"Command Service, WinAntiSpyware, and Virtumonde"



blitz
2007-09-21, 09:27
I run Spybot, and it removes most of the files except Command Service 3 entries. Any help is appreciated greatly.

I've read some threads, and I'll post a log from Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:25 AM, on 9/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\kenstkyp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jose\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{4A-A0-00-0F-ZN}] C:\DOCUME~1\Jose\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\Jose\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\qpotlexd.dll",sitypnow
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Jose\Local Settings\Temp\thinksnet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9zZQ\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\System32\kenstkyp.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rtemehdowu.html

--
End of file - 7984 bytes

ken545
2007-09-21, 14:19
Hello blitz

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)

It's important that HJT resides in its own folder. Go to your C:\ drive and create a new folder and name it Hijackthis, then go to your desktop and right-click on Hijackthis and select CUT, then open the new folder you just created and inside that folder select PASTE.


We need to disable the Tea Timer in Spybot Search and Destroy so as not to interfere with the fix.
Open Spybot and go to Mode> Advanced Mode> Tools> Resident and take the checkmark out of Tea Timer


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

blitz
2007-09-26, 17:02
ComboFix 07-09-21.2 - "Jose" 2007-09-26 9:53:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.663 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\Jose\APPLIC~1\macromedia\Flash Player\#SharedObjects\J2VD68AM\www.broadcaster.com
C:\DOCUME~1\Jose\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Jose\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Jose\APPLIC~1\WinAntiSpyware 2007
C:\DOCUME~1\Jose\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\Jose\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\Jose\STARTM~1\Programs\Startup\ta_start.lnk
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\WindowsUpdate\rtemehdowu.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aayeqovl.exe
C:\WINDOWS\system32\ajuwxyel.exe
C:\WINDOWS\system32\aoecnmcu.exe
C:\WINDOWS\system32\bevmbdtw.exe
C:\WINDOWS\system32\bfqasmpi.exe
C:\WINDOWS\system32\chqocoeg.ini
C:\WINDOWS\system32\cpwmddnm.exe
C:\WINDOWS\system32\cydjwfpb.exe
C:\WINDOWS\system32\douodmag.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\dsawwlnq.exe
C:\WINDOWS\system32\edgeoouj.exe
C:\WINDOWS\system32\ehngpnis.exe
C:\WINDOWS\system32\eughdbgw.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\facvffaq.exe
C:\WINDOWS\system32\ffhkj.bak1
C:\WINDOWS\system32\ffhkj.bak2
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\ffhkj.tmp
C:\WINDOWS\system32\ffwtjdtd.exe
C:\WINDOWS\system32\fkffqwqx.exe
C:\WINDOWS\system32\geocoqhc.dll
C:\WINDOWS\system32\hdfgpjfr.exe
C:\WINDOWS\system32\hurplpia.exe
C:\WINDOWS\system32\ipiletdb.exe
C:\WINDOWS\system32\iqcwsdgu.exe
C:\WINDOWS\system32\ivcjdhuv.exe
C:\WINDOWS\system32\janyjbhx.exe
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkkheda.dll
C:\WINDOWS\system32\kenstkyp.exe
C:\WINDOWS\system32\kqmlbgor.ini
C:\WINDOWS\system32\lfevhgmf.exe
C:\WINDOWS\system32\ljswbuwq.exe
C:\WINDOWS\system32\ljwvqehp.exe
C:\WINDOWS\system32\lqoubtbe.exe
C:\WINDOWS\system32\lqxwtlcf.exe
C:\WINDOWS\system32\mefecsbp.exe
C:\WINDOWS\system32\nbiyhilx.exe
C:\WINDOWS\system32\obmnmotg.exe
C:\WINDOWS\system32\ocolpscr.exe
C:\WINDOWS\system32\ocoqdtro.exe
C:\WINDOWS\system32\olehlcvh.exe
C:\WINDOWS\system32\onaxcory.dll
C:\WINDOWS\system32\qhvskksx.exe
C:\WINDOWS\system32\qoqdvcyy.exe
C:\WINDOWS\system32\qrigakqh.exe
C:\WINDOWS\system32\qvqjfcbr.exe
C:\WINDOWS\system32\qxhthxct.exe
C:\WINDOWS\system32\rogblmqk.dll
C:\WINDOWS\system32\shsnkfoa.exe
C:\WINDOWS\system32\spaehgdj.exe
C:\WINDOWS\system32\tgtfpgat.exe
C:\WINDOWS\system32\twgqttfi.exe
C:\WINDOWS\system32\umnirchu.exe
C:\WINDOWS\system32\usxvyumi.exe
C:\WINDOWS\system32\vemgbnee.exe
C:\WINDOWS\system32\vnrredxi.exe
C:\WINDOWS\system32\wnurqdga.exe
C:\WINDOWS\system32\xbwobonn.exe
C:\WINDOWS\system32\xxyyyww.dll
C:\WINDOWS\system32\yghdudxi.exe
C:\WINDOWS\system32\yhiynkro.exe
C:\WINDOWS\system32\yxgowymd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-26 09:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 09:43 84,032 --a------ C:\WINDOWS\system32\arbpatvd.dll
2007-09-26 09:34 <DIR> d----c--- C:\Hijackthis
2007-09-26 09:23 84,032 --a------ C:\WINDOWS\system32\akyircxj.dll
2007-09-26 08:54 84,032 --a------ C:\WINDOWS\system32\ualdaheq.dll
2007-09-26 08:39 84,032 --a------ C:\WINDOWS\system32\prwiwmaq.dll
2007-09-26 08:28 84,032 --a------ C:\WINDOWS\system32\aufmcjus.dll
2007-09-26 08:23 84,032 --a------ C:\WINDOWS\system32\ffspjrxv.dll
2007-09-25 23:51 <DIR> d-------- C:\DOCUME~1\Jose\APPLIC~1\BearShare
2007-09-25 23:43 84,032 --a------ C:\WINDOWS\system32\trwdtjcy.dll
2007-09-25 20:52 84,032 --a------ C:\WINDOWS\system32\pfgmlelf.dll
2007-09-25 20:48 84,032 --a------ C:\WINDOWS\system32\hgitqddt.dll
2007-09-25 17:01 84,032 --a------ C:\WINDOWS\system32\twvvfmkj.dll
2007-09-21 02:03 87,616 --a------ C:\WINDOWS\system32\qpotlexd.dll
2007-09-21 01:29 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-09-21 01:29 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-21 01:29 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-09-20 23:33 87,616 --a------ C:\WINDOWS\system32\sfimocgg.dll
2007-09-17 04:26 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-09-12 23:39 <DIR> d-------- C:\DOCUME~1\Jose\Contacts
2007-09-12 23:38 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-08 04:49 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-08 01:19 <DIR> d--hs---- C:\WINDOWS\Sm9zZQ
2007-09-08 01:19 <DIR> d----c--- C:\Temp
2007-09-08 01:19 <DIR> d-------- C:\WINDOWS\system32\drvr2
2007-09-08 01:19 <DIR> d-------- C:\WINDOWS\system32\cfig322
2007-09-08 01:19 <DIR> d-------- C:\WINDOWS\system32\capcam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 23:39 --------- d-------- C:\Program Files\MSN Messenger
2007-02-23 21:55 1397554 --a--c--- C:\DOCUME~1\Jose\WoW-2.0.8.6403-to-0.0.10.6422-enUS-patch.exe
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\Sm9zZQ\mA6Wtk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15796FF7-15D9-43CD-AF84-D800DF6A548A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1355058-F949-4302-B0C1-C4AE780303E6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2003-11-12 06:54]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 00:00]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56]
"sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [2003-08-22 12:22]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 19:32]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 12:43 C:\WINDOWS\AGRSMMSG.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SearchIndexer"="C:\WINDOWS\System32\arbpatvd.dll" [2007-09-26 09:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ares"="D:\Program Files\Ares\Ares.exe" [2006-02-11 17:37]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"Steam"="D:\steam\Steam.exe" [2007-06-28 00:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkkii]
pmnkkii.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R0 SonyLSM;LED State Service;C:\WINDOWS\System32\Drivers\SonyLSM.sys
R3 P17;Creative SB Audigy LS;C:\WINDOWS\System32\drivers\P17.sys
R3 smrt;Sony MPEG RealTime encoder board;C:\WINDOWS\System32\DRIVERS\smrt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-26 14:41:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-01-19 23:11:59 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 09:58:40
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-26 10:00:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 10:00
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:07 AM, on 9/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15796FF7-15D9-43CD-AF84-D800DF6A548A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O2 - BHO: (no name) - {E1355058-F949-4302-B0C1-C4AE780303E6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\arbpatvd.dll",sitypnow
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7903 bytes

Sorry about the late response. I've been busy lately but I bookmarked this page.

ken545
2007-09-26, 19:34
No problem blitz,

You have done very well, Combofix removed a ton of bad files.

Go to your Add Remove Programs in the Control Panel and uninstall anything to do with Viewpoint. It's not malicious, but it installs without your knowledge or consent and uses up system resources.



Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update
Java Runtime Environment Version 6 Update 2 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.



Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {15796FF7-15D9-43CD-AF84-D800DF6A548A} - (no file)
O2 - BHO: (no name) - {E1355058-F949-4302-B0C1-C4AE780303E6} - (no file)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\RunApp.exe

O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot up.



Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

A lot of the files removed by Combofix were related to the Vundo Trojan. The thieves that have written this trojan have written it to evade an HJT scan, and by renaming it, if there is any more Vundo on your system it will show up on your HJT log, so do this, it's important.

C:\Hijackthis\HijackThis.exe <-- Go here and right click on the HJT icon (looks like a man with a spyglass) and rename it to Scanner.exe

Let me see the Vundo log and a new HJT log renamed to Scanner.exe please.
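One way to mechanise the triage ken545 does by eye on the logs in this thread, as an added example that is not from the thread, from Safer Networking or from HijackThis itself: a Python script that parses HJT-format entries and flags the patterns the helper acts on above (BHO, Winlogon Notify and service entries whose file is missing, services with no vendor, autostarts from a Temp directory, rundll32 loading DLLs with random-looking names like qpotlexd.dll and arbpatvd.dll). The heuristics and their reason strings are my own assumptions; the sample lines are copied from the HijackThis logs posted earlier in this thread.

```python
"""Triage heuristics for HijackThis v2.0.2 log lines (added example).

Not from the thread or from HijackThis: the checks are assumptions encoding
what the helper above acts on, and the regexes are tuned to the log format.
"""
import re

# Constructed sample: entries copied from the HijackThis logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {15796FF7-15D9-43CD-AF84-D800DF6A548A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\qpotlexd.dll",sitypnow
O4 - HKLM\..\Run: [{4A-A0-00-0F-ZN}] C:\DOCUME~1\Jose\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9zZQ\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\System32\kenstkyp.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN = re.compile(r"^(?:HK(?:LM|CU)\\\.\.\\Run|Startup|Global Startup): "
                 r"(?:\[(?P<key>[^\]]*)\] )?(?P<cmd>.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
# The owner field can be empty ("DomainService - - C:\..."), hence the " ?-".
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>.*)$")
TEMP_DIR = re.compile(r"\\temp\\", re.I)
RANDOM_NAME = re.compile(r"^[a-z]{7,8}\.(?:dll|exe)$")


def looks_random(path):
    """Weak signal: 7-8 lowercase letters and no digits, like qpotlexd.dll or
    arbpatvd.dll above.  Legitimate binaries (spoolsv.exe, winlogon.exe) match
    too, so it is only used together with another signal."""
    base = re.split(r"[\\/]", path.strip().strip('"'))[-1]
    return bool(RANDOM_NAME.match(base.split(" ")[0]))


def check(code, body):
    """Reasons one HJT entry deserves a look; empty list if none."""
    reasons = []
    if code == "O2" and (m := BHO.match(body)):
        if m.group("name") == "(no name)":
            reasons.append("unnamed BHO")
        if m.group("path") == "(no file)" or "(file missing)" in m.group("path"):
            reasons.append("orphaned entry, DLL not on disk")
        elif reasons and looks_random(m.group("path")):
            reasons.append("random-looking DLL name")
    elif code == "O4" and (m := RUN.match(body)):
        cmd = m.group("cmd")
        if TEMP_DIR.search(cmd):
            reasons.append("autostart launched from a Temp directory")
        r = RUNDLL.match(cmd)
        if r and looks_random(r.group("dll")):
            reasons.append("rundll32 loading a random-looking DLL")
    elif code == "O20" and body.startswith("Winlogon Notify:"):
        if "(file missing)" in body:
            reasons.append("orphaned Winlogon Notify entry")
        if reasons and looks_random(body.split(" - ", 1)[-1]):
            reasons.append("random-looking Notify DLL name")
    elif code == "O23" and (m := SERVICE.match(body)):
        if m.group("owner").strip() in ("", "Unknown owner"):
            reasons.append("service with no vendor recorded")
        if "(file missing)" in m.group("path"):
            reasons.append("service binary not on disk")
        elif reasons and looks_random(m.group("path")):
            reasons.append("random-looking service binary name")
    return reasons


def triage(log_text):
    """One finding per suspicious line: {"code", "line", "reasons"}."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and (reasons := check(m.group("code"), m.group("body"))):
            findings.append({"code": m.group("code"), "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']}: {'; '.join(f['reasons'])}\n    {f['line']}")
```

Entries the script leaves alone (the SDHelper BHO, iTunesHelper, the iPod service) are the legitimate ones ken545 also left alone; a hit is a prompt to look, not a verdict, since the name heuristic is deliberately loose.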

blitz
2007-09-26, 20:45
VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Scan started at 1:31:02 PM 9/26/2007

Listing files found while scanning....

C:\WINDOWS\System32\eavbhmpx.ini
C:\WINDOWS\System32\qommllm.dll
C:\WINDOWS\System32\rkuhtpty.dll
C:\WINDOWS\System32\xpmhbvae.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\eavbhmpx.ini
C:\WINDOWS\System32\eavbhmpx.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\qommllm.dll
C:\WINDOWS\System32\qommllm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\rkuhtpty.dll
C:\WINDOWS\System32\rkuhtpty.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\xpmhbvae.dll
C:\WINDOWS\System32\xpmhbvae.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\qommllm.dll
C:\WINDOWS\System32\qommllm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\rkuhtpty.dll
C:\WINDOWS\System32\rkuhtpty.dll Has been deleted!

Performing Repairs to the registry.
Done!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:40 PM, on 9/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISM\ISMModule4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Hijackthis\Scanner.exe.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: 0 - {055F1C8D-372F-44A6-7E93-C77183DF3972} - C:\Program Files\WindowsUpdate\qudasud954.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll
O2 - BHO: (no name) - {95DE7BC3-FE30-4525-B79D-0D77457C4FB5} - C:\Program Files\Common Files\meroz83122.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\qommllm.dll
O2 - BHO: (no name) - {D1589126-DD1C-48D1-99B4-2E4DCF341021} - C:\Program Files\Common Files\meroz4444.dll
O2 - BHO: (no name) - {DCE02A44-A8C1-49E2-BC2D-47E00AF9E073} - C:\WINDOWS\System32\ssqrr.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)
O20 - Winlogon Notify: qommllm - C:\WINDOWS\SYSTEM32\qommllm.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9zZQ\command.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\bqlrtxjl.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rtemehdowu.html

--
End of file - 8984 bytes

ken545
2007-09-27, 01:45
blitz,

I don't know what's going on on your system; you're picking up stuff as fast as we are removing it. I suggest you stay off the internet except for posting here.

Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: 0 - {055F1C8D-372F-44A6-7E93-C77183DF3972} - C:\Program Files\WindowsUpdate\qudasud954.dll
O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll
O2 - BHO: (no name) - {95DE7BC3-FE30-4525-B79D-0D77457C4FB5} - C:\Program Files\Common Files\meroz83122.dll
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\qommllm.dll
O2 - BHO: (no name) - {D1589126-DD1C-48D1-99B4-2E4DCF341021} - C:\Program Files\Common Files\meroz4444.dll
O2 - BHO: (no name) - {DCE02A44-A8C1-49E2-BC2D-47E00AF9E073} - C:\WINDOWS\System32\ssqrr.dll

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"

O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)
O20 - Winlogon Notify: qommllm - C:\WINDOWS\SYSTEM32\qommllm.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9zZQ\command.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\bqlrtxjl.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad

File::
C:\WINDOWS\system32\qommllm.dll
C:\WINDOWS\System32\ssqrr.dll
C:\Program Files\Common Files\meroz83122.dll
C:\Program Files\Common Files\meroz4444.dll

Folder::

C:\Program Files\ISM
C:\Program Files\WindowsUpdate

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

blitz
2007-09-27, 04:54
ComboFix 07-09-21.2 - "Jose" 2007-09-26 21:46:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.686 [GMT -5:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\qommllm.dll
C:\WINDOWS\System32\ssqrr.dll
C:\Program Files\Common Files\meroz83122.dll
C:\Program Files\Common Files\meroz4444.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\ISM
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule4.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\network monitor
C:\Program Files\TTC.dll
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.4\wbuninst.exe
C:\Program Files\web buying\v1.8.4\webbuying.exe
C:\Program Files\WindowsUpdate
C:\Program Files\WindowsUpdate\qudasud.dll
C:\Program Files\WindowsUpdate\qudasud162.dll
C:\Program Files\WindowsUpdate\qudasud231.dll
C:\Program Files\WindowsUpdate\qudasud247.dll
C:\Program Files\WindowsUpdate\qudasud389.dll
C:\Program Files\WindowsUpdate\qudasud459
C:\Program Files\WindowsUpdate\qudasud459.dll
C:\Program Files\WindowsUpdate\qudasud513.dll
C:\Program Files\WindowsUpdate\qudasud750.dll
C:\Program Files\WindowsUpdate\qudasud843.dll
C:\Program Files\WindowsUpdate\qudasud954
C:\Program Files\WindowsUpdate\qudasud954.dll
C:\Program Files\WindowsUpdate\rtemehdowu.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\C2
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\qommllm.dll
C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z1\mid2dll.exe
C:\WINDOWS\system32\Z2
C:\WINDOWS\system32\Z2\mon33dll.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-26 13:32 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-09-26 13:31 <DIR> d----c--- C:\VundoFix Backups
2007-09-26 10:31 <DIR> d-------- C:\WINDOWS\system32\GB9
2007-09-26 10:31 <DIR> d-------- C:\WINDOWS\system32\DL1
2007-09-26 10:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-26 09:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 09:43 84,032 --a------ C:\WINDOWS\system32\arbpatvd.dll
2007-09-26 09:34 <DIR> d----c--- C:\Hijackthis
2007-09-26 09:23 84,032 --a------ C:\WINDOWS\system32\akyircxj.dll
2007-09-26 08:54 84,032 --a------ C:\WINDOWS\system32\ualdaheq.dll
2007-09-26 08:39 84,032 --a------ C:\WINDOWS\system32\prwiwmaq.dll
2007-09-26 08:28 84,032 --a------ C:\WINDOWS\system32\aufmcjus.dll
2007-09-26 08:23 84,032 --a------ C:\WINDOWS\system32\ffspjrxv.dll
2007-09-25 23:51 <DIR> d-------- C:\DOCUME~1\Jose\APPLIC~1\BearShare
2007-09-25 23:43 84,032 --a------ C:\WINDOWS\system32\trwdtjcy.dll
2007-09-25 20:52 84,032 --a------ C:\WINDOWS\system32\pfgmlelf.dll
2007-09-25 20:48 84,032 --a------ C:\WINDOWS\system32\hgitqddt.dll
2007-09-25 17:01 84,032 --a------ C:\WINDOWS\system32\twvvfmkj.dll
2007-09-21 02:03 87,616 --a------ C:\WINDOWS\system32\qpotlexd.dll
2007-09-21 01:29 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-09-21 01:29 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-21 01:29 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-09-20 23:33 87,616 --a------ C:\WINDOWS\system32\sfimocgg.dll
2007-09-17 04:26 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-09-12 23:39 <DIR> d-------- C:\DOCUME~1\Jose\Contacts
2007-09-12 23:38 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-08 04:49 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-08 01:19 <DIR> d--hs---- C:\WINDOWS\Sm9zZQ
2007-09-08 01:19 <DIR> d----c--- C:\Temp
2007-09-08 01:19 <DIR> d-------- C:\WINDOWS\system32\drvr2
2007-09-08 01:19 <DIR> d-------- C:\WINDOWS\system32\cfig322
2007-09-08 01:19 <DIR> d-------- C:\WINDOWS\system32\capcam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 13:14 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-26 13:14 --------- d-------- C:\Program Files\Viewpoint
2007-09-12 23:39 --------- d-------- C:\Program Files\MSN Messenger
2007-02-23 21:55 1397554 --a--c--- C:\DOCUME~1\Jose\WoW-2.0.8.6403-to-0.0.10.6422-enUS-patch.exe
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\Sm9zZQ\mA6Wtk.vbs
.

((((((((((((((((((((((((((((( snapshot_2007-09-26_ 95950.26 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-07-12 06:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-12 06:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-12 07:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 169,147 2007-08-03 00:44:02 C:\WINDOWS\system32\DL1\MMEMDT83122.exe
----a-w 9,814 2007-09-23 14:13:54 C:\WINDOWS\system32\GB9\wrdrvrdl23.exe
.
-c--a-w 24,673 2003-08-20 00:41:26 C:\WINDOWS\system32\java.exe
-c--a-w 28,771 2003-08-20 00:41:28 C:\WINDOWS\system32\javaw.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4b7c213c-b627-4975-af76-1b8aa21a66b3}]
C:\WINDOWS\System32\wxeusvn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2003-11-12 06:54]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 00:00]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56]
"sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [2003-08-22 12:22]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 19:32]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 12:43 C:\WINDOWS\AGRSMMSG.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ares"="D:\Program Files\Ares\Ares.exe" [2006-02-11 17:37]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"Steam"="D:\steam\Steam.exe" [2007-06-28 00:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkkii]
pmnkkii.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R0 SonyLSM;LED State Service;C:\WINDOWS\System32\Drivers\SonyLSM.sys
R3 P17;Creative SB Audigy LS;C:\WINDOWS\System32\drivers\P17.sys
R3 smrt;Sony MPEG RealTime encoder board;C:\WINDOWS\System32\DRIVERS\smrt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-26 14:41:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-01-19 23:11:59 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 21:50:32
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-26 21:52:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 21:52
C:\ComboFix2.txt ... 2007-09-26 10:00
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:27 PM, on 9/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ISM\ISMModule4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Hijackthis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O2 - BHO: 0 - {C06FC324-5F0F-4EA7-2B8B-FDA93DE1676F} - C:\Program Files\WindowsUpdate\qudasud459.dll
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\qommllm.dll
O2 - BHO: (no name) - {FF328047-E67B-48DC-9090-A072FF6AC353} - C:\WINDOWS\System32\ssqrr.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)
O20 - Winlogon Notify: qommllm - C:\WINDOWS\SYSTEM32\qommllm.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9zZQ\command.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\bqlrtxjl.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rtemehdowu.html

--
End of file - 8486 bytes

Thanks for all the help, ken545. I really appreciate it.

ken545
2007-09-27, 11:16
A lot of this stuff won't go away. This is going to take some more work to remove this stuff.

Open a command prompt
Start > Run
Type cmd
Press Enter
Type
sc delete cmdservice
sc delete DomainService
sc delete "Network Monitor"
You will have to do these one at a time

Press enter
Type exit and press enter to exit the command prompt


Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\qommllm.dll
O2 - BHO: (no name) - {FF328047-E67B-48DC-9090-A072FF6AC353} - C:\WINDOWS\System32\ssqrr.dll

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)
O20 - Winlogon Notify: qommllm - C:\WINDOWS\SYSTEM32\qommllm.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9zZQ\command.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\bqlrtxjl.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rtemehdowu.html

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file, then extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to Delete:
C:\WINDOWS\system32\qommllm.dll
C:\WINDOWS\System32\ssqrr.dll
C:\WINDOWS\retadpu1000106.exe

Folders to delete:
C:\Program Files\ISM

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

I need the log from SAS and a new HJT log please
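A small triage script, added here as an illustration and not part of HijackThis, ComboFix or any tool used in this thread, that applies the checks ken545 made by eye (nameless BHOs, missing files, unknown-owner services, Winlogon Notify and Desktop Component hooks, a Run value carrying a long hex argument) to lines copied from the logs above, and reports a file that is hooked from more than one section, as qommllm.dll is:

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not HijackThis code and not a tool the
helper used. It flags the entry types the helper picked out by hand and then
correlates file paths across sections, since one DLL registered both as an O2
BHO and as an O20 Winlogon Notify handler is the pattern seen in this thread.
"""
import re
from dataclasses import dataclass

# Lines copied verbatim from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\qommllm.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O20 - Winlogon Notify: qommllm - C:\WINDOWS\SYSTEM32\qommllm.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9zZQ\command.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rtemehdowu.html
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows path ending in a module/page extension; paths may contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx|html)\b", re.IGNORECASE)
# A Run value whose last argument is a long bare hex string.
HEX_ARG_RE = re.compile(r"\s[0-9A-Fa-f]{32,}\s*$")


@dataclass
class Finding:
    section: str
    path: str        # lower-cased file path, "" if none could be extracted
    reasons: list
    line: str


def extract_path(body):
    m = PATH_RE.search(body)
    return m.group(0).lower() if m else ""


def triage_line(line):
    """Return a Finding for one log line, or None if nothing looks suspicious."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("referenced file is missing")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO has no name")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has unknown owner")
    if section == "O20":
        reasons.append("Winlogon Notify DLL (loaded into winlogon.exe)")
    if section == "O24":
        reasons.append("Active Desktop component")
    if section == "O4" and HEX_ARG_RE.search(body):
        reasons.append("Run value passes a long hex blob as an argument")
    if not reasons:
        return None
    return Finding(section, extract_path(body), reasons, line.strip())


def triage(log_text):
    """Run triage_line over a whole log and keep only the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


def shared_files(findings):
    """Map each flagged file path to its sections, keeping paths seen in more than one."""
    by_path = {}
    for f in findings:
        if f.path:
            by_path.setdefault(f.path, set()).add(f.section)
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
    for path, sections in shared_files(found).items():
        print(f"{path} is hooked from {', '.join(sections)}")
```

On the sample above it flags six entries and reports qommllm.dll as hooked from both O2 and O20; a legitimate entry such as the iPod service passes untouched.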

blitz
2007-10-01, 14:09
Sorry, been busy. Trying to do this as much as I can. ><

I stopped doing the directions when you told me to open DOS, because when I typed in the first thing you told me to, it said:

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

I don't know what to think of it, so I decided to wait for a reply since I don't want to mess around with things I don't know a lot about.

ken545
2007-10-01, 18:44
OK, just remove those entries with HJT and then run the Avenger to delete those files. Then run SAS; it's a great free program.

Post a new log, the SAS report and also the Avenger Report

Ken:)

blitz
2007-10-09, 04:42
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:51 PM, on 10/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Hijackthis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 7718 bytes


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mkmeipxc

*******************

Script file located at: \??\C:\Documents and Settings\lsxwxbvv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\qommllm.dll not found!
Deletion of file C:\WINDOWS\system32\qommllm.dll failed!

Could not process line:
C:\WINDOWS\system32\qommllm.dll
Status: 0xc0000034



File C:\WINDOWS\System32\ssqrr.dll not found!
Deletion of file C:\WINDOWS\System32\ssqrr.dll failed!

Could not process line:
C:\WINDOWS\System32\ssqrr.dll
Status: 0xc0000034



File C:\WINDOWS\retadpu1000106.exe not found!
Deletion of file C:\WINDOWS\retadpu1000106.exe failed!

Could not process line:
C:\WINDOWS\retadpu1000106.exe
Status: 0xc0000034



Folder C:\Program Files\ISM not found!
Deletion of folder C:\Program Files\ISM failed!

Could not process line:
C:\Program Files\ISM
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

blitz
2007-10-09, 04:42
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/08/2007 at 09:30 PM

Application Version : 3.9.1008

Core Rules Database Version : 3321
Trace Rules Database Version: 1322

Scan type : Complete Scan
Total Scan Time : 01:01:50

Memory items scanned : 388
Memory threats detected : 0
Registry items scanned : 5819
Registry threats detected : 3
File items scanned : 36948
File threats detected : 206

Adware.Tracking Cookie
C:\Documents and Settings\Jose\Cookies\jose@revsci[2].txt
C:\Documents and Settings\Jose\Cookies\jose@atwola[1].txt
C:\Documents and Settings\Jose\Cookies\jose@serving-sys[2].txt
C:\Documents and Settings\Jose\Cookies\jose@ad.yieldmanager[1].txt
C:\Documents and Settings\Jose\Cookies\jose@zedo[2].txt
C:\Documents and Settings\Jose\Cookies\jose@ads.k8l[1].txt
C:\Documents and Settings\Jose\Cookies\jose@2o7[2].txt
C:\Documents and Settings\Jose\Cookies\jose@html[1].txt
C:\Documents and Settings\Jose\Cookies\jose@cgi-bin[1].txt
C:\Documents and Settings\Jose\Cookies\jose@adrevolver[2].txt
C:\Documents and Settings\Jose\Cookies\jose@media.adrevolver[2].txt
C:\Documents and Settings\Jose\Cookies\jose@atdmt[2].txt
C:\Documents and Settings\Jose\Cookies\jose@mediaplex[1].txt
C:\Documents and Settings\Jose\Cookies\jose@bs.serving-sys[2].txt
C:\Documents and Settings\Jose\Cookies\jose@advertising[1].txt
C:\Documents and Settings\Jose\Cookies\jose@doubleclick[1].txt
C:\Documents and Settings\Jose\Cookies\jose@adrevolver[3].txt

Adware.AdSponsor
HKCR\AppId\AdBand.DLL
HKCR\AppId\AdBand.DLL#AppID

Adware.AdSponsor/ISM
HKU\S-1-5-21-3504141195-3040112619-1337730830-1004\Software\BndDrive
C:\Documents and Settings\Jose\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Jose\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Jose\Start Menu\Programs\Internet Speed Monitor
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDLOADER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\ISM.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\ISMMODULE4.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175339.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175340.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175341.EXE

Unclassified.Unknown Origin
C:\HIJACKTHIS\BACKUPS\BACKUP-20070926-213549-715.DLL
C:\HIJACKTHIS\BACKUPS\BACKUP-20070926-213549-885.DLL
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\TTC.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1167170.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1168169.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1170169.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1171169.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172169.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172179.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1173169.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\SNAPSHOT\MFEX-1.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1173303.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1174309.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1175319.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1175320.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\SNAPSHOT\MFEX-1.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175338.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\SNAPSHOT\MFEX-1.DAT

Adware.Vundo Variant
C:\HIJACKTHIS\BACKUPS\BACKUP-20070926-213549-851.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JKKHEDA.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166151.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166166.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175356.DLL
C:\VUNDOFIX BACKUPS\QOMMLLM.DLL.BAD

Adware.WebBuying Assistant-Installer
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.4\WBUNINST.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.4\WEBBUYING.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1167169.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175343.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175344.EXE

Trojan.ZQuest
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD162.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD231.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD247.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD389.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD459.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD513.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD750.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD843.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD954.DLL.VIR

Adware.eZula
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AAYEQOVL.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AJUWXYEL.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AOECNMCU.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BEVMBDTW.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BFQASMPI.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CPWMDDNM.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CYDJWFPB.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DOUODMAG.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DSAWWLNQ.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EDGEOOUJ.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EHNGPNIS.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EUGHDBGW.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FACVFFAQ.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FFWTJDTD.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FKFFQWQX.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HDFGPJFR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HURPLPIA.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IPILETDB.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IQCWSDGU.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IVCJDHUV.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JANYJBHX.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KENSTKYP.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LFEVHGMF.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LJSWBUWQ.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LJWVQEHP.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LQOUBTBE.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LQXWTLCF.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MEFECSBP.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NBIYHILX.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OBMNMOTG.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OCOLPSCR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OCOQDTRO.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OLEHLCVH.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QHVSKKSX.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QOQDVCYY.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QRIGAKQH.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QVQJFCBR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QXHTHXCT.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SHSNKFOA.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SPAEHGDJ.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TGTFPGAT.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TWGQTTFI.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\UMNIRCHU.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\USXVYUMI.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VEMGBNEE.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VNRREDXI.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNURQDGA.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\XBWOBONN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YGHDUDXI.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YHIYNKRO.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YXGOWYMD.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP328\A1139913.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP329\A1141021.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP331\A1163997.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166099.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166100.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166101.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166102.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166103.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166104.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166105.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166106.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166107.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166108.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166109.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166110.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166111.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166112.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166113.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166114.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166115.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166116.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166117.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166118.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166119.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166120.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166121.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166122.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166123.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166124.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166125.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166126.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166127.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166128.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166129.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166130.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166131.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166132.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166133.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166134.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166135.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166136.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166137.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166138.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166139.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166140.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166141.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166142.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166143.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166144.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166145.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166146.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166147.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166148.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166149.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1173170.EXE

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\Z1\MID2DLL.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1173171.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175345.EXE

Trojan.ZQuest-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\TK58.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1167178.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1169176.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1170177.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1171177.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172177.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP334\A1173293.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1173316.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1175316.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175348.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\TTC-4444.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP323\A1118878.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1167177.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1169175.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1170176.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1171176.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172176.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP334\A1173292.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1173315.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1175315.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175337.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175349.EXE
C:\WINDOWS\SM9ZZQ\MA6WTK.VBS
C:\WINDOWS\SYSTEM32\DL1\MMEMDT83122.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP323\A1118880.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP323\A1118881.DLL

Trojan.WinAntiSpyware 2007
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP329\A1148014.EXE

Trojan.NetMon/DNSChange
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172180.EXE

Adware.WebBuying Assistant/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1173172.DLL

BearShare File Sharing Client
D:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE
C:\WINDOWS\Prefetch\BEARSHARE.EXE-302796FB.pf

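The scan log above reports 206 file hits, but most of them sit in System Restore points, in ComboFix's Qoobox quarantine or in HijackThis/VundoFix backup folders, where they are inert copies; only a handful are still in live locations. As an added example (not part of this thread and not SUPERAntiSpyware's own code), the Python below parses an excerpt of that log and sorts each hit by where it lives, so the items that still need attention stand out. The sample lines are taken from the posted log; the folder patterns, the `live` fallback and the function names are my assumptions.

```python
"""Classify SUPERAntiSpyware detections by where the flagged item lives.

Added example (not from the thread or from SUPERAntiSpyware). The helper
functions and the location rules are assumptions, not the tool's own logic.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the posted scan log: a threat name on its own
# line, then one flagged path or registry key per line, blank line between groups.
SAMPLE_SAS_LOG = r"""
Adware.Tracking Cookie
C:\Documents and Settings\Jose\Cookies\jose@doubleclick[1].txt

Adware.AdSponsor
HKCR\AppId\AdBand.DLL

Adware.Vundo Variant
C:\HIJACKTHIS\BACKUPS\BACKUP-20070926-213549-851.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JKKHEDA.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166151.DLL
C:\VUNDOFIX BACKUPS\QOMMLLM.DLL.BAD

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\TTC-4444.EXE.VIR
C:\WINDOWS\SM9ZZQ\MA6WTK.VBS
C:\WINDOWS\SYSTEM32\DL1\MMEMDT83122.EXE
"""

# Location classes, checked in order; the first match wins. Restore points,
# ComboFix's Qoobox quarantine and the HJT/VundoFix backup folders hold inert
# copies; a registry key or a file anywhere else is treated as live.
_LOCATION_RULES = [
    ("registry",      re.compile(r"^HK(LM|CU|CR|U|CC)\\", re.I)),
    ("restore_point", re.compile(r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{", re.I)),
    ("quarantine",    re.compile(r"\\QOOBOX\\QUARANTINE\\|\.VIR$", re.I)),
    ("tool_backup",   re.compile(r"\\HIJACKTHIS\\BACKUPS\\|\\VUNDOFIX BACKUPS\\|\.BAD$", re.I)),
    ("cookie",        re.compile(r"\\Cookies\\[^\\]+\.txt$", re.I)),
]


def classify_location(item: str) -> str:
    """Map one flagged path or registry key to a location class; default is 'live'."""
    for label, pattern in _LOCATION_RULES:
        if pattern.search(item):
            return label
    return "live"


def parse_sas_log(text: str) -> List[Tuple[str, str]]:
    """Return (threat_name, item) pairs from a SUPERAntiSpyware scan log."""
    detections: List[Tuple[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None            # a blank line ends the current group
        elif "\\" in line:
            if current is not None:   # a path/key under the current threat name
                detections.append((current, line))
        else:
            current = line            # a line without a path separator names the threat
    return detections


def group_by_location(text: str) -> Dict[str, List[Tuple[str, str]]]:
    grouped: Dict[str, List[Tuple[str, str]]] = {}
    for threat, item in parse_sas_log(text):
        grouped.setdefault(classify_location(item), []).append((threat, item))
    return grouped


def live_detections(text: str) -> List[Tuple[str, str]]:
    """Only the hits that are still in a live location and need attention now."""
    return group_by_location(text).get("live", [])


def summarize(text: str) -> Counter:
    return Counter(classify_location(item) for _, item in parse_sas_log(text))


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_SAS_LOG).items()):
        print(f"{label:14s} {count}")
    for threat, item in live_detections(SAMPLE_SAS_LOG):
        print("LIVE:", threat, item)
```

Running it on the excerpt separates the two files still under C:\WINDOWS from the seven hits that are quarantine copies, backups, a restore-point snapshot, a tracking cookie and a registry AppID; on the full log the same split is what tells the helper which items the next step actually has to remove.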
ken545
2007-10-09, 13:14
Good Morning,

Remove both these entries with HJT, check your HJT log after you remove them, and if they're still present you will have to boot to safemode to remove them.

O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)

O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)



To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot up, tap the F8 KEY somewhat rapidly;
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot up.


Delete the Combofix program that you downloaded and download it again, as it's updated every few days; then run it and post a new Combolog and a new HJT log.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

The rest of your log looks good, just want to make sure that there is nothing left on your system that needs to go.

Ken :)

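ken545 picks out the two HijackThis entries whose target file is already gone, which is the kind of check that can be scripted. As an added example (not from this thread and not HijackThis's own code), the Python below parses a few lines modelled on the posted log and flags the same dead references, plus entries worth a second look: unnamed BHOs, and Winlogon Notify DLLs or autoruns given only as a bare filename. The heuristics and the function names are my assumptions; the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis log entries.

Added example (not from the thread or from HijackThis). The rules below are
assumptions about what a helper looks for first, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)
"""

# "O2 - BHO: ..." style: a section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str
    body: str


@dataclass
class Finding:
    section: str
    body: str
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log lines into (section, body) entries; other lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply a few first-pass rules and return the entries that tripped one."""
    findings: List[Finding] = []
    for e in entries:
        reasons: List[str] = []
        if "(file missing)" in e.body or "(no file)" in e.body:
            reasons.append("dead reference: the target file is gone, so only the entry itself remains to fix")
        if e.section == "O2" and e.body.startswith("BHO: (no name)"):
            reasons.append("browser helper object registered without a name")
        if e.section == "O20" and e.body.startswith("Winlogon Notify:"):
            target = e.body.split(" - ", 1)[-1]
            if "\\" not in target:
                reasons.append("Winlogon Notify DLL given as a bare filename, resolved through the DLL search path")
        if e.section == "O4":
            m = re.search(r"\]\s*(.+)$", e.body)
            if m and "\\" not in m.group(1):
                reasons.append("autorun command without a full path, resolved through PATH; confirm which file runs")
        if reasons:
            findings.append(Finding(e.section, e.body, reasons))
    return findings


def entries_to_fix(text: str) -> List[str]:
    """Bodies of entries whose target file no longer exists (safe to fix in HJT)."""
    return [f.body for f in triage(parse_hjt(text))
            if any(r.startswith("dead reference") for r in f.reasons)]


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{f.section}: {f.body}")
        for r in f.reasons:
            print("   -", r)
```

On the sample this reports the wxeusvn.dll BHO, the unnamed BHO with "(no file)" and the pmnkkii Winlogon Notify entry as dead references, lists the bare AGRSMMSG.exe autorun for a manual look, and says nothing about the Acrobat BHO or the SASWinLogon entry, which both point at a real file by full path.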
tashi
2007-10-16, 00:40
blitz, still with us?

tashi
2007-10-20, 00:26
This topic has been archived due to lack of a response. :sick:

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.

Thank you ken545.

tashi
2007-10-21, 08:19
Re-opened upon request. :)

blitz
2007-10-21, 08:32
Hey, sorry about the really late response, been busy. I'm really appreciating all you're doing ken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:02 AM, on 10/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 7537 bytes

ComboFix 07-10-21.1** - Jose 2007-10-21 1:20:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.688 [GMT -5:00]
Running from: C:\Documents and Settings\Jose\Desktop\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\WINDOWS\system32\akyircxj.dll
C:\WINDOWS\system32\arbpatvd.dll
C:\WINDOWS\system32\aufmcjus.dll
C:\WINDOWS\system32\dvtapbra.ini
C:\WINDOWS\system32\dxeltopq.ini
C:\WINDOWS\system32\ffspjrxv.dll
C:\WINDOWS\system32\flelmgfp.ini
C:\WINDOWS\system32\ggcomifs.ini
C:\WINDOWS\system32\hgitqddt.dll
C:\WINDOWS\system32\jkmfvvwt.ini
C:\WINDOWS\system32\jxcriyka.ini
C:\WINDOWS\system32\pfgmlelf.dll
C:\WINDOWS\system32\prwiwmaq.dll
C:\WINDOWS\system32\qehadlau.ini
C:\WINDOWS\system32\qpotlexd.dll
C:\WINDOWS\system32\sfimocgg.dll
C:\WINDOWS\system32\sujcmfua.ini
C:\WINDOWS\system32\tddqtigh.ini
C:\WINDOWS\system32\trwdtjcy.dll
C:\WINDOWS\system32\twvvfmkj.dll
C:\WINDOWS\system32\ualdaheq.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-09 06:16 81,332 --a------ C:\WINDOWS\system32\bass.dll
2007-10-08 20:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-08 20:27 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\SUPERAntiSpyware.com
2007-10-08 20:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-26 13:32 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-09-26 13:31 <DIR> d----c--- C:\VundoFix Backups
2007-09-26 13:27 <DIR> d-------- C:\Program Files\Common Files\Java
2007-09-26 10:31 <DIR> d-------- C:\WINDOWS\system32\GB9
2007-09-26 10:31 <DIR> d-------- C:\WINDOWS\system32\DL1
2007-09-26 09:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 09:34 <DIR> d----c--- C:\Hijackthis
2007-09-25 23:51 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\BearShare
2007-09-21 01:29 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-09-21 01:29 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-21 01:29 89,088 --a------ C:\WINDOWS\system32\atl71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 01:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-26 18:27 --------- d-----w C:\Program Files\Java
2007-09-26 18:14 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-26 18:14 --------- d-----w C:\Program Files\Viewpoint
2007-09-26 14:52 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-13 04:39 --------- d-----w C:\Program Files\MSN Messenger
2007-02-24 02:55 1,397,554 -c--a-w C:\Documents and Settings\Jose\WoW-2.0.8.6403-to-0.0.10.6422-enUS-patch.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-26_ 95950.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-20 05:47:22 109,056 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 11:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-09 01:27:46 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-09 01:27:46 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-09 01:27:46 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-09-26 01:34:08 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-10 02:13:19 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-09-26 01:34:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-10 02:13:19 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-26 01:34:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-10 02:13:19 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-23 14:13:54 9,814 ----a-w C:\WINDOWS\system32\GB9\wrdrvrdl23.exe
- 2003-08-20 00:41:26 24,673 -c--a-w C:\WINDOWS\system32\java.exe
+ 2007-07-12 06:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-08-20 00:41:28 28,771 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2007-07-12 06:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-07-12 07:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2003-07-30 12:00:00 1,388,544 ----a-w C:\WINDOWS\system32\msvbvm60.dll
+ 2002-09-04 02:33:38 1,394,688 ----a-w C:\WINDOWS\system32\msvbvm60.dll
- 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 19:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4b7c213c-b627-4975-af76-1b8aa21a66b3}]
C:\WINDOWS\System32\wxeusvn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2003-11-12 06:54]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 00:00]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56]
"sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [2003-08-22 12:22]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 19:32]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 12:43 C:\WINDOWS\AGRSMMSG.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ares"="D:\Program Files\Ares\Ares.exe" [2006-02-11 17:37]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"Steam"="D:\steam\Steam.exe" [2007-10-04 21:06]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkkii]
pmnkkii.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R0 SonyLSM;LED State Service;C:\WINDOWS\System32\Drivers\SonyLSM.sys
R3 P17;Creative SB Audigy LS;C:\WINDOWS\System32\drivers\P17.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 14:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-01-19 23:11:59 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 01:23:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21 1:25:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 21:52
C:\ComboFix2.txt ... 2007-09-26 21:52
C:\ComboFix3.txt ... 2007-09-26 10:00
.
--- E O F ---

ken545
2007-10-21, 14:41
You're back. Sorry they closed this on you, but if you don't respond in a week or so they close the thread.




REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4b7c213c-b627-4975-af76-1b8aa21a66b3}]
C:\WINDOWS\System32\wxeusvn.dll

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkkii]
pmnkkii.dll

Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad).
Name the file Regfix.reg and, in the drop-down box, save it as All Files.
Save it to your desktop.
Then right-click on the Regfix.reg file and click on Merge.
When it asks you to merge with the Registry, say yes.


C:\VundoFix Backups <-- Delete this



You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Go to this site Jotti Upload (http://virusscan.jotti.org/) and under the browse feature, browse to this file
C:\WINDOWS\system32\GB9\wrdrvrdl23.exe

Then click on upload and it will give you a report, post the report in your next reply.


System Restore makes regular backups of all your settings. If you ever had to use it to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point.

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it





Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems site (http://www.java.com/en/download/manual.jsp) and install the update.
Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.


Run this free online virus scanner and post the report
http://www.kaspersky.com/kos/english/kavwebscan.html



Let me see the file upload report and the Kaspersky report please

The rest of your log looks fine, how are things running now??
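The two entries ken545 pulls out of the ComboFix "Reg Loading Points" section above (a Browser Helper Object and a Winlogon Notify handler, both pointing at random-named DLLs in system32) are the classic Vundo/Virtumonde footprint, and the HijackThis log carries the orphaned BHO entries that also want cleaning. The Python script below is an added example, not part of the original thread and not code from ComboFix, HijackThis or Spybot: it reads ComboFix key/value blocks and HijackThis O2/O20 lines and flags (a) random-looking DLL names loaded from a system directory under one of those hooks and (b) entries whose file is already gone. The sample lines are copied from the logs in this thread, except the last O20 line, which is constructed to show how HijackThis would list the pmnkkii handler that ComboFix reported. The name heuristic (looks_random) and its thresholds are my own assumption, not a rule any of these tools apply.

```python
"""Triage of autostart entries from ComboFix "Reg Loading Points" blocks and
HijackThis O2/O20 lines. Added example; the scoring rules are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hooks that Vundo/Virtumonde-class adware abuses to get loaded by winlogon and
# the browser. Only these locations are scored, so the weak name heuristic
# below never fires on ordinary Run entries.
SENSITIVE_KEYS = ("browser helper objects", "winlogon\\notify", "shellexecutehooks")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
VOWELS = "aeiouy"

COMBOFIX_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_PREFIX = re.compile(r'^"[^"]*"=\s*')          # strips  "{clsid}"=  before a path
PATH_IN_VALUE = re.compile(r"^(.*?\.dll)", re.IGNORECASE)
HJT_LINE = re.compile(r"^(O2|O20) - (?:BHO|Winlogon Notify): (.+?) - (.+)$")


@dataclass
class Finding:
    location: str   # registry key (ComboFix) or a key synthesized from an HJT line
    path: str       # DLL path exactly as logged
    reason: str


def dll_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(filename: str) -> bool:
    """Assumed heuristic for generated names: 6-9 lowercase letters, no digits,
    and either a run of 4+ consonants or under 30% vowels. On its own it is
    noisy (it trips on sdhelper.dll), which is why assess() only applies it
    inside a sensitive hook *and* a system directory."""
    m = re.fullmatch(r"([a-z]{6,9})\.dll", filename)
    if not m:
        return False
    stem = m.group(1)
    longest_consonant_run = max(len(run) for run in re.split(f"[{VOWELS}]+", stem))
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return longest_consonant_run >= 4 or vowel_ratio < 0.3


def in_system_dir(path: str) -> bool:
    p = path.lower()
    # A bare file name (as in the pmnkkii Notify entry) is resolved through the
    # loader search path, which for winlogon starts in system32.
    return "\\" not in p or p.startswith(SYSTEM_DIRS)


def assess(location: str, path: str) -> Optional[Finding]:
    if not any(k in location.lower() for k in SENSITIVE_KEYS):
        return None
    low = path.lower()
    if low == "(no file)" or "(file missing)" in low:
        return Finding(location, path, "orphaned entry, file missing: safe to remove")
    if in_system_dir(path) and looks_random(dll_name(path)):
        return Finding(location, path,
                       "random-looking DLL in a system dir under a sensitive hook (Vundo pattern)")
    return None


def triage(lines) -> List[Finding]:
    findings: List[Finding] = []
    pending_key: Optional[str] = None
    for raw in lines:
        line, f = raw.strip(), None
        if not line:
            pending_key = None
            continue
        m = COMBOFIX_KEY.match(line)
        if m:
            pending_key = m.group(1)
            continue
        if pending_key:                 # value line right after a ComboFix key header
            pm = PATH_IN_VALUE.match(VALUE_PREFIX.sub("", line))
            f = assess(pending_key, pm.group(1)) if pm else None
            pending_key = None
        elif (m := HJT_LINE.match(line)):
            kind, name, rest = m.groups()
            if kind == "O2":
                clsid, _, path = rest.partition(" - ")
                f = assess("Browser Helper Objects\\" + clsid, path)
            else:
                f = assess("Winlogon\\Notify\\" + name, rest)
        if f:
            findings.append(f)
    return findings


# Sample log lines: copied from this thread, except the final O20 line, which
# is constructed to show the HijackThis form of the pmnkkii handler.
SAMPLE_LOG = [
    r"[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4b7c213c-b627-4975-af76-1b8aa21a66b3}]",
    r"C:\WINDOWS\System32\wxeusvn.dll",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]",
    r'"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]',
    "",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]",
    r"C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    "",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkkii]",
    "pmnkkii.dll",
    "",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: pmnkkii - C:\WINDOWS\system32\pmnkkii.dll",   # constructed
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.reason}\n    {hit.location}\n    {hit.path}")
```

Run against the sample it reports the wxeusvn BHO, the pmnkkii Notify handler (from both tools) and the two dead BHO entries, and stays quiet on the Spybot and SUPERAntiSpyware hooks even though "sdhelper" alone would trip the name test. That is the point of gating on location: a random-looking name is evidence only where a DLL has no business being loaded from system32 by winlogon or the browser, and even then the file still goes to a multi-engine scanner before anything is deleted.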

blitz
2007-10-22, 02:24
Go to this site Jotti Upload and under the browse feature, browse to this file
C:\WINDOWS\system32\GB9\wrdrvrdl23.exe


I'm stuck at this part, not sure what I'm supposed to do when I get the file.

ken545
2007-10-22, 02:57
Let me tell ya, your system is picking up bad files related to the Vundo Trojan as fast as we remove them. I strongly urge you, outside of posting here, to stay off the internet until we have you clean. Also, your Windows operating system is very outdated and is not blocking this garbage from installing. Not now, but after you're clean, you need to run Windows Update and install Service Pack 2 and beyond.

Delete the copy of Combofix that you have and download the latest version, its updated on a regular basis.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad.



Folder::
C:\WINDOWS\system32\GB9



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

blitz
2007-10-22, 06:11
I've tried to install service pack 2, today actually, but it won't let me for some reason to use automatic updates. Do you have any info on what I could do to install it? Thanks.

ken545
2007-10-22, 10:39
"Not now, but after you're clean you need to run Windows Update and install Service Pack 2 and beyond."

Installing this on an infected computer can give you problems. You need to read what I take my time to post to you.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

blitz
2007-10-23, 06:38
ComboFix 07-10-21.1** - Jose 2007-10-22 23:35:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.709 [GMT -5:00]
Running from: C:\Documents and Settings\Jose\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Jose\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-09 06:16 81,332 --a------ C:\WINDOWS\system32\bass.dll
2007-10-08 20:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-08 20:27 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\SUPERAntiSpyware.com
2007-10-08 20:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-26 13:32 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-09-26 13:27 <DIR> d-------- C:\Program Files\Common Files\Java
2007-09-26 10:31 <DIR> d-------- C:\WINDOWS\system32\GB9
2007-09-26 10:31 <DIR> d-------- C:\WINDOWS\system32\DL1
2007-09-26 09:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 09:34 <DIR> d----c--- C:\Hijackthis
2007-09-25 23:51 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\BearShare

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 01:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-26 18:27 --------- d-----w C:\Program Files\Java
2007-09-26 18:14 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-26 18:14 --------- d-----w C:\Program Files\Viewpoint
2007-09-26 14:52 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-13 04:39 --------- d-----w C:\Program Files\MSN Messenger
2007-02-24 02:55 1,397,554 -c--a-w C:\Documents and Settings\Jose\WoW-2.0.8.6403-to-0.0.10.6422-enUS-patch.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-26_ 95950.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-20 05:47:22 109,056 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 11:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-09 01:27:46 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-09 01:27:46 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-09 01:27:46 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-09-26 01:34:08 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-10 02:13:19 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-09-26 01:34:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-10 02:13:19 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-23 04:34:12 1,393,213 ----a-w C:\WINDOWS\system32\GB9\ComboFix.exe
+ 2007-09-23 14:13:54 9,814 ----a-w C:\WINDOWS\system32\GB9\wrdrvrdl23.exe
- 2003-08-20 00:41:26 24,673 -c--a-w C:\WINDOWS\system32\java.exe
+ 2007-07-12 06:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-08-20 00:41:28 28,771 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2007-07-12 06:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-07-12 07:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2003-07-30 12:00:00 1,388,544 ----a-w C:\WINDOWS\system32\msvbvm60.dll
+ 2002-09-04 02:33:38 1,394,688 ----a-w C:\WINDOWS\system32\msvbvm60.dll
- 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 19:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2003-11-12 06:54]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 00:00]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56]
"sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [2003-08-22 12:22]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 19:32]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 12:43 C:\WINDOWS\AGRSMMSG.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ares"="D:\Program Files\Ares\Ares.exe" [2006-02-11 17:37]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"Steam"="D:\steam\Steam.exe" [2007-10-04 21:06]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R0 SonyLSM;LED State Service;C:\WINDOWS\System32\Drivers\SonyLSM.sys
R3 P17;Creative SB Audigy LS;C:\WINDOWS\System32\drivers\P17.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 14:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-01-19 23:11:59 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 23:36:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-22 23:36:49
C:\ComboFix-quarantined-files.txt ... 2007-09-26 21:52
C:\ComboFix2.txt ... 2007-10-21 01:25
C:\ComboFix3.txt ... 2007-09-26 21:52
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:33 PM, on 10/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\AIM95\aim.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Hijackthis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 7647 bytes

ken545
2007-10-23, 10:48
Hello,

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.


Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



C:\WINDOWS\system32\GB9

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it into your next reply.
Close OTMoveIt


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


The rest of your log looks fine :bigthumb:

Let me see the OTMoveIt log and a new HJT log please.

blitz
2007-10-23, 11:10
C:\WINDOWS\system32\GB9 moved successfully.

Created on 10/23/2007 04:09:34


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:20 AM, on 10/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ehome\ehmsas.exe
D:\Program Files\AIM95\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 7526 bytes
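
An added example, not code from this thread or from HijackThis itself: a small Python script that triages log lines in the HijackThis 2.0.2 format posted above. It picks out the kinds of entries a helper scans for by eye, namely components whose file is gone ("(no file)", "(file missing)"), Run values that name a program without a full path, and Winsock LSP entries HijackThis reports as unknown. The sample lines are constructed to match the log format, and the section handling and reason wording are my own assumptions about how to read such a log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the HijackThis 2.0.2 log above (a few
# representative lines only); it is not a complete log from the thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Entry:
    section: str            # HijackThis section code, e.g. "O4"
    detail: str             # everything after the section code
    target: Optional[str]   # file or program the entry points at, if any


@dataclass
class Finding:
    section: str
    target: str
    reason: str


_LINE_RE = re.compile(r'^(O\d+|R\d+|F\d+)\s+-\s+(.*)$')
_O4_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
_ABS_RE = re.compile(r'^[A-Za-z]:\\')   # drive-letter absolute path


def _exe_from_command(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line into an Entry; None for non-entry lines."""
    m = _LINE_RE.match(line.rstrip())
    if not m:
        return None
    section, detail = m.group(1), m.group(2)
    target = None
    if section == 'O4':                       # Run keys: [name] command line
        m4 = _O4_RE.search(detail)
        if m4:
            target = _exe_from_command(m4.group('cmd'))
    elif section == 'O10':                    # Winsock LSP: path after the colon
        target = detail.split(': ', 1)[-1]
    elif section in ('O2', 'O3', 'O9', 'O20', 'O23'):
        target = detail.rsplit(' - ', 1)[-1]  # last field is the file path
    return Entry(section, detail, target)


def triage(log_text: str) -> List[Finding]:
    """Flag entries that need a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None or e.target is None:
            continue
        t = e.target
        if t.endswith('(no file)') or t.endswith('(file missing)'):
            findings.append(Finding(e.section, t, 'orphaned entry: referenced file is absent'))
        elif e.section == 'O4' and not _ABS_RE.match(t):
            findings.append(Finding(e.section, t, 'no full path: Windows locates this program via its search path; confirm which file runs'))
        elif e.section == 'O10':
            findings.append(Finding(e.section, t, 'LSP not recognised by HijackThis; check the file publisher before acting'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:4} {f.target}\n     -> {f.reason}')
```

Orphaned entries are leftovers rather than running code, so they are the easiest items to clear; a Run value without a full path only tells you that Windows resolves the program through its search path, so confirm which file actually starts before deciding the entry is fine.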

ken545
2007-10-23, 12:58
Log looks fine :bigthumb:


Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment).
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update.
Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here: Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.


Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!


Now you're ready to install Service Pack 2, but you have to make sure all your ducks are in a row.

1. Clean System <-- You now have that.
2. Run a System Cleaner <-- See above
3. Defrag your system <-- Go to Start> All Programs> Accessories> System Tools> Defrag and defrag your C: drive.
4. Turn off all Anti Virus and Anti Spyware programs
5. Turn off your Screensaver
6. Open IE and go to Tools> Windows Update and go for it, install all critical updates including SP2 and beyond.

You can go to this site and download it directly or even order the free CD from Microsoft to install it. If you have problems installing this, Microsoft has a toll free number to call with help installing SP2; I don't have it offhand but I can find it if you need it.

http://www.microsoft.com/windowsxp/sp2/default.mspx



Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent? You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install; don't leave home without them.

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs; I wouldn't access the internet without it.


Glad we could help.

Safe Surfn
Ken

blitz
2007-10-24, 03:30
Thanks A LOT for your help, ken. I've been using Firefox since it first came out, lol. ^^

Thanks again for the help getting rid of the spyware, and helping me with installing all the updates I need to keep my system running smooth.


-blitz

ken545
2007-10-24, 04:13
You're very welcome Blitz,

Stay Well,
Ken