
Virtumonde and I am computer illiterate - HELP!



alsmommy21
2007-08-28, 01:42
Spybot finds Virtumonde on every scan and cannot remove it. I have run Kaspersky and HJT, trying to follow the instructions posted above. I apologize in advance if I have done something incorrectly. This is my first time doing this kind of thing.

Kaspersky:
Monday, August 27, 2007 8:30:36 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/08/2007
Kaspersky Anti-Virus database records: 392810

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINNT
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 26695
Number of viruses found 5
Number of infected objects 6
Number of suspicious objects 0
Duration of the scan process 00:35:39

Infected Object Name Virus Name Last Action
C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\system32\f10WtR\f10WtR1099.exe Infected: Trojan-Downloader.Win32.VB.awj skipped

C:\WINNT\system32\xlibgfl254.dll Infected: Trojan-Downloader.Win32.Agent.bfj skipped

C:\WINNT\Temp\2wswlog\2PortalMon_Debug.txt Object is locked skipped

C:\WINNT\tk58.exe Infected: Trojan.Win32.BHO.ab skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\0HUZ81UV\is68146[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.lk skipped

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\W9QNW1QZ\WinAntiSpyware2007FreeInstall[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WinAntiSpyware 2007 FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

Scan process completed.



HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:00 PM, on 8/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\howyj22011.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINNT\system32\tmp3.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {8FC1E183-A62B-4DA6-46A5-EDF822FA5535} - C:\Program Files\Accessories\labumuces.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [howyj] C:\Program Files\Common Files\howyj22011.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [SpybotDeletingB1758] command /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3888] cmd /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188152850593
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfshl - C:\WINNT\SYSTEM32\igfshl.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\prokybovur.html

--
End of file - 5713 bytes

Please help me if you can. If I need to give more info, let me know. Again, I apologize if the wrong info is posted. It has taken me all day to get this done with all the issues with Virtumonde running.

ken545
2007-08-28, 02:18
Hello alsmommy21

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on Hijackthis.exe (looks like a man with a spyglass) and rename it to Scanner.exe.

Post a new HJT log with it renamed, please.

alsmommy21
2007-08-28, 02:38
Is this now done correctly? Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:20 PM, on 8/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINNT\system32\tmp3.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {8FC1E183-A62B-4DA6-46A5-EDF822FA5535} - C:\Program Files\Accessories\labumuces.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [howyj] C:\Program Files\Common Files\howyj22011.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188152850593
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfshl - C:\WINNT\SYSTEM32\igfshl.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\prokybovur.html

--
End of file - 5408 bytes

ken545
2007-08-28, 03:14
Nope, it's not done right. :sad: Just so you know why we ask you to do this: the thieves that have written the Vundo Trojan had written it to evade a HJT scan, and by renaming it, if you're infected with Vundo those entries will show up on your HJT log.

This is easy to do.
Go to My Computer > Then click on your C: Drive > Then click on the Program Files folder > Then click on the Trend Micro folder > Then click on the Hijackthis folder to open it, and inside the folder you will see the icon for HJT, looks like a man with a hat holding a spyglass. Just right click on that icon and when the menu opens, click on Rename and type in Scanner.exe.

To see if you did it correctly, run HJT to scan and save a log file and look for this.

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- this is what you have.

C:\Program Files\Trend Micro\HijackThis\Scanner.exe <-- This is what we need

When you have it correct, post the new log please.

alsmommy21
2007-08-28, 04:07
Hope this is finally correct. Thank you for spelling it out for me! I am learning a lot here (even if the reason I am having to learn is a dumb virus!).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:06 PM, on 8/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINNT\system32\tmp3.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {8FC1E183-A62B-4DA6-46A5-EDF822FA5535} - C:\Program Files\Accessories\labumuces.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [howyj] C:\Program Files\Common Files\howyj22011.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA1062] command /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6068] cmd /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [SpybotDeletingB6518] command /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8892] cmd /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188152850593
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfshl - C:\WINNT\SYSTEM32\igfshl.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\prokybovur.html

--
End of file - 6008 bytes

ken545
2007-08-28, 12:40
You did well :bigthumb:

I am not looking at any Vundo on your log. Let's do a few things; you may want to print this out to follow along.

We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.


Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINNT\system32\tmp3.tmp.dll

O4 - HKLM\..\RunOnce: [SpybotDeletingA1062] command /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6068] cmd /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6518] command /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8892] cmd /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"

O20 - Winlogon Notify: igfshl - C:\WINNT\SYSTEM32\igfshl.dll



1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\WINNT\SYSTEM32\igfshl.dll
C:\WINNT\system32\tmp3.tmp.dll




Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


Go to Start / Run and type "cleanmgr" without quotes ....have it clean Temp. Internet files, and Temp files.


Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

alsmommy21, this may be a mouthful for you, but do like I said and print this out and keep it handy to follow along. Take your time and follow all the instructions; if there is anything you're not clear on, by all means post back and ask. There is still more to do, but I don't want to overwhelm you, so we can do a little at a time.

Ken:yes:
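As an added illustration, not code from this thread, from HijackThis or from Spybot, the Python script below applies the same checks Ken applies in the two posts above: it parses an HJT log, flags the entry types he asked to have fixed (a tmp-named or unnamed BHO, "(file missing)" leftovers, Spybot "_tobedeleted" RunOnce entries, an unknown Winlogon Notify DLL, a random-named autostart) and reads the process list to confirm whether HijackThis is running under its renamed Scanner.exe. The sample log is a constructed excerpt modelled on the logs posted here, and the two allowlists of known DLLs are assumptions limited to the legitimate components visible in this thread.

```python
import re
from collections import namedtuple

# Constructed excerpt modelled on the HijackThis v2.0.2 logs posted in this thread;
# only a handful of the original lines are reproduced, in the log's own layout.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Common Files\howyj22011.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINNT\system32\tmp3.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {8FC1E183-A62B-4DA6-46A5-EDF822FA5535} - C:\Program Files\Accessories\labumuces.dll (file missing)
O4 - HKLM\..\Run: [howyj] C:\Program Files\Common Files\howyj22011.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA1062] command /c del "C:\WINNT\system32\igfshl.dll_tobedeleted"
O20 - Winlogon Notify: igfshl - C:\WINNT\SYSTEM32\igfshl.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
"""

ENTRY = re.compile(r"^(?P<section>R\d|O\d\d?) - (?P<body>.+)$")
EXE_PATH = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.I)
# Naming patterns seen in this thread: tmpN.tmp.dll BHOs and autostarts named
# as a run of letters followed by a run of digits (howyj22011.exe).
TEMP_DLL = re.compile(r"^tmp\d*\.tmp\.dll$", re.I)
RANDOM_EXE = re.compile(r"^[a-z]{4,}\d{4,}\.exe$", re.I)
# Assumed allowlists, limited to the legitimate components visible in the thread;
# a real triage list would be far longer.
KNOWN_BHO_DLLS = {"acroiehelper.dll", "sdhelper.dll"}
KNOWN_NOTIFY_DLLS = {"saswinlo.dll"}

Finding = namedtuple("Finding", "rule entry")


def parse_hjt(text):
    """Split an HJT log into the running-process list and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # the blank line after the process list ends it
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def dll_of(body):
    """O2/O20 bodies end with ' - <path>'; return that path's basename."""
    return basename(body.rsplit(" - ", 1)[-1])


def triage(entries):
    """Apply the checks the helper applied to the logs in this thread."""
    findings = []
    for section, body in entries:
        rule = None
        if "(file missing)" in body:
            rule = "stale-entry"  # still loads a component that is already gone
        elif section == "O2":
            dll = dll_of(body)
            if TEMP_DLL.match(dll):
                rule = "temp-named-bho"
            elif "(no name)" in body and dll not in KNOWN_BHO_DLLS:
                rule = "unnamed-bho"
        elif section == "O20" and dll_of(body) not in KNOWN_NOTIFY_DLLS:
            rule = "unknown-winlogon-notify"
        elif section == "O4":
            target = body.split("] ", 1)[-1]
            if "RunOnce" in body and "_tobedeleted" in target:
                rule = "spybot-leftover"  # Spybot's deferred delete never completed
            else:
                m = EXE_PATH.match(target)
                if m and RANDOM_EXE.match(basename(m.group("exe"))):
                    rule = "random-named-autostart"
        if rule:
            findings.append(Finding(rule, f"{section} - {body}"))
    return findings


def check_hjt_rename(processes):
    """Vundo hides from a process named HijackThis.exe, hence the rename to
    Scanner.exe; 'Scanner.exe.exe' is what you get when the rename is done with
    'Hide file extensions for known types' still switched on."""
    for proc in processes:
        name = basename(proc)
        if name == "hijackthis.exe":
            return "not-renamed"
        if name.endswith(".exe.exe"):
            return "double-extension"
        if name == "scanner.exe":
            return "ok"
    return "hjt-not-in-process-list"


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print("HJT rename check:", check_hjt_rename(procs))
    for f in triage(ents):
        print(f"{f.rule:26} {f.entry}")
```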

alsmommy21
2007-08-28, 16:32
Ken,
Thanks so much for making the instructions so clear. I think I should be able to handle this.

I have gotten to the Avenger step and have a problem. I don't have whatever program it typically opens with. What do I need to open this zip file? I am sure this is common knowledge :sad:

Thank you!
Jill

ken545
2007-08-28, 18:22
http://www.winzip.com/prod_down.htm

Just download and install the original version, just the trial.

alsmommy21
2007-08-28, 19:31
Ok, here we go...

Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ixjbjsep

*******************

Script file located at: \??\C:\Documents and Settings\ydlpaqtf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\SYSTEM32\igfshl.dll deleted successfully.
File C:\WINNT\system32\tmp3.tmp.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.





HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:03 PM, on 8/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\howyj22011.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\notepad.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {8FC1E183-A62B-4DA6-46A5-EDF822FA5535} - C:\Program Files\Accessories\labumuces.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [howyj] C:\Program Files\Common Files\howyj22011.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188152850593
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfshl - igfshl.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\prokybovur.html

--
End of file - 5795 bytes


Thanks again, Ken!
Jill

ken545
2007-08-28, 19:55
Jill,

and I am computer illiterate <-- I don't think so, you're doing great. :bigthumb:

Remove this with HJT, the file has been deleted so it should go.
O20 - Winlogon Notify: igfshl - igfshl.dll (file missing)

I still need you to run Super Anti Spyware and post the log, and after every scan or fix we make with HJT, I need to see a new HJT also to see where we are at.

Do you have any idea what these are? Google is not picking anything up, and when they won't Google, almost 100% of the time they're bad.

C:\Program Files\Accessories\labumuces.dll
C:\Program Files\Common Files\howyj22011.exe

If you know what they are and know them to be safe then that's fine; if not, I would like you to upload them to this site for analysis.

We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.

Go to this site Jotti Upload (http://virusscan.jotti.org/) and under the browse feature, browse to these files. Do them one at a time.

C:\Program Files\Accessories\labumuces.dll
C:\Program Files\Common Files\howyj22011.exe

Then click on upload and it will give you a report, post the report in your next reply.

Ok, let me see the Super Anti Spyware Report, the report for both files that you uploaded and a New HJT log.
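
The checks Ken walks through above (launch points whose file is missing, and unfamiliar files sitting directly under Common Files or Accessories) can be applied to an HJT log mechanically. The script below is an added example and is not HijackThis code or Ken's own tool; the `triage` heuristics are constructed for illustration, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread, not part of HijackThis or the helper's own
tooling. The heuristics are constructed for illustration and mirror what the
helper checked by hand: launch points whose target file is missing, unfamiliar
files dropped directly under Common Files or Accessories, and Active Desktop
(O24) components.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Every HJT line starts with a section code: R0/R1 = IE start page and titles,
# O2 = BHO, O4 = autostart entries, O20 = Winlogon Notify, O23 = service,
# O24 = Active Desktop component. The rest of the line is free text with a path.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# First absolute Windows path ending in an executable, DLL, OCX or HTML file.
PATH_RE = re.compile(
    r'(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|html?))\b',
    re.IGNORECASE,
)

# Folders where vendors normally create a subfolder; a loose file directly
# inside them is worth a second look (heuristic chosen for this thread).
SHARED_DIRS = {
    "c:\\program files\\common files",
    "c:\\program files\\accessories",
}


@dataclass
class Entry:
    code: str
    body: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT line into its section code, body and target path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    return Entry(m.group("code"), body, pm.group("path") if pm else None)


def flag_entry(entry: Entry) -> Entry:
    """Attach review flags to an entry; an empty list means nothing stood out."""
    if "(file missing)" in entry.body:
        # HJT could not find the target, so the launch point is stale or was
        # only partly cleaned; HJT itself can remove the leftover entry.
        entry.flags.append("file missing")
    if entry.path:
        parent = entry.path.rsplit("\\", 1)[0].lower()
        if parent in SHARED_DIRS:
            entry.flags.append("unrecognised file directly under a shared folder")
    if entry.code == "O24":
        # Active Desktop components are an uncommon persistence spot for adware.
        entry.flags.append("Active Desktop component")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that carry at least one flag, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and flag_entry(entry).flags:
            flagged.append(entry)
    return flagged


# Constructed sample: a handful of lines copied from the HJT logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [howyj] C:\Program Files\Common Files\howyj22011.exe
O2 - BHO: 0 - {8FC1E183-A62B-4DA6-46A5-EDF822FA5535} - C:\Program Files\Accessories\labumuces.dll (file missing)
O20 - Winlogon Notify: igfshl - igfshl.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\prokybovur.html
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code}: {e.path or e.body}  <- {', '.join(e.flags)}")
```

The flags are prompts for a human review (search the name, upload the file to Jotti), not a verdict; benign entries such as iTunesHelper and dmadmin in the sample produce no flags.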

alsmommy21
2007-08-28, 20:55
Ken,

Thanks for not thinking I am totally stupid. I was good friends with the network admin at my former job so I felt I didn't have to "get it" and he would help me. Now I am a stay at home mom so I never have to do this kind of thing!

I was running the SuperAntiSpyware when you posted this so I will post that log and the new HJT.

I don't recognize those 2 files. The "howyj" one opens a little program error window about every 5 minutes - it is a thorn in my side:rolleyes:

I will take these next steps and post back...hopefully before my kids wake up from nap.

Jill

alsmommy21
2007-08-28, 20:56
It won't let me post the SuperAntiSpyware one. Says it is too long. What to do?

alsmommy21
2007-08-28, 21:05
Jotti for labumuces

File: labumuces
Status: OK
MD5: dc98f597037f1bc8e9c94b3cd332b417
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 28 Aug 2007 19:00:19 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

I couldn't find the other one when I browsed from Jotti. Is it gone?

New HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:30 PM, on 8/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {8FC1E183-A62B-4DA6-46A5-EDF822FA5535} - C:\Program Files\Accessories\labumuces.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188152850593
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 5493 bytes

alsmommy21
2007-08-28, 21:12
Here is SAS in 2 posts. Duh.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/28/2007 at 01:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3293
Trace Rules Database Version: 1304

Scan type : Complete Scan
Total Scan Time : 00:58:15

Memory items scanned : 336
Memory threats detected : 1
Registry items scanned : 3908
Registry threats detected : 10
File items scanned : 20540
File threats detected : 302

Trojan.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\HOWYJ22011.EXE
C:\PROGRAM FILES\COMMON FILES\HOWYJ22011.EXE
[howyj] C:\PROGRAM FILES\COMMON FILES\HOWYJ22011.EXE

Adware.k8l
C:\PROGRAM FILES\ACCESSORIES\PROKYBOVUR.HTML
HKU\S-1-5-21-2052111302-2000478354-839522115-500\Software\Microsoft\Internet Explorer\Desktop\Components\0
HKU\S-1-5-21-2052111302-2000478354-839522115-500\Software\Microsoft\Internet Explorer\Desktop\Components\0#Source
HKU\S-1-5-21-2052111302-2000478354-839522115-500\Software\Microsoft\Internet Explorer\Desktop\Components\0#SubscribedURL
HKU\S-1-5-21-2052111302-2000478354-839522115-500\Software\Microsoft\Internet Explorer\Desktop\Components\0#FriendlyName
HKU\S-1-5-21-2052111302-2000478354-839522115-500\Software\Microsoft\Internet Explorer\Desktop\Components\0#Flags
HKU\S-1-5-21-2052111302-2000478354-839522115-500\Software\Microsoft\Internet Explorer\Desktop\Components\0#Position
HKU\S-1-5-21-2052111302-2000478354-839522115-500\Software\Microsoft\Internet Explorer\Desktop\Components\0#CurrentState
HKU\S-1-5-21-2052111302-2000478354-839522115-500\Software\Microsoft\Internet Explorer\Desktop\Components\0#OriginalStateInfo
HKU\S-1-5-21-2052111302-2000478354-839522115-500\Software\Microsoft\Internet Explorer\Desktop\Components\0#RestoredStateInfo

Adware.Tracking Cookie

alsmommy21
2007-08-28, 21:14
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@statse.webtrendslive[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@superstats[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tacoda[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@track.searchignite[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tracking.foxnews[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@track[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tradedoubler[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@trafficmp[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tremor.adbureau[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@try.screensavers[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@try.starware[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ulta.122.2o7[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@valueclick[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@vhost.oddcast[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@waterfrontmedia.112.2o7[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@web4.realtracker[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@windowsmedia[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.adtrak[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.azoogleads[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.burstbeacon[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.burstnet[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.coolsavings[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.elitecarseats[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.rowise[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.sexycoolwink[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.trackerboats[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.trackermarine[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.windowsmedia[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.xctrk[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@xiti[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@z1.adserver[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@zedo[2].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\W9QNW1QZ\WINANTISPYWARE2007FREEINSTALL[1].EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\WINANTISPYWARE 2007 FREEINSTALL.EXE

Adware.Vundo Variant
C:\WINNT\GEEBBY.DLL
C:\WINNT\YAAYWU.DLL

Trojan.Downloader-XLIB
C:\WINNT\SYSTEM32\XLIBGFL254.DLL

alsmommy21
2007-08-28, 21:15
Trace.Known Threat Sources
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W9QNW1QZ\footer_gray_bg[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\G9QROHYV\ncp[1].css
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W9QNW1QZ\yikers_ballpark1_medium[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HUZ81UV\topframe_close_btn[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W9QNW1QZ\CA0PSH4F.php
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\G9QROHYV\CA238LI7.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HUZ81UV\yikers_hot_girl_gets_fruity_large[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HUZ81UV\zango_bg[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HUZ81UV\CAJEO77D.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\G9QROHYV\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HUZ81UV\contentAccess_eula_top[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W9QNW1QZ\btn_uci_no[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W9QNW1QZ\EulaGateway[1].aspx
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\G9QROHYV\yikers_paris_flashes_again_large[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\G9QROHYV\zango_logo[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\PGNEF7HJ\minify[1].php
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\PGNEF7HJ\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\PGNEF7HJ\minify[2].php
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HUZ81UV\yikers_paris_flashes_again_medium[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HUZ81UV\seekmo_logo[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W9QNW1QZ\topframe_bg[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\PGNEF7HJ\btn_uci_yes[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\OJUHKXA1\160x600-wavp2007-download-v2-en[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\CTG72NKB\index[1].php
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\LYISLQBF\banner1026n[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\S9AZODYF\index[1].php


UGH! I hope you really needed all that mess.....sorry if you didn't!

ken545
2007-08-29, 00:17
Ok , moving right along.

Run this system cleaner.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.



Let me show you how to restore from backups that HJT makes in case there is a problem.

To restore the backups:
Open HiJackThis
Click on "View the list of Backups"
Place a check mark next to anything you want to restore
Click Restore
Click Yes
Reboot your computer



Remove this with HJT since the file is missing:

O2 - BHO: 0 - {8FC1E183-A62B-4DA6-46A5-EDF822FA5535} - C:\Program Files\Accessories\labumuces.dll (file missing)


Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Please run SAS again and post the log along with the Vundo log and a New HJT log
When you run SAS, make sure you do this.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

alsmommy21
2007-08-29, 02:50
Ok, here is the latest and greatest.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/28/2007 at 07:29 PM

Application Version : 3.9.1008

Core Rules Database Version : 3293
Trace Rules Database Version: 1304

Scan type : Complete Scan
Total Scan Time : 00:43:16

Memory items scanned : 308
Memory threats detected : 0
Registry items scanned : 3927
Registry threats detected : 0
File items scanned : 17236
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.as4x.tmcs[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[1].txt



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:24 PM, on 8/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188152850593
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 5361 bytes


I ran VundoFix and it found nothing. I am guessing that is a good sign?! Also ran S&D and only found a couple adware things that were easily removed.

Am I possibly done? Can it be??? :)
Jill

ken545
2007-08-29, 03:02
Am I possibly done? Can it be???

Your log looks great :2thumb:

Just remove these with HJT.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

If you use this one and know it to be safe, then leave it be:
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab


How is your system running now????
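The two HJT review steps in this thread (removing the O2 BHO whose DLL HijackThis reports as "(file missing)", and deciding whether an unnamed O16 ActiveX download such as the akamai-hosted Coupons.cab belongs on the machine) are the kind of check a small script can do consistently. The following is an added example written for this page; it is not part of the original posts and not HijackThis's own code. It parses the O2, O4 and O16 entry lines in the log format shown above and flags a BHO with a missing DLL, an O16 download from a host outside an allowlist, and an autorun that launches from a temp directory. The allowlist and the one O4 "example.exe" line are assumptions constructed for the demonstration; the other sample lines are copied from the HJT logs in this thread.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread; not HijackThis code and not from the
original posts. TRUSTED_DPF_HOSTS and the O4 "Example" line below are
assumptions; every other sample line is copied from the logs above.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# HJT entry lines look like "<kind> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# Hosts from which an O16 (DPF) ActiveX download is accepted.
# Assumed for this example; adjust to what the machine's owner uses.
TRUSTED_DPF_HOSTS = (
    "microsoft.com",
    "kaspersky.com",
    "msn.com",
    "pandasoftware.com",
    "walgreens.com",
)

# Path fragments a legitimate HKLM Run entry almost never launches from.
USER_WRITABLE_FRAGMENTS = ("\\local settings\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split an HJT line into (kind, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def host_is_trusted(host: str, trusted: Iterable[str]) -> bool:
    """Exact or subdomain match only, so 'evilmicrosoft.com' does not pass."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(lines: Iterable[str],
           trusted_hosts: Iterable[str] = TRUSTED_DPF_HOSTS) -> List[Finding]:
    """Return the entries a helper would ask about, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, body = parsed
        if kind == "O2" and body.endswith("(file missing)"):
            # CLSID still registered as a BHO, but the DLL is gone: dangling entry.
            findings.append(Finding(kind, "BHO CLSID registered but DLL missing", raw.strip()))
        elif kind == "O16":
            # Body: "DPF: {CLSID} (Name) - http://host/file.cab"; URL is the last " - " field.
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not host_is_trusted(host, trusted_hosts):
                findings.append(Finding(kind, f"ActiveX download from non-allowlisted host {host}", raw.strip()))
        elif kind == "O4":
            # Body: "HKLM\..\Run: [Name] command"; the command follows "] ".
            command = body.split("] ", 1)[-1].lower()
            if any(frag in command for frag in USER_WRITABLE_FRAGMENTS):
                findings.append(Finding(kind, "autorun launches from a temp directory", raw.strip()))
    return findings


# Sample input. All lines except the "[Example]" O4 line (constructed) are
# copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: 0 - {8FC1E183-A62B-4DA6-46A5-EDF822FA5535} - C:\Program Files\Accessories\labumuces.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Example] "C:\Documents and Settings\Administrator\Local Settings\Temp\example.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

On the sample above the script reports three entries: the labumuces.dll BHO, the constructed temp-directory autorun, and the Coupons.cab download from a19.g.akamai.net. The last one is exactly the judgement call ken545 leaves to the user: the script only says the host is not on the allowlist, not that the control is malicious.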

alsmommy21
2007-08-29, 03:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:37 PM, on 8/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188152850593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 5039 bytes


Everything is running great. Have had a couple of pop ups, but not bad.

Whatcha think?

ken545
2007-08-29, 03:45
Have had a couple of pop ups, but not bad.

Your log looks clean, what pop ups are you talking about?? Write them down and let me know. You should be getting none. We can dig deeper if we have to.

Ken

alsmommy21
2007-08-29, 04:34
I haven't had one pop up in a bit. I don't remember what it was, but it was one of those that has lots of flashing lights. I will write it down if I see it again.

I rebooted and ran S&D again to just see. I got 4 items (none of which were Virtumonde) and all were able to be removed. Should I worry about that?

Also, what do you recommend I do now to keep it clean? I have sbc yahoo online protection. What else?

My husband plays online poker quite a bit and I have recently been informed that this makes us vulnerable. What can I do?

Thanks again Ken. You have been more than helpful to me.

Jill

ken545
2007-08-29, 10:45
Good Morning Jill,


My husband plays online poker quite a bit and I have recently been informed that this makes us vulnerable. What can I do?

This can sometimes, but not always, be a problem depending on the site. I didn't see anything on your log related to this.


Do this..

System Restore makes regular backups of all your settings. If you ever had to use it to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it



How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install; don't leave home without them.

Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.


Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs; I wouldn't access the internet without it.


It's been a pleasure helping you, stay safe.

Safe Surfn
Ken

alsmommy21
2007-08-29, 11:17
I tried to do the system restore, but I didn't see it in my options in my computer. This used to be my work-from-home comp and they let me keep it so it is pretty outdated. Where else should I look?

Sorry...I know you thought you were done with me:(

Thanks again,
Jill

ken545
2007-08-29, 12:46
:oops:
Forgot you had Win 2000 and I believe it does not have that feature.

Sooooooooo you're good to go :bigthumb::bigthumb:

Ken

alsmommy21
2007-08-29, 13:01
Thanks again - really...thanks a ton. When my friend told me to post here to get help I was worried it would go over my head, but you were great!

Have a great day!
Jill

ken545
2007-08-29, 13:08
You're more than welcome, Jill.

Stay well,

Ken