOWS\system32\wkxsoaxu.dll Has been deleted!

Attempting to delete C:\windows\system32\wplbusgc.dll
C:\windows\system32\wplbusgc.dll Has been deleted!

Attempting to delete C:\windows\system32\wvoyvhsl.dll
C:\windows\system32\wvoyvhsl.dll Has been deleted!

Attempting to delete C:\windows\system32\xbhpyodb.ini
C:\windows\system32\xbhpyodb.ini Has been deleted!

Attempting to delete C:\windows\system32\xblrlwlx.exe
C:\windows\system32\xblrlwlx.exe Has been deleted!

Attempting to delete C:\windows\system32\xjmtkvdv.dll
C:\windows\system32\xjmtkvdv.dll Has been deleted!

Attempting to delete C:\windows\system32\xmlntrgr.dll
C:\windows\system32\xmlntrgr.dll Has been deleted!

Attempting to delete C:\windows\system32\xrcosqkn.exe
C:\windows\system32\xrcosqkn.exe Has been deleted!

Attempting to delete C:\windows\system32\xtwtwndg.exe
C:\windows\system32\xtwtwndg.exe Has been deleted!

Attempting to delete C:\windows\system32\xvhocqxt.dll
C:\windows\system32\xvhocqxt.dll Has been deleted!

Attempting to delete C:\windows\system32\yaaieexy.dll
C:\windows\system32\yaaieexy.dll Has been deleted!

Attempting to delete C:\windows\system32\yseajhpc.dll
C:\windows\system32\yseajhpc.dll Has been deleted!

Attempting to delete C:\windows\system32\ysndgfrj.exe
C:\windows\system32\ysndgfrj.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 7:59:40 AM 7/20/2007

Listing files found while scanning....

C:\WINDOWS\system32\mlnnn.bak1
C:\WINDOWS\system32\mlnnn.ini
C:\WINDOWS\system32\nnnlm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlnnn.bak1
C:\WINDOWS\system32\mlnnn.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnnn.ini
C:\WINDOWS\system32\mlnnn.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnlm.dll
C:\WINDOWS\system32\nnnlm.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 4:36:26 AM 7/24/2007

Listing files found while scanning....

C:\windows\system32\emkygsoq.ini
C:\WINDOWS\system32\pijewxnk.dll
C:\WINDOWS\system32\qosgykme.dll
C:\WINDOWS\system32\yabax.dll

Beginning removal...

Attempting to delete C:\windows\system32\emkygsoq.ini
C:\windows\system32\emkygsoq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pijewxnk.dll
C:\WINDOWS\system32\pijewxnk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qosgykme.dll
C:\WINDOWS\system32\qosgykme.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yabax.dll
C:\WINDOWS\system32\yabax.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 1:22:38 PM 7/24/2007

Listing files found while scanning....

C:\WINDOWS\system32\ikllm.bak1
C:\WINDOWS\system32\ikllm.bak2
C:\WINDOWS\system32\ikllm.ini
C:\WINDOWS\system32\mllki.dll
C:\WINDOWS\system32\tgufkjfu.dll
C:\windows\system32\yolmcanp.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ikllm.bak1
C:\WINDOWS\system32\ikllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ikllm.bak2
C:\WINDOWS\system32\ikllm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ikllm.ini
C:\WINDOWS\system32\ikllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mllki.dll
C:\WINDOWS\system32\mllki.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tgufkjfu.dll
C:\WINDOWS\system32\tgufkjfu.dll Has been deleted!

Attempting to delete C:\windows\system32\yolmcanp.exe
C:\windows\system32\yolmcanp.exe Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 1:41:13 PM 7/24/2007

Listing files found while scanning....


VundoFix V6.5.6

Checking Java version...

Scan started at 8:54:27 AM 7/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtus.dll
C:\windows\system32\kldotlqr.dll
C:\WINDOWS\system32\sutwa.bak1
C:\WINDOWS\system32\sutwa.bak2
C:\WINDOWS\system32\sutwa.ini
C:\windows\system32\xygfgpdr.exe
C:\windows\system32\yolmcanp.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtus.dll
C:\WINDOWS\system32\awtus.dll Has been deleted!

Attempting to delete C:\windows\system32\kldotlqr.dll
C:\windows\system32\kldotlqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sutwa.bak1
C:\WINDOWS\system32\sutwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\sutwa.bak2
C:\WINDOWS\system32\sutwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\sutwa.ini
C:\WINDOWS\system32\sutwa.ini Has been deleted!

Attempting to delete C:\windows\system32\xygfgpdr.exe
C:\windows\system32\xygfgpdr.exe Has been deleted!

Attempting to delete C:\windows\system32\yolmcanp.exe
C:\windows\system32\yolmcanp.exe Has been deleted!

Performing Repairs to the registry.
Done!

steamwiz
2007-07-27, 19:04
Hi Ken

Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below. When all are ticked (checked), click the Fix Checked button at the bottom :-

O2 - BHO: (no name) - {46BC317E-D1A6-4404-97BB-568D3E904DC9} - C:\WINDOWS\system32\awtus.dll (file missing)

O2 - BHO: (no name) - {8047F7B4-CFC8-46CC-8A00-0C2FC96A0171} - C:\WINDOWS\system32\yabax.dll (file missing)
O2 - BHO: (no name) - {889B936E-089F-4309-93A3-0EEA2928AF85} - C:\WINDOWS\system32\nnnlm.dll (file missing)
O2 - BHO: (no name) - {92BA3805-2651-43F6-ADFB-C79CBF50829F} - C:\WINDOWS\system32\yabax.dll (file missing)
O2 - BHO: (no name) - {9A52F48F-B85A-4B40-BC4C-1E3C87EBB718} - C:\WINDOWS\system32\geeca.dll (file missing)
O2 - BHO: (no name) - {d479a458-87a9-4424-bc84-effc5c1a74ff} - C:\WINDOWS\system32\usubdwr.dll (file missing)

O2 - BHO: (no name) - {E241954B-0566-41ED-91B9-B011D9B68689} - C:\Program Files\America Online 9.0c\nipyradiqC:\WINDOWS\system32\B0\mwspasrt83122.exe.dll (file missing)

O2 - BHO: (no name) - {F8D08D88-A6F4-4052-97BC-40172A478CF4} - C:\WINDOWS\system32\mllki.dll (file missing)

O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\eaoggjyw.dll",forkonce


Reboot

Then...

Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).


File::
C:\WINDOWS\system32\bcefe.bak1
C:\WINDOWS\system32\efecb.dll
C:\WINDOWS\system32\tckgftrc.dll
C:\WINDOWS\system32\xabay.bak2
C:\WINDOWS\system32\xabay.bak1
C:\WINDOWS\system32\tckgftrc.dll
C:\WINDOWS\system32\eaoggjyw.dll
C:\WINDOWS\zeepsezA.exe

Folder::
C:\VundoFix Backups
C:\Temp\0c2
C:\Temp\brr
C:\Temp



Save this as "CFScript.txt".

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
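
Added example (not from this thread, and not code from HijackThis, VundoFix or ComboFix): a small Python triage of HijackThis O2/O4 lines that reproduces the selection steam made above, run over entries copied from the log posted earlier as constructed sample input. The function names (`classify`, `triage`, `fix_list`), the regexes, the verdict labels and the eight-lowercase-letter DLL-name heuristic (the naming pattern of every file VundoFix listed above) are my assumptions, not rules from any of the tools.

```python
import re

# Constructed sample input: a subset of the HijackThis log posted earlier in
# this thread, chosen so that every verdict below occurs at least once.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: (no name) - {46BC317E-D1A6-4404-97BB-568D3E904DC9} - C:\WINDOWS\system32\awtus.dll (file missing)",
    r"O2 - BHO: (no name) - {8047F7B4-CFC8-46CC-8A00-0C2FC96A0171} - C:\WINDOWS\system32\yabax.dll (file missing)",
    r"O2 - BHO: (no name) - {889B936E-089F-4309-93A3-0EEA2928AF85} - C:\WINDOWS\system32\nnnlm.dll (file missing)",
    r"O2 - BHO: (no name) - {92BA3805-2651-43F6-ADFB-C79CBF50829F} - C:\WINDOWS\system32\yabax.dll (file missing)",
    r"O2 - BHO: (no name) - {9A52F48F-B85A-4B40-BC4C-1E3C87EBB718} - C:\WINDOWS\system32\geeca.dll (file missing)",
    r"O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll",
    r"O2 - BHO: (no name) - {d479a458-87a9-4424-bc84-effc5c1a74ff} - C:\WINDOWS\system32\usubdwr.dll (file missing)",
    r"O2 - BHO: (no name) - {E241954B-0566-41ED-91B9-B011D9B68689} - C:\Program Files\America Online 9.0c\nipyradiqC:\WINDOWS\system32\B0\mwspasrt83122.exe.dll (file missing)",
    r"O2 - BHO: (no name) - {F8D08D88-A6F4-4052-97BC-40172A478CF4} - C:\WINDOWS\system32\mllki.dll (file missing)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\eaoggjyw.dll",forkonce',
]

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 lines: "O4 - <hive>\..\Run: [<key>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 invocation: rundll32[.exe] ["]<dll>["],<export>
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE
)
# Heuristic (assumption): eight lowercase letters, like eaoggjyw.dll and every
# file in the VundoFix output above. Vendor DLLs such as NvCpl.dll do not match.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


def classify(line):
    """Return (verdict, reason) for one HijackThis line.

    'fix'    : matches the pattern the helper ticked (orphaned no-name BHO whose
               DLL is already gone, or a Run entry loading a random-named
               system32 DLL through rundll32).
    'review' : some other rundll32 Run entry; worth a look, not auto-flagged.
    'ok'     : everything else.
    """
    m = O2_RE.match(line)
    if m:
        if m.group("name") == "(no name)" and m.group("missing"):
            return "fix", f"orphaned BHO {m.group('clsid')} -> {m.group('path')}"
        return "ok", f"named BHO: {m.group('name')}"
    m = O4_RE.match(line)
    if m:
        r = RUNDLL_RE.search(m.group("cmd"))
        if not r:
            return "ok", f"plain Run entry [{m.group('key')}]"
        dll = r.group("dll")
        base = dll.rsplit("\\", 1)[-1]
        if "system32" in dll.lower() and RANDOM_DLL_RE.match(base):
            return "fix", f"[{m.group('key')}] rundll32 loads random-named {base},{r.group('export')}"
        return "review", f"[{m.group('key')}] rundll32 loads {base},{r.group('export')}"
    return "ok", "not an O2/O4 entry"


def triage(lines):
    """Group log lines by verdict: {'fix': [(line, reason)], 'review': [...], 'ok': [...]}."""
    out = {"fix": [], "review": [], "ok": []}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        verdict, reason = classify(line)
        out[verdict].append((line, reason))
    return out


def fix_list(lines):
    """The lines a helper would tick in HijackThis, in log order."""
    return [line for line, _ in triage(lines)["fix"]]


if __name__ == "__main__":
    result = triage(SAMPLE_HJT_LINES)
    for verdict in ("fix", "review"):
        for line, reason in result[verdict]:
            print(f"{verdict:6} {reason}")
            print(f"       {line}")
```

On the sample above the nine `fix` lines are exactly the nine entries steam listed; NvCplDaemon lands in `review` because its DLL does not fit the random-name pattern.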

Ken_P
2007-07-27, 21:48
Steam,

Here are the ComboFix and HijackThis logs. Also, following the process above caused my Windows activation to become invalid (says activate within three days); should I do this now?

"Dad" - 2007-07-27 12:20:12 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
Command switches used :: G:\Extra Documents\Dad's extra dcouments\spy stuff\CFScript.txt


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\gkflvtun.exe
C:\WINDOWS\system32\gvtsvmxj.exe
C:\WINDOWS\system32\pxxgukwo.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp
C:\Temp\0c2
C:\Temp\0c2\tmpRC.log
C:\Temp\brr
C:\Temp\brr\tmpZTF.log
C:\Temp\logs-20070117.log
C:\VundoFix Backups
C:\VundoFix Backups\aalabret.dll.bad
C:\VundoFix Backups\aceeg.bak1.bad
C:\VundoFix Backups\aceeg.bak2.bad
C:\VundoFix Backups\aceeg.ini.bad
C:\VundoFix Backups\aceeg.ini2.bad
C:\VundoFix Backups\alghsqog.dll.bad
C:\VundoFix Backups\awtus.dll.bad
C:\VundoFix Backups\bdoyphbx.dll.bad
C:\VundoFix Backups\bfdatqaq.dll.bad
C:\VundoFix Backups\coafmjhp.dll.bad
C:\VundoFix Backups\cogfpjtc.dll.bad
C:\VundoFix Backups\cqvqgvtg.dll.bad
C:\VundoFix Backups\ctjpfgoc.ini.bad
C:\VundoFix Backups\dgfcclhn.ini.bad
C:\VundoFix Backups\emkygsoq.ini.bad
C:\VundoFix Backups\gobgbkbw.dll.bad
C:\VundoFix Backups\govktmip.dll.bad
C:\VundoFix Backups\hgmbnwrt.dll.bad
C:\VundoFix Backups\ikbqlbnv.dll.bad
C:\VundoFix Backups\ikllm.bak1.bad
C:\VundoFix Backups\ikllm.bak2.bad
C:\VundoFix Backups\ikllm.ini.bad
C:\VundoFix Backups\itpheqth.dll.bad
C:\VundoFix Backups\jkouornh.dll.bad
C:\VundoFix Backups\kfgdinkv.dll.bad
C:\VundoFix Backups\kldotlqr.dll.bad
C:\VundoFix Backups\kuxdolvi.dll.bad
C:\VundoFix Backups\kuycwvuq.dll.bad
C:\VundoFix Backups\lshvyovw.ini.bad
C:\VundoFix Backups\mhprqhxn.dll.bad
C:\VundoFix Backups\mllki.dll.bad
C:\VundoFix Backups\mlnnn.bak1.bad
C:\VundoFix Backups\mlnnn.ini.bad
C:\VundoFix Backups\nhlccfgd.dll.bad
C:\VundoFix Backups\nklhlfiv.dll.bad
C:\VundoFix Backups\nwhrtuur.dll.bad
C:\VundoFix Backups\pijewxnk.dll.bad
C:\VundoFix Backups\qosgykme.dll.bad
C:\VundoFix Backups\quvwcyuk.ini.bad
C:\VundoFix Backups\rhpcwibd.dll.bad
C:\VundoFix Backups\sbpsgcdb.dll.bad
C:\VundoFix Backups\skmbxivj.dll.bad
C:\VundoFix Backups\sutwa.bak1.bad
C:\VundoFix Backups\sutwa.bak2.bad
C:\VundoFix Backups\sutwa.ini.bad
C:\VundoFix Backups\tgufkjfu.dll.bad
C:\VundoFix Backups\txyapqeq.dll.bad
C:\VundoFix Backups\vknidgfk.ini.bad
C:\VundoFix Backups\vlwfieaj.dll.bad
C:\VundoFix Backups\wkxsoaxu.dll.bad
C:\VundoFix Backups\wplbusgc.dll.bad
C:\VundoFix Backups\wvoyvhsl.dll.bad
C:\VundoFix Backups\xbhpyodb.ini.bad
C:\VundoFix Backups\xjmtkvdv.dll.bad
C:\VundoFix Backups\xmlntrgr.dll.bad
C:\VundoFix Backups\xvhocqxt.dll.bad
C:\VundoFix Backups\xygfgpdr.exe.bad
C:\VundoFix Backups\yaaieexy.dll.bad
C:\VundoFix Backups\yabax.dll.bad
C:\VundoFix Backups\yolmcanp.exe.bad
C:\VundoFix Backups\yseajhpc.dll.bad
C:\WINDOWS\system32\bcefe.bak1
C:\WINDOWS\system32\eaoggjyw.dll
C:\WINDOWS\system32\iphrghnl.exe
C:\WINDOWS\system32\tckgftrc.dll
C:\WINDOWS\system32\xabay.bak1
C:\WINDOWS\system32\xabay.bak2
C:\WINDOWS\zeepsezA.exe


((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-26 04:51 1,733,580 ---hs---- C:\WINDOWS\system32\bcefe.bak2
2007-07-25 19:10 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-25 19:10 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-25 19:09 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-25 14:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-25 09:13 228,960 --a------ C:\WINDOWS\system32\efecb.dll.vir
2007-07-23 13:53 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-23 13:25 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\.housecall6.6
2007-07-18 10:20 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Yahoo!
2007-07-18 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-07-18 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\MailFrontier
2007-07-18 08:30 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-18 08:30 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-18 08:30 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-18 08:30 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-18 08:30 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-18 08:29 5,584,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-18 08:29 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-07-18 08:28 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-18 08:28 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-18 08:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-17 20:20 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Uniblue
2007-07-16 15:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-15 12:27 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-15 12:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Google Updater
2007-07-03 16:39 <DIR> d-------- C:\DOCUME~1\MOM~1.FAM\APPLIC~1\Yahoo!
2007-07-01 15:05 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Ahead
2007-07-01 15:01 <DIR> d-------- C:\Program Files\Nero
2007-07-01 15:01 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-01 14:54 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Nero
2007-07-01 14:53 98,397 --a------ C:\WINDOWS\system32\Tppun.exe
2007-07-01 14:53 8,576 --a------ C:\WINDOWS\system32\drivers\Tppiosmp.sys
2007-07-01 14:53 34,132 --a------ C:\WINDOWS\system32\drivers\necusbbo.sys
2007-07-01 14:53 32,256 --a------ C:\WINDOWS\system32\drivers\Tppfx.sys
2007-07-01 14:53 282,624 --a------ C:\WINDOWS\Tppstray.exe
2007-07-01 14:53 282,624 --a------ C:\WINDOWS\Tppnttry.exe
2007-07-01 14:53 228,352 --a------ C:\WINDOWS\necusbdc.exe
2007-07-01 14:53 19,892 --a------ C:\WINDOWS\system32\drivers\ISBSTOR.SYS
2007-07-01 14:53 12,385 --a------ C:\WINDOWS\system32\Tppui32.dll
2007-07-01 14:53 118,784 --a------ C:\WINDOWS\Tppaldr.exe
2007-07-01 14:53 11,248 --a------ C:\WINDOWS\system32\Tppui16.dll
2007-07-01 14:53 10,092 --a------ C:\WINDOWS\system32\drivers\necusbdc.sys
2007-07-01 14:53 <DIR> d-------- C:\Program Files\Memorex External DVD Win98SE USB 2 Drivers - All


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 19:05:47 68,612 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-18 21:17:45 -------- d-----w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Lavasoft
2007-07-18 17:46:17 512,288 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-07-15 19:17:55 -------- d-----w C:\Program Files\Google
2007-06-26 17:44:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 13:19:32 -------- d-----w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\GTek
2007-06-21 19:45:44 -------- d-----w C:\Program Files\iPod
2007-06-21 19:33:51 -------- d-----w C:\Program Files\QuickTime
2007-06-21 19:25:12 -------- d-----w C:\Program Files\Apple Software Update
2007-06-21 19:21:21 -------- d-----w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Apple Computer
2007-05-27 16:27:38 -------- d-----w C:\Program Files\Yahoo!
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2004-11-22 15:07:14 784 ----a-w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\mpauth.dat
2004-02-09 16:16:46 3,794 ----a-w C:\Program Files\install_status.log
2003-10-08 02:40:00 68,976 ----a-w C:\Program Files\xpicleanup.exe
2003-10-08 02:40:00 6,112 ----a-w C:\Program Files\mozMapi32.dll
2003-10-08 02:40:00 51,712 ----a-w C:\Program Files\PalmSyncInstall.exe
2003-10-08 02:40:00 476 ----a-w C:\Program Files\softokn3.chk
2003-10-08 02:40:00 397,056 ----a-w C:\Program Files\softokn3.dll
2003-10-08 02:40:00 390,688 ----a-w C:\Program Files\nss3.dll
2003-10-08 02:40:00 34,416 ----a-w C:\Program Files\mozABConduit.dll
2003-10-08 02:40:00 31,744 ----a-w C:\Program Files\AccessibleMarshal.dll
2003-10-08 02:40:00 29,792 ----a-w C:\Program Files\plc4.dll
2003-10-08 02:40:00 25,424 ----a-w C:\Program Files\plds4.dll
2003-10-08 02:40:00 24,576 ----a-w C:\Program Files\nsldappr32v50.dll
2003-10-08 02:40:00 198,992 ----a-w C:\Program Files\msgbsutl.dll
2003-10-08 02:40:00 18,256 ----a-w C:\Program Files\PalmSyncProxy.dll
2003-10-08 02:40:00 173,200 ----a-w C:\Program Files\nspr4.dll
2003-10-08 02:40:00 144,880 ----a-w C:\Program Files\mozilla.exe
2003-10-08 02:40:00 14,624 ----a-w C:\Program Files\regxpcom.exe
2003-10-08 02:40:00 14,112 ----a-w C:\Program Files\MapiProxy.dll
2003-10-08 02:40:00 139,264 ----a-w C:\Program Files\nsldap32v50.dll
2003-10-08 02:40:00 130,672 ----a-w C:\Program Files\smime3.dll
2003-10-08 02:40:00 116,800 ----a-w C:\Program Files\ssl3.dll
2003-02-24 21:15:00 9,851 ----a-w C:\Program Files\readme.txt
1999-10-06 03:14:00 31,436 ----a-w C:\Program Files\license.txt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-12-05 10:13]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"HostManager"="C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe" [2006-09-25 17:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"Cmaudio"="cmicnfg.cpl" []
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="G:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07]
"OM_Monitor"="G:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages :\WINDOWS\system32\srrstr.dll cli scecli scecli scecli scecli scecli scecli scecli scecli e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb99.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon07]
C:\WINDOWS\system32\hphmon07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD07]
C:\Program Files\Hewlett-Packard\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"G:\Extra Documents\Kareese extra docs\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
g:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
g:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
G:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScottsPaperManager]
"G:\Program Files\SBPaper\paper.exe" -autominimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wallpaper XE]
g:\Program Files\Amic Games\WallpaperXe\WallpaperXe.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

R0 prohlp02;StarForce Protection Helper Driver v2;C:\WINDOWS\system32\drivers\prohlp02.sys
R0 sfhlp01;StarForce Protection Helper Driver;C:\WINDOWS\system32\drivers\sfhlp01.sys
R0 srescan;srescan;C:\WINDOWS\system32\ZoneLabs\srescan.sys
R1 AFS2K;AFS2k;C:\WINDOWS\system32\drivers\AFS2K.sys
R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R1 prodrv06;StarForce Protection Environment Driver v6;C:\WINDOWS\system32\drivers\prodrv06.sys
R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 MLPTDR_B;MLPTDR_B;\??\C:\WINDOWS\System32\MLPTDR_B.sys
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
R3 cmpci;C-Media PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\cmaudio.sys
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12;C:\WINDOWS\system32\DRIVERS\HPZius12.sys
R3 LVUSBSta;Logitech USB Monitor Filter;C:\WINDOWS\system32\drivers\lvusbsta.sys
R3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
R3 PID_08A0;QuickCam IM(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
R3 usbaudio;USB Audio Driver (WDM);C:\WINDOWS\system32\drivers\usbaudio.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 61883;61883 Unit Device;C:\WINDOWS\system32\DRIVERS\61883.sys
S3 Avc;AVC Device;C:\WINDOWS\system32\DRIVERS\avc.sys
S3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
S3 ENUM1394;%1394\031887&040892.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\enum1394.sys
S3 gameport;QS3000A PCI Joystick;C:\WINDOWS\system32\drivers\hwajoy.sys
S3 hidusb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
S3 MagicTune;MagicTune;C:\WINDOWS\system32\drivers\MTiCtwl.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 P2k;Motorola USB Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 PnkBstrK;PnkBstrK;\??\C:\WINDOWS\system32\drivers\PnkBstrK.sys
S3 QS3000A_A;QS3000A PCI AUDIO(WDM);C:\WINDOWS\system32\drivers\qs3a_wdm.sys
S3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
S3 usbser;Motorola USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
S3 usbvideo;USB Video Device (WDM);C:\WINDOWS\system32\Drivers\usbvideo.sys
S3 WpdUsb;WpdUsb;C:\WINDOWS\system32\DRIVERS\wpdusb.sys


Contents of the 'Scheduled Tasks' folder
2007-07-21 20:28:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-09 00:24:00 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7600#MY3A133067K3.job
2007-07-27 16:23:00 C:\WINDOWS\tasks\HP Usg Daily.job
2007-07-27 19:34:54 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 12:32:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-27 12:36:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-27 12:35
C:\ComboFix2.txt ... 2007-07-25 15:18

--- E O F ---

Ken_P
2007-07-27, 21:49
Hijackthis log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:45 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wpabaln.exe
G:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
G:\Extra Documents\Dad's extra dcouments\spy stuff\ken.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.aol.com/puccini/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "G:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [OM_Monitor] G:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.2.0.51g/cab/aolpPlugins.10.4.0.2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158171947181
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157823636773
O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - http://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/YgpUploader.9.3.2.3.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/honeycombs/install.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10748 bytes

steamwiz
2007-07-27, 23:51
Here are the ComboFix and HijackThis logs. Also, following the process above caused my Windows activation to become invalid (says activate within three days). Should I do this now?


Well Ken... removing malware can have some surprising side effects, but I've not heard that one before ... all we did was remove vundo Trojan files and some temp files ... none of which should have had any connection to windows activation...

2 more vundo files have shown up in the new combofix log ... I think we'd better remove them first... then if your new log is clean ... you can re-activate ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\system32\efecb.dll.vir
C:\WINDOWS\system32\bcefe.bak2



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

steam
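The find-then-script step described above, as an added example that is not part of the post and is not ComboFix's own code: it parses ComboFix "Files Created" lines, flags files under system32 carrying the two extensions seen in this thread (.vir and .bak2, taken from the File:: block above, not a general vundo detector), and emits a CFScript with File:: as the very first line. The sample log lines are constructed for the example; the dates and sizes given for the two flagged files are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches one ComboFix "Files Created" line, e.g.
#   2007-07-25 19:10 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
#   2007-07-23 13:25 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\.housecall6.6
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[\w-]{9})\s+(?P<path>.+)$"
)

# Extensions the helper targeted in this thread (assumption: they are the
# only markers we key on; real triage would look at much more than this).
SUSPECT_EXTENSIONS = (".vir", ".bak2")
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


@dataclass
class Entry:
    date: str
    size: Optional[int]  # None for <DIR> lines
    attrs: str
    path: str


def parse_files_created(text: str) -> List[Entry]:
    """Parse the lines of a ComboFix 'Files Created' section; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], size, m["attrs"], m["path"]))
    return entries


def suspect_entries(entries: List[Entry]) -> List[Entry]:
    """Files (not directories) directly under system32 with a suspect extension."""
    hits = []
    for e in entries:
        if e.size is None:
            continue
        low = e.path.lower()
        if low.startswith(SYSTEM32_PREFIX) and low.endswith(SUSPECT_EXTENSIONS):
            hits.append(e)
    return hits


def build_cfscript(paths: List[str]) -> str:
    """Render a CFScript: 'File::' must be line 1, no BOM, no blank line or space before it."""
    return "\n".join(["File::"] + [p.strip() for p in paths]) + "\n"


def validate_cfscript(text: str) -> bool:
    """Check the format rule the helper stresses: first line is exactly 'File::'."""
    if text.startswith("\ufeff"):  # a UTF-8 BOM would put bytes before "File::"
        return False
    return text.split("\n", 1)[0] == "File::"


# Constructed sample: two benign lines from the thread plus the two vundo
# leftovers the helper scripted for removal (their date/size are invented).
SAMPLE_LOG = r"""
2007-07-25 19:10 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-23 13:25 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\.housecall6.6
2007-07-20 09:12 58,368 --a------ C:\WINDOWS\system32\efecb.dll.vir
2007-07-20 09:12 58,368 --a------ C:\WINDOWS\system32\bcefe.bak2
2007-07-15 12:27 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
"""

if __name__ == "__main__":
    flagged = suspect_entries(parse_files_created(SAMPLE_LOG))
    script = build_cfscript([e.path for e in flagged])
    assert validate_cfscript(script)
    print(script, end="")
```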

Ken_P
2007-07-28, 01:00
Steam,

Latest combofix.txt



"Dad" - 2007-07-27 15:41:18 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
Command switches used :: G:\Extra Documents\Dad's extra dcouments\spy stuff\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bcefe.bak2
C:\WINDOWS\system32\efecb.dll.vir


((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-25 19:10 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-25 19:10 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-25 19:09 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-25 14:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 13:53 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-23 13:25 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\.housecall6.6
2007-07-18 10:20 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Yahoo!
2007-07-18 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-07-18 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\MailFrontier
2007-07-18 08:30 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-18 08:30 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-18 08:30 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-18 08:30 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-18 08:30 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-18 08:29 5,650,464 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-18 08:29 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-07-18 08:28 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-18 08:28 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-18 08:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-17 20:20 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Uniblue
2007-07-16 15:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-15 12:27 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-15 12:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Google Updater
2007-07-03 16:39 <DIR> d-------- C:\DOCUME~1\MOM~1.FAM\APPLIC~1\Yahoo!
2007-07-01 15:05 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Ahead
2007-07-01 15:01 <DIR> d-------- C:\Program Files\Nero
2007-07-01 15:01 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-01 14:54 <DIR> d-------- C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Nero
2007-07-01 14:53 98,397 --a------ C:\WINDOWS\system32\Tppun.exe
2007-07-01 14:53 8,576 --a------ C:\WINDOWS\system32\drivers\Tppiosmp.sys
2007-07-01 14:53 34,132 --a------ C:\WINDOWS\system32\drivers\necusbbo.sys
2007-07-01 14:53 32,256 --a------ C:\WINDOWS\system32\drivers\Tppfx.sys
2007-07-01 14:53 282,624 --a------ C:\WINDOWS\Tppstray.exe
2007-07-01 14:53 282,624 --a------ C:\WINDOWS\Tppnttry.exe
2007-07-01 14:53 228,352 --a------ C:\WINDOWS\necusbdc.exe
2007-07-01 14:53 19,892 --a------ C:\WINDOWS\system32\drivers\ISBSTOR.SYS
2007-07-01 14:53 12,385 --a------ C:\WINDOWS\system32\Tppui32.dll
2007-07-01 14:53 118,784 --a------ C:\WINDOWS\Tppaldr.exe
2007-07-01 14:53 11,248 --a------ C:\WINDOWS\system32\Tppui16.dll
2007-07-01 14:53 10,092 --a------ C:\WINDOWS\system32\drivers\necusbdc.sys
2007-07-01 14:53 <DIR> d-------- C:\Program Files\Memorex External DVD Win98SE USB 2 Drivers - All


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 19:05:47 68,612 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-18 21:17:45 -------- d-----w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Lavasoft
2007-07-18 17:46:17 512,288 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-07-15 19:17:55 -------- d-----w C:\Program Files\Google
2007-06-26 17:44:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 13:19:32 -------- d-----w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\GTek
2007-06-21 19:45:44 -------- d-----w C:\Program Files\iPod
2007-06-21 19:33:51 -------- d-----w C:\Program Files\QuickTime
2007-06-21 19:25:12 -------- d-----w C:\Program Files\Apple Software Update
2007-06-21 19:21:21 -------- d-----w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\Apple Computer
2007-05-27 16:27:38 -------- d-----w C:\Program Files\Yahoo!
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2004-11-22 15:07:14 784 ----a-w C:\DOCUME~1\DAD~1.FAM\APPLIC~1\mpauth.dat
2004-02-09 16:16:46 3,794 ----a-w C:\Program Files\install_status.log
2003-10-08 02:40:00 68,976 ----a-w C:\Program Files\xpicleanup.exe
2003-10-08 02:40:00 6,112 ----a-w C:\Program Files\mozMapi32.dll
2003-10-08 02:40:00 51,712 ----a-w C:\Program Files\PalmSyncInstall.exe
2003-10-08 02:40:00 476 ----a-w C:\Program Files\softokn3.chk
2003-10-08 02:40:00 397,056 ----a-w C:\Program Files\softokn3.dll
2003-10-08 02:40:00 390,688 ----a-w C:\Program Files\nss3.dll
2003-10-08 02:40:00 34,416 ----a-w C:\Program Files\mozABConduit.dll
2003-10-08 02:40:00 31,744 ----a-w C:\Program Files\AccessibleMarshal.dll
2003-10-08 02:40:00 29,792 ----a-w C:\Program Files\plc4.dll
2003-10-08 02:40:00 25,424 ----a-w C:\Program Files\plds4.dll
2003-10-08 02:40:00 24,576 ----a-w C:\Program Files\nsldappr32v50.dll
2003-10-08 02:40:00 198,992 ----a-w C:\Program Files\msgbsutl.dll
2003-10-08 02:40:00 18,256 ----a-w C:\Program Files\PalmSyncProxy.dll
2003-10-08 02:40:00 173,200 ----a-w C:\Program Files\nspr4.dll
2003-10-08 02:40:00 144,880 ----a-w C:\Program Files\mozilla.exe
2003-10-08 02:40:00 14,624 ----a-w C:\Program Files\regxpcom.exe
2003-10-08 02:40:00 14,112 ----a-w C:\Program Files\MapiProxy.dll
2003-10-08 02:40:00 139,264 ----a-w C:\Program Files\nsldap32v50.dll
2003-10-08 02:40:00 130,672 ----a-w C:\Program Files\smime3.dll
2003-10-08 02:40:00 116,800 ----a-w C:\Program Files\ssl3.dll
2003-02-24 21:15:00 9,851 ----a-w C:\Program Files\readme.txt
1999-10-06 03:14:00 31,436 ----a-w C:\Program Files\license.txt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-12-05 10:13]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"HostManager"="C:\Program Files\Common Files\AOL\1110910822\ee\AOLSoftware.exe" [2006-09-25 17:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"Cmaudio"="cmicnfg.cpl" []
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="G:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07]
"OM_Monitor"="G:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages :\WINDOWS\system32\srrstr.dll cli scecli scecli scecli scecli scecli scecli scecli scecli e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb99.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon07]
C:\WINDOWS\system32\hphmon07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD07]
C:\Program Files\Hewlett-Packard\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"G:\Extra Documents\Kareese extra docs\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
g:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
g:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
G:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScottsPaperManager]
"G:\Program Files\SBPaper\paper.exe" -autominimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wallpaper XE]
g:\Program Files\Amic Games\WallpaperXe\WallpaperXe.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

R0 prohlp02;StarForce Protection Helper Driver v2;C:\WINDOWS\system32\drivers\prohlp02.sys
R0 sfhlp01;StarForce Protection Helper Driver;C:\WINDOWS\system32\drivers\sfhlp01.sys
R0 srescan;srescan;C:\WINDOWS\system32\ZoneLabs\srescan.sys
R1 AFS2K;AFS2k;C:\WINDOWS\system32\drivers\AFS2K.sys
R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R1 prodrv06;StarForce Protection Environment Driver v6;C:\WINDOWS\system32\drivers\prodrv06.sys
R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 MLPTDR_B;MLPTDR_B;\??\C:\WINDOWS\System32\MLPTDR_B.sys
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
R3 cmpci;C-Media PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\cmaudio.sys
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12;C:\WINDOWS\system32\DRIVERS\HPZius12.sys
R3 LVUSBSta;Logitech USB Monitor Filter;C:\WINDOWS\system32\drivers\lvusbsta.sys
R3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
R3 PID_08A0;QuickCam IM(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
R3 usbaudio;USB Audio Driver (WDM);C:\WINDOWS\system32\drivers\usbaudio.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 61883;61883 Unit Device;C:\WINDOWS\system32\DRIVERS\61883.sys
S3 Avc;AVC Device;C:\WINDOWS\system32\DRIVERS\avc.sys
S3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
S3 ENUM1394;%1394\031887&040892.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\enum1394.sys
S3 gameport;QS3000A PCI Joystick;C:\WINDOWS\system32\drivers\hwajoy.sys
S3 hidusb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
S3 MagicTune;MagicTune;C:\WINDOWS\system32\drivers\MTiCtwl.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 P2k;Motorola USB Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 PnkBstrK;PnkBstrK;\??\C:\WINDOWS\system32\drivers\PnkBstrK.sys
S3 QS3000A_A;QS3000A PCI AUDIO(WDM);C:\WINDOWS\system32\drivers\qs3a_wdm.sys
S3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
S3 usbser;Motorola USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
S3 usbvideo;USB Video Device (WDM);C:\WINDOWS\system32\Drivers\usbvideo.sys
S3 WpdUsb;WpdUsb;C:\WINDOWS\system32\DRIVERS\wpdusb.sys


Contents of the 'Scheduled Tasks' folder
2007-07-21 20:28:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-09 00:24:00 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7600#MY3A133067K3.job
2007-07-27 20:23:00 C:\WINDOWS\tasks\HP Usg Daily.job
2007-07-27 20:56:34 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 15:49:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-27 15:52:10
C:\ComboFix-quarantined-files.txt ... 2007-07-27 15:51
C:\ComboFix2.txt ... 2007-07-27 12:36
C:\ComboFix3.txt ... 2007-07-25 15:18

--- E O F ---

steamwiz
2007-07-28, 20:57
Hi Ken

The Combofix log is now clean & your vundo problem is history...

I would like you to run 2 more programs, then let me know if your problems are resolved?

-
Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used lists"

Other explorer MRUs (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

---

THEN...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

steam

Ken_P
2007-07-29, 06:03
Steamwiz,

Thank you for pointing to CCleaner, got about 8 gigs more free space after running it. My computer seems to be back to its normal (slow) speed, not too bad for a four-year-old machine. The pop-ups from hell seem to have gone back to where they belong. I must say that the "vundo" bug is the nastiest thing I have come across. Thank you for your help. However, here is the superantispyware log, which did find some other stuff and hopefully quarantined it.

Log from Superantispyware.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/28/2007 at 08:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3275
Trace Rules Database Version: 1286

Scan type : Complete Scan
Total Scan Time : 05:05:38

Memory items scanned : 427
Memory threats detected : 0
Registry items scanned : 7173
Registry threats detected : 0
File items scanned : 177370
File threats detected : 218

Adware.Tracking Cookie

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\POOLSV\YAZZLEBUNDLE-1549.EXE.VIR

Adware.Vundo/Traff-2
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\XYGFGPDR.EXE.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\YOLMCANP.EXE.BAD.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GKFLVTUN.EXE.VIR

Trojan.Downloader-Gen/TStamp
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GVTSVMXJ.EXE.VIR

Trojan.Unknown Origin
C:\WINDOWS\TEMPF.TXT
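Added example (not code from the thread or from SUPERAntiSpyware) for reading a scan log in the format Ken posted, run here on a constructed, shortened copy of that log: it separates hits that already sit in ComboFix's quarantine folder (C:\QOOBOX\QUARANTINE in the log) from items still live on disk, and checks the parsed total against the scanner's own "File threats detected" figure.

```python
"""Triage a SUPERAntiSpyware scan log of the form pasted in the thread.
Added example, not code from the thread or from SUPERAntiSpyware. It parses
the 'Key : value' header and the blank-line-separated detection blocks (a
category line followed by one path per line), separates hits already sitting
in ComboFix's quarantine folder from items still live on disk, and checks the
parsed count against the scanner's own 'File threats detected' figure."""
import re

# ComboFix stores what it removed under C:\QOOBOX\QUARANTINE; a later scan that
# flags files there is re-detecting neutralised copies, not a fresh infection.
QUARANTINE_PREFIX = "C:\\QOOBOX\\QUARANTINE\\"
# Header lines look like 'Memory items scanned : 427' (key of 2+ words).
HEADER_RE = re.compile(r"^([A-Za-z]+(?: [A-Za-z]+)+)\s*:\s*(.*)$")
# A detected item is any line that starts with a drive letter.
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: the thread's log cut down to four entries, with
# 'File threats detected' adjusted to match the shortened list.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/28/2007 at 08:28 PM

Application Version : 3.9.1008
Trace Rules Database Version: 1286

Scan type : Complete Scan

File items scanned : 177370
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Dad.FAMILYROOM\Cookies\dad@zedo[2].txt
C:\Documents and Settings\Kareese.FAMILYROOM\Cookies\kareese@doubleclick[1].txt

Adware.Vundo/Traff-2
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GKFLVTUN.EXE.VIR

Trojan.Unknown Origin
C:\WINDOWS\TEMPF.TXT
"""


def parse_sas_log(text):
    """Return (header, detections): {key: value} and {category: [paths]}.
    A category is only created once a path follows it, so title lines such
    as the product URL never turn into empty categories."""
    header, detections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                      # blank line closes a block
        elif PATH_RE.match(line):
            if current is None:
                raise ValueError("path without a category: " + line)
            detections.setdefault(current, []).append(line)
        else:
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1)] = m.group(2).strip()
            else:
                current = line                  # candidate category name
    return header, detections


def triage(detections, quarantine_prefix=QUARANTINE_PREFIX):
    """Split each category's paths into already-quarantined and live items."""
    prefix = quarantine_prefix.upper()
    out = {}
    for category, paths in detections.items():
        quarantined = [p for p in paths if p.upper().startswith(prefix)]
        live = [p for p in paths if not p.upper().startswith(prefix)]
        out[category] = {"quarantined": quarantined, "live": live}
    return out


def summarize(text):
    """Counts of cookie-only hits, already-quarantined hits and live non-cookie
    items, plus whether the parsed total matches the scanner's reported one."""
    header, detections = parse_sas_log(text)
    split = triage(detections)
    parsed = sum(len(p) for p in detections.values())
    reported = int(header.get("File threats detected", "0"))
    return {
        "reported": reported,
        "parsed": parsed,
        "consistent": reported == parsed,
        "cookies": sum(len(p) for c, p in detections.items() if "Tracking Cookie" in c),
        "quarantined": sum(len(s["quarantined"]) for s in split.values()),
        "live_non_cookie": sorted(p for c, s in split.items()
                                  if "Tracking Cookie" not in c for p in s["live"]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the full log from the thread the same check reproduces the 218 reported threats (212 cookies plus the six quarantine and TEMPF.TXT entries), leaving C:\WINDOWS\TEMPF.TXT as the only non-cookie item outside the quarantine folder.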

steamwiz
2007-07-29, 20:13
Hi

Looks good :)

Have a look here for how to help keep your computer clean :-

http://forums.spybot.info/showthread.php?t=279

Happy surfing

steam

Ken_P
2007-07-29, 20:41
Steamwiz,

Thank you for all your assistance. This was one that was beyond me.

Ken

steamwiz
2007-07-30, 19:48
Hi Ken

You're very welcome :)

steam