View Full Version : Request Help With Vundo etc.
Seems the family computer has been infected with vundo and some win32 trojan things (detected by Spybot, AVG, and Ad-Aware, but is back daily with varying names). I've followed all the steps in the "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance), minus the on-line virus scanner as the computer seems to have issues with them. I do suppose a HJT log file is the way to start these off, so here goes.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:26 AM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
J:\Valve\Steam\Steam.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B6B7A60-8EE7-47F7-832B-6986013A3F06} - C:\WINDOWS\system32\sstqn.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\efcccbx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\wrdymcsj.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)
O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GLSetIT32] c:\windows\system32\msiexec16.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jdfdmcke.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "j:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0CBF7EDC-17EC-442C-8AE9-5E804707B6CA} (NeffyClient Class) - http://dist.cdnetworks.co.kr/cdndist/neffy/Neffy.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin8USA.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03} (HGPluginJP23 Class) - http://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP23.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O20 - Winlogon Notify: efcccbx - C:\WINDOWS\SYSTEM32\efcccbx.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\projyfsi.html
--
End of file - 10879 bytes
pskelley
2007-08-02, 13:17
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Please see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2\ <<< your Java program is BADLY outdated and probably the reasonb you ae infected. I suggest you download the newest version and uninstall all old versions in Add Remove programs.
I hate to be the bearer of bad news and you do have a Vundo infection but you have a much worse password stealer that no doubt has compromised your information, see this:
O4 - HKLM\..\Run: [GLSetIT32] c:\windows\system32\msiexec16.exe
http://www.google.com/search?hl=en&q=msiexec16.exe&btnG=Google+Search
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=39482
Windows errors related to msiexec16.exe ?
msiexec16.exe is a process which is registered as Troj/OptixP-13 Trojan. This process can allow an attacker to gain control of system, steal passwords and access personal data and network shares.
Out of concern for your safety and security I will post this information:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
Please let us know what you have decided to do in your next post.
Thanks
Many thanks for your quick response. I have removed the old Java program and downloaded the latest Java (JSE Runtime Environment 6 Update 2) as per your instructions. This whole business regarding the msiexec16.exe is certainly disheartening to say the least. Thankfully all important matters involving banking etc. is done on a different CPU with many layers of anti-virus/spyware software. If possible I'd like to salvage this computer if at all possible, but if reformatting is the only solution I'll have to do it. If you believe this to be the most logical course of action then I shall take your advice, however would request you help me make the computer relatively "safe" enough for a few days to remove/transfer some files that I'd hate to lose (family photos and things to that extent). Thanks again for your prompt and informative response.
pskelley
2007-08-02, 15:12
Sorry to have to bring you the bad news and I would be glad to help clean the computer, let's proceed like this.
1) Thanks to andymanchesta and anyone else who helped with the fix.
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
(Wait until you finish to post the reports and logs)
2) Thanks to Atribune and any others who helped with this fix.
Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
Post the SDFix report, the Vundofix report and a new HJT log.
Thanks
Copied the instructions to a notepad document and proceeded to to the steps as outlined. Here are the logs from SDFix, VundoFix, and HJT. As a sidenote, something odd happened, after restarting the CPU in the VundoFix procedure, the VundoFix program said the computer was clean without removing the sstqn.dll is had found previously. Just wondering if that was normal, or should I run it again? I hope this means nothing, but to be sure I thought to mention it at the very least.
SDFix: Version 1.95
Run by Derek on Thu 08/02/2007 at 06:36 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\Documents and Settings\Derek\Start Menu\Programs\Startup\TA_Start.lnk - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\TISKY009.exe - Deleted
C:\WINDOWS\wr.txt - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"J:\\Valve\\Steam\\Steam.exe"="J:\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"J:\\Valve\\Steam\\SteamApps\\ippo makunochi\\counter-strike\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\ippo makunochi\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"J:\\Valve\\Steam\\SteamApps\\kansei\\counter-strike\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\kansei\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"J:\\Valve\\Steam\\SteamApps\\db-vash\\counter-strike\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\db-vash\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"J:\\Valve\\Steam\\SteamApps\\ryomashiba\\counter-strike\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\ryomashiba\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"J:\\Valve\\Steam\\SteamApps\\ryomashiba\\day of defeat\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\ryomashiba\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"J:\\Valve\\Steam\\SteamApps\\ryomashiba\\team fortress classic\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\ryomashiba\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\WORMS3D\\bin\\Worms3D.exe"="C:\\WORMS3D\\bin\\Worms3D.exe:*:Enabled:Worms3D"
"J:\\World of Warcraft\\WoW-1.4.0-enUS-downloader.exe"="J:\\World of Warcraft\\WoW-1.4.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"J:\\World of Warcraft\\WoW-1.4.2.4375-to-1.5.0-enUS-downloader.exe"="J:\\World of Warcraft\\WoW-1.4.2.4375-to-1.5.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"J:\\Valve\\Steam\\SteamApps\\ryomashiba\\counter-strike\\hlds.exe"="J:\\Valve\\Steam\\SteamApps\\ryomashiba\\counter-strike\\hlds.exe:*:Enabled:hlds"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"J:\\Valve\\Steam\\SteamApps\\ryomashiba\\half-life\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\ryomashiba\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"J:\\Valve\\Steam\\SteamApps\\xxaoshishinimorixx@yahoo.com\\counter-strike\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\xxaoshishinimorixx@yahoo.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\GunzRunnable[08-30-05].exe"="C:\\Program Files\\MAIET\\Gunz\\GunzRunnable[08-30-05].exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\GunzRunnable[9-15-05].exe"="C:\\Program Files\\MAIET\\Gunz\\GunzRunnable[9-15-05].exe:*:Enabled:Gunz"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Documents and Settings\\Derek\\Desktop\\voice_tweak.exe"="C:\\Documents and Settings\\Derek\\Desktop\\voice_tweak.exe:*:Enabled:voice_tweak"
"C:\\Program Files\\MAIET\\Gunz\\BAReport.exe"="C:\\Program Files\\MAIET\\Gunz\\BAReport.exe:*:Enabled:BAReport MFC ?? ????"
"C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe"="C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe:*:Enabled:Client"
"J:\\Valve\\Steam\\SteamApps\\ippo makunochi\\day of defeat\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\ippo makunochi\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe:*:Enabled:bf2_w32ded"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2VoipServer.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2VoipServer.exe:*:Enabled:BF2VoipServer"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Warcraft II BNE\\Warcraft II BNE.exe"="C:\\Program Files\\Warcraft II BNE\\Warcraft II BNE.exe:*:Enabled:Warcraft II Battle.net Edition"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"J:\\Valve\\Steam\\SteamApps\\xxaoshishinimorixx@yahoo.com\\day of defeat\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\xxaoshishinimorixx@yahoo.com\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\FlashFXP\\flashfxp.exe"="C:\\Program Files\\FlashFXP\\flashfxp.exe:*:Enabled:FlashFXP v3"
"J:\\Valve\\Steam\\SteamApps\\bestbuymike\\counter-strike\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\bestbuymike\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"J:\\Valve\\Steam\\SteamApps\\bestbuymike\\counter-strike source\\hl2.exe"="J:\\Valve\\Steam\\SteamApps\\bestbuymike\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"J:\\Valve\\Steam\\SteamApps\\xxaoshishinimorixx@yahoo.com\\ricochet\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\xxaoshishinimorixx@yahoo.com\\ricochet\\hl.exe:*:Enabled:Half-Life Launcher"
"J:\\Valve\\Steam\\SteamApps\\xxaoshishinimorixx@yahoo.com\\half-life\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\xxaoshishinimorixx@yahoo.com\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"="C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe:*:Enabled:GunzLauncher"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"J:\\Warcraft III\\Warcraft III.exe"="J:\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"J:\\Valve\\Steam\\SteamApps\\bestbuymike\\day of defeat\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\bestbuymike\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"J:\\Valve\\Steam\\SteamApps\\db-vash\\day of defeat\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\db-vash\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\GPotato\\SpaceCowboy\\SpaceCowboy.exe"="C:\\Program Files\\GPotato\\SpaceCowboy\\SpaceCowboy.exe:*:Enabled:SpaceCowboy"
"C:\\Program Files\\GPotato\\SpaceCowboy\\Launcher.atm"="C:\\Program Files\\GPotato\\SpaceCowboy\\Launcher.atm:*:Enabled:SCLauncher"
"C:\\Program Files\\Cabal_ENG\\update\\ESTdnheadless.exe"="C:\\Program Files\\Cabal_ENG\\update\\ESTdnheadless.exe:*:Enabled:EST! download engine"
"J:\\Valve\\Steam\\SteamApps\\ippo makunochi\\team fortress classic\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\ippo makunochi\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Documents and Settings\\Derek\\Desktop\\Darkness\\Emulators\\SNES\\snes9x.exe"="C:\\Documents and Settings\\Derek\\Desktop\\Darkness\\Emulators\\SNES\\snes9x.exe:*:Enabled:Snes9XW"
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme:*:Enabled:GunBound"
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\NyxLauncher.exe"="C:\\ijji\\ENGLISH\\Gunbound Revolution\\NyxLauncher.exe:*:Enabled:Gunbound Revolution"
"J:\\Valve\\Steam\\SteamApps\\ippo makunochi\\half-life\\hl.exe"="J:\\Valve\\Steam\\SteamApps\\ippo makunochi\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Derek\\Desktop\\Day Of Defeat Source\\hl2.exe"="C:\\Documents and Settings\\Derek\\Desktop\\Day Of Defeat Source\\hl2.exe:*:Enabled:hl2"
"C:\\PacSteam\\SteamApps\\likeuberfree\\day of defeat source\\hl2.exe"="C:\\PacSteam\\SteamApps\\likeuberfree\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"="C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe:*:Enabled:soldierfront"
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\Mooblar.exe"="C:\\ijji\\ENGLISH\\Gunbound Revolution\\Mooblar.exe:*:Enabled:GunBound"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"="C:\\Program Files\\Motorola\\RSD Lite\\SDL.exe:*:Enabled:SDL"
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"="C:\\Program Files\\Motorola\\Software Update\\msu.exe:*:Enabled:msu"
"C:\\Program Files\\Motorola\\PST\\pst.exe"="C:\\Program Files\\Motorola\\PST\\pst.exe:*:Enabled:PST"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:P2P service of Orbit Downloader"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\FlashFXP\\flashfxp.exe"="C:\\Program Files\\FlashFXP\\flashfxp.exe:*:Enabled:FlashFXP v3"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll
C:\Bundle\PictureIt\PIP\LAUNCHER.EXE
C:\Documents and Settings\Derek\Application Data\Hangame\hgstarterjp.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
Finished
VundoFix V6.5.6
Checking Java version...
Scan started at 6:52:48 AM 8/2/2007
Listing files found while scanning....
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini
C:\WINDOWS\system32\sstqn.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\nqtss.ini
C:\WINDOWS\system32\nqtss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\sstqn.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.5.6
Checking Java version...
Scan started at 7:02:34 AM 8/2/2007
Listing files found while scanning....
No infected files were found.
Apologies for the breaking up of the post (was too long).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:21 AM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Derek\Desktop\VundoFix.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {051BA2D6-6A4E-4EE9-9D4A-40C311BAB3F9} - C:\WINDOWS\system32\sstqn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\efcccbx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\wrdymcsj.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)
O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jdfdmcke.dll",forkonce
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "j:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0CBF7EDC-17EC-442C-8AE9-5E804707B6CA} (NeffyClient Class) - http://dist.cdnetworks.co.kr/cdndist/neffy/Neffy.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin8USA.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03} (HGPluginJP23 Class) - http://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP23.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O20 - Winlogon Notify: efcccbx - C:\WINDOWS\SYSTEM32\efcccbx.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\projyfsi.html
--
End of file - 11463 bytes
pskelley
2007-08-02, 16:32
Thanks for returning your information. No problems breaking up the logs, it has to be done. You are doing great, this is a lot to do and a lot to think about, I am here for you 100% of the way!
Your question about Vundofix, yes you should have run the scan until all files locate "has been deleted" as per the instruction. let's see what happened and I will know more.
SDFix deleted the really bad one for us.
Attempting to delete C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\sstqn.dll Could not be deleted.
When Vundofix reports files like this it means they have not yet been identified. Sometimes running the fix again will do it, if not that file needs to be upload as instructed so it can be added to the fix.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:09:21 AM, on 8/2/2007
O2 - BHO: (no name) - {051BA2D6-6A4E-4EE9-9D4A-40C311BAB3F9} - C:\WINDOWS\system32\sstqn.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\efcccbx.dll
O20 - Winlogon Notify: efcccbx - C:\WINDOWS\SYSTEM32\efcccbx.dll
These are the Vundo files that need to be removed. The hard ones or the 020 Winlogon because they log on so early in the boot process. I want you to try the scan again and watch those 020 lines to see if they are gone or if they say (file missing) after them.
If this does not occur after you run a time or two, then do this:
Open Vundofix by Doubleclicking on it, then point your mouse to the white box
above the buttons and right click, then click on Add More Files. When the
next window opens, copy and paste the files into the boxes and click on Add
File(s), then click on Close Window. Then click Remove Vundo.
These are the files to add:
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\efcccbx.dll
I would also like you to add these which will save us work later if Vundofix removes them for us:
C:\WINDOWS\system32\wrdymcsj.dll
C:\WINDOWS\system32\jdfdmcke.dll
One way or another once the 020 items are gone or say (file missing), post a new HJT log so I can see what is left to do. Please do not rush when doing this, take the time you need to be safe.
Thanks...Phil
I do believe I've succeeded. The O20 have disappeared from HJT, and the .dll files you told me to remove seem to be gone. After removing the jdfdmcke.dll, on startup of windows I recieve a RUNDLL error saying it cannot execute jdfdmcke.dll.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:12 AM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\efcccbx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {772E5899-05D5-4FDA-AB19-A33E5D9C9C32} - C:\WINDOWS\system32\sstqn.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\wrdymcsj.dll (file missing)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)
O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jdfdmcke.dll",forkonce
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "j:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0CBF7EDC-17EC-442C-8AE9-5E804707B6CA} (NeffyClient Class) - http://dist.cdnetworks.co.kr/cdndist/neffy/Neffy.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin8USA.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03} (HGPluginJP23 Class) - http://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP23.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\projyfsi.html
--
End of file - 11117 bytes
pskelley
2007-08-02, 17:48
After removing the jdfdmcke.dll, on startup of windows I recieve a RUNDLL error saying it cannot execute jdfdmcke.dll.That's normal, the malware is complaining that you are trying to remove it...lol Let's see where we are.
Stick with me a bit longer, this was a nasty infection and we are almost there.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Disable the Service
Click Start > Run and type services.msc
Scroll down to Net Agent and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
4) C:\Program Files\Lavasoft\Ad-Aware 2007\ <<< this program may block HJT, please turn it off until you finish.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\efcccbx.dll (file missing)
O2 - BHO: (no name) - {772E5899-05D5-4FDA-AB19-A33E5D9C9C32} - C:\WINDOWS\system32\sstqn.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\wrdymcsj.dll (file missing)
(next item is not malware, but it has been damaged, if you use it, install it again once we are finished)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)
(same with this one, see the file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jdfdmcke.dll",forkonce
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\projyfsi.html
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
(may be gone but look carefully, don't miss them)
C:\WINDOWS\TISKY009.exe <<< delete that file
C:\WINDOWS\system32\jdfdmcke.dll <<< delete that file
C:\WINDOWS\dls0523pmw.exe <<< delete that file
C:\Program Files\Messenger\projyfsi.html <<< delete that file
(If any of those files give you a hard time, then use this tool and instructions on them)
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log. Tell me how the computer is running now.
Thanks
Everything went well, out of the list of files you told me to remove, none were present. The only thing I didn't have the chance to do was remove the, O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing) from HJT as it wasn't listed among the services (Possibly due to step three?). The computer seems to be running great, no more pop-ups advertising some anti-virus at random intervals.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:12 AM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
J:\valve\steam\steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "j:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0CBF7EDC-17EC-442C-8AE9-5E804707B6CA} (NeffyClient Class) - http://dist.cdnetworks.co.kr/cdndist/neffy/Neffy.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin8USA.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03} (HGPluginJP23 Class) - http://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP23.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9861 bytes
pskelley
2007-08-02, 19:21
Good job:bigthumb: and thanks for the feedback. I check a couple of ways to make sure nothing gets missed and the HJT log looks clean of malware.
You may use HJT to remove the dead FlashGet line if you wish.
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
IeCatch5 Class {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} L BHO jccatch.dll FlashGet
You may also rename HJT if you want. Please remove Vundofix from your computer and make sure to delete the Vundofix backups.
If you are so inclined I would like to run one more good scan to look for hidden junk.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
If you do not believe that is necessary, then finish up like this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Apologies for getting back with such delay.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 03, 2007 1:13:52 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/08/2007
Kaspersky Anti-Virus database records: 348540
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
Scan Statistics:
Total number of scanned objects: 118516
Number of viruses found: 18
Number of infected objects: 28 / 0
Number of suspicious objects: 8
Duration of the scan process: 01:32:37
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/retadpu572.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu1000106.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\002636E6.scr Infected: Backdoor.Win32.Small.ct skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06EF5408.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06EF5408.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06EF5408.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06EF5408.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06EF5408.zip CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07766FCB.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07766FCB.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07766FCB.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07766FCB.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07766FCB.zip CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\077919C8.tmp Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\077C43C4.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\077C43C4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\077C43C4.zip CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07E502E6 Suspicious: Exploit.Win32.IMG-ANI.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BC51AC1.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EA529B6.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FC60F64 Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2453633B Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3175026E Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3A7953D7.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\427A747C.htm Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\456D4766 Infected: not-virus:BadJoke.Win32.Sojfuse skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51863877.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5DB71C05.def Infected: Exploit.HTML.CodeBaseExec skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\64B77796 Infected: Trojan.Java.ClassLoader.ak skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6FA525D8.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D413A9C Infected: Trojan.Java.ClassLoader.z skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E544ADD.exe Infected: Trojan-Dropper.Win32.Agent.bv skipped
C:\Documents and Settings\Derek\Application Data\Aim\vqflgrqg\RxChrono\cert8.db Object is locked skipped
C:\Documents and Settings\Derek\Application Data\Aim\vqflgrqg\RxChrono\key3.db Object is locked skipped
C:\Documents and Settings\Derek\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Application Data\ATI\ACE\Log\MOM-0.log Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\History\History.IE5\MSHist012007080220070803\index.dat Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Temp\~DFA212.tmp Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Temp\~DFB497.tmp Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Derek\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Derek\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP953\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E3E4C080-DB11-4E54-A1B3-886DCEC7BA54}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5725.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000636.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000637.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000638.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000639.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000640.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000641.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000642.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000643.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000644.cat Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000645.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000646.cat Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000647.cat Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000648.cat Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000649.cat Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000650.cat Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000651.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000652.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000653.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000654.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000655.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000656.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000657.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000658.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000659.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000660.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000661.inf Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000662.ver Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000663.ver Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP19\A0000664.inf Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000671.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000672.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000673.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000674.cat Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000675.inf Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000676.ver Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000677.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000678.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000679.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000680.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000681.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000682.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000683.ver Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000684.inf Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000685.cat Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000686.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000687.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000688.exe Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000689.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000690.dll Object is locked skipped
J:\System Volume Information\_restore{47190519-376C-4C81-B927-0115E3BD732D}\RP20\A0000691.exe Object is locked skipped
J:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP953\change.log Object is locked skipped
J:\Valve\Steam\Steam.log Object is locked skipped
J:\Valve\Steam\SteamApps\counter-strike.gcf Object is locked skipped
J:\Valve\Steam\SteamApps\half-life engine.gcf Object is locked skipped
J:\Valve\Steam\SteamApps\half-life.gcf Object is locked skipped
J:\Valve\Steam\SteamApps\platform.gcf Object is locked skipped
J:\Valve\Steam\SteamApps\sourceinit.gcf Object is locked skipped
J:\Valve\Steam\SteamApps\winui.gcf Object is locked skipped
J:\Valve\Steam\SteamLogs\SteamStats.log Object is locked skipped
Scan process completed.
pskelley
2007-08-03, 12:51
Apologies for getting back with such delay.Absolutely no problem, thanks for the scan results, let see what Kaspersky found:
KASPERSKY ONLINE SCANNER REPORT Friday, August 03, 2007 1:13:52 AM
Number of infected objects: 28
Important to note, Recovery is Spybot's quarantine and the rest are in Norton's quarantine so none are on your computer.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
These are in the "Recovery" area of Spybot. Open Spybot and click on the red cross, then delete the contents.
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\
These are quarantined in your NAV program, follow these directions and clean out the quarantine folder:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506
You should be good to go at that point, if you wish to run another scan to be sure nothing is left, post the results if you have questions.
Thanks...Phil
Thanks for clarifying the results. I do believe I'll do a follow up scan just to double check and make sure everything has been eliminated. I do have one question that someone of your expertise could most likely answer... My AVG ran it's daily test and discovered that there was a "change" to my C\:WINDOWS\System32\drivers\etc\hosts
I was wondering what, if anything, this meant? It recently showed up after the whole Vundo fiasco.
pskelley
2007-08-03, 13:58
Good morning, that: C\:WINDOWS\System32\drivers\etc\hosts
is your Host file, we may have to reset it, let me have a look first:
To view the Hosts file:
Start -> Run -> Copy the following to the box and hit enter:
C:\WINDOWS\System32\drivers\etc\HOSTS
A window opens, choose Notepad from the list and hit OK.
A notepad document opens, copy the contents to here
Thanks
Good morning to you aswell.
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhos
pskelley
2007-08-03, 14:12
Not to worrry, looks like it should. If you wish to learn more about your Host file and how it works, have a look here:
http://www.mvps.org/winhelp2002/hosts.htm
Safe Surfing:)
Phil
Many thanks pskelly, you've been more than helpful and informative. Thanks for helping me save my computer and shedding some light on how malware etc. works. If that Kaspersky detects anything new I'll post a log, but as of now, everything seems find. Again, thank you very much for your help, I appreciate it immensely.
I had really hoped to be through with this, but Kaspersky detected 2 items. Do these pose some threat?
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP953\A0103201.scr Infected: Backdoor.Win32.Small.ct skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP953\A0103202.exe Infected: Trojan-Dropper.Win32.Agent.bv skipped
pskelley
2007-08-04, 02:25
Those are in your System Restore backups, I gave you instructions in my post #11 to clean your System Restore files, here are those instructions again:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Thanks
My apologies, after that Kaspersky scan I blanked on following the other procedures. Thanks again.
pskelley
2007-08-04, 13:01
No problem at all, since I am posting I will add some good security links for you and then close the topic:
. Security At Home site
http://www.microsoft.com/athome/security/default.mspx
. Security Tips & Talk blog
http://blogs.msdn.com/securitytipstalk/default.aspx
. RSS feed: Get security information delivered to you
http://www.microsoft.com/athome/security/rss/default.mspx
. Security video tutorials
http://www.microsoft.com/athome/security/videos/default.mspx
. Security community for home users
http://www.microsoft.com/athome/security/newsgroup/default.mspx
. Support for your computer security issues
http://www.microsoft.com/athome/security/support/default.mspx
. Worldwide computer security information
http://www.microsoft.com/athome/security/worldwide/default.mspx
Thanks...Phil