Problem with virtumonde and others
Slayer_MK
2007-12-10, 21:37
Hello, thank you for taking your time to read this.
I've been having problems lately with popups while browsing and error boxes popping up telling me that I'm infected. I read the *Before you Post* sticky and followed all the directions.
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:57 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\RACLE~1\nslookup.exe
C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3516
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ivlwwmyt.dll",b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\RACLE~1\nslookup.exe" -vt ndrv
O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video Access ActiveX Object\isamntr.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197260567796
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 8018 bytes
and Kaspersky
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 10, 2007 12:16:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/12/2007
Kaspersky Anti-Virus database records: 478764
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 136126
Number of viruses found: 15
Number of infected objects: 27
Number of suspicious objects: 0
Duration of the scan process: 01:16:39
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007121020071211\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\Documents and Settings\Owner\Local Settings\Temp\D55.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Owner\Local Settings\Temp\D55.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\D5A.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Documents and Settings\Owner\Local Settings\Temp\D5A.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
C:\Documents and Settings\Owner\Local Settings\Temp\D5A.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
C:\Documents and Settings\Owner\Local Settings\Temp\D5A.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NeroDemo12065\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_d0c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\O7E3G5OP\warningiepage[1].htm Infected: not-virus:Hoax.JS.Agent.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF1804.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2FHE9VBX\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2FHE9VBX\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7LBCO9IU\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Agent.fuc skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M9Z12F3V\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PVEU680G\!update-4395[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RQCBVXYC\upd32_v14[1] Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Οracle\nslookup.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\Program Files\Outerinfo\FF\components\FF.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1\A0000024.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP2\change.log Object is locked skipped
C:\torrentDl's\Nero 7.7.5.1 Ultra\Nero 7.7.5.1 Ultra.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\torrentDl's\Nero 7.7.5.1 Ultra\Nero 7.7.5.1 Ultra.exe RAR: infected - 1 skipped
C:\WINDOWS\AVGNT.exe Infected: Trojan-Dropper.Win32.Autoit.c skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu72.exe Infected: Trojan-Downloader.Win32.Agent.fuc skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\euyknrhl.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\gttmjiih.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ibmdvmze.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
C:\WINDOWS\system32\ivlwwmyt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\spalamuq.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Thank you in advance!
-Bill
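As an added example (not part of Bill's post or of the helper's reply that follows), here is a small Python triage script that applies the kind of checks a helper applies by eye to a HijackThis log: an O4 Run value with a random hex name loading a random 8-letter DLL from system32 through rundll32 (the `ivlwwmyt.dll` entry, which the Kaspersky report above identifies as Virtumonde), a '?' or non-ASCII character inside a path (HijackThis is an ANSI program and prints '?' for the Greek letter in the `?racle` folder, which the Kaspersky report prints as `Οracle`), an autostart under `Policies\Explorer\Run` whose value is named after a system DLL, an executable running out of a user profile, and a toolbar CLSID whose DLL is gone. The sample lines are copied from the logs in the post; the regexes and thresholds are this example's own assumptions, and the 8-letter-stem rule is a heuristic that will also hit some legitimate DLLs.

```python
import re

# Constructed sample input: lines copied from the HijackThis log in the post above
# (the '?' in the ?racle path is how HijackThis rendered a non-ASCII character),
# plus the same folder as the Kaspersky report printed it, with a Greek capital
# omicron (U+039F) in place of the Latin 'O' in "Oracle".
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe",
    r"O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll",
    r"O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ivlwwmyt.dll",b',
    r'O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\RACLE~1\nslookup.exe" -vt ndrv',
    r"O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video Access ActiveX Object\isamntr.exe",
    "C:\\Program Files\\Common Files\\\u039fracle\\nslookup.exe",
]

# Assumed line shapes (HijackThis 2.0 output as seen in the post).
RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
TOOLBAR_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.IGNORECASE)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")   # Vundo-style names such as ivlwwmyt.dll
HEX_VALUE = re.compile(r"^[0-9a-f]{8}$")  # Vundo-style Run value names such as 9cf56b43


def odd_chars(path):
    """Characters that do not belong in a Windows path: anything non-ASCII
    (homoglyph folders like the Greek-omicron 'Οracle') or a literal '?', which
    is illegal in a filename and is what HijackThis prints for characters its
    ANSI output cannot represent."""
    return sorted({c for c in path if ord(c) > 127 or c == "?"})


def stem_and_ext(path):
    base = path.rsplit("\\", 1)[-1].lower()
    stem, _, ext = base.rpartition(".")
    return stem, ext


def check_path(path):
    """Findings about one file path, as (severity, reason) tuples."""
    out = []
    stem, ext = stem_and_ext(path)
    low = path.lower()
    bad = odd_chars(path)
    if bad:
        out.append(("high", f"non-ASCII or illegal character {bad} in path {path}"))
    if ext == "dll" and "\\system32\\" in low and RANDOM_STEM.match(stem):
        out.append(("high", f"random 8-letter DLL in system32: {path}"))
    if ext == "exe" and "\\documents and settings\\" in low:
        out.append(("medium", f"executable running from a user profile directory: {path}"))
    return out


def triage_line(line):
    """Findings for one HijackThis log line, as (severity, reason) tuples."""
    line = line.strip()
    if not line:
        return []
    m = TOOLBAR_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            return [("low", "toolbar CLSID registered but its DLL is gone (orphan)")]
        return []
    m = RUN_RE.match(line)
    if m:
        key, value, cmd = m.group("key", "value", "cmd")
        paths = PATH_RE.findall(cmd)
        findings = []
        if "Policies\\Explorer\\Run" in key:
            findings.append(("high", "autostart via Policies\\Explorer\\Run, a key legitimate software almost never uses"))
        if value.lower().endswith(".dll") and any(stem_and_ext(p)[1] == "exe" for p in paths):
            findings.append(("high", f"value named like a system DLL ({value}) but launches an EXE"))
        if HEX_VALUE.match(value) and cmd.lower().startswith("rundll32"):
            findings.append(("high", "random hex value name loading a DLL through rundll32 (Vundo/Virtumonde pattern)"))
        for p in paths:
            findings.extend(check_path(p))
        return findings
    # Anything else carrying a path is a "Running processes" line.
    findings = []
    for p in PATH_RE.findall(line):
        findings.extend(check_path(p))
    return findings


def triage(lines):
    """Run triage_line over a whole log; returns (severity, reason, line) tuples."""
    return [(sev, why, line.strip()) for line in lines for sev, why in triage_line(line)]


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LINES):
        print(f"[{sev:6}] {why}\n         {line}")
```

Note what the heuristics miss: the `[Cpue]` entry produces no finding, because HijackThis shows the folder as its 8.3 short name `RACLE~1`, which hides the homoglyph; only the Kaspersky report, which prints the long name, exposes it. That is why the helper asks for both logs rather than either one.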
Hello Slayer_MK
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen
You have TWO nasty infections on this system. I am going to give you some programs to run; take your time and run them in order, and I need to see the reports when you're done.
Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
=========================================
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
=========================================
Download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Boot your computer into Safemode
Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to SAFEMODE
Then press the Enter on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
=======================================
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
This is important, do this before you post a HJT log:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (it looks like a man with a spyglass) and rename it to Scanner.exe
These reports won't fit in one reply, so take as many Submit Replies as you need.
I need to see....
1. SAS log
2. Combofix log
3. Smitfraud log
4. New HJT log renamed please
Slayer_MK
2007-12-11, 19:11
Thank you for your fast response!!!!
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 12/11/2007 at 10:56 AM
Application Version : 3.9.1008
Core Rules Database Version : 3359
Trace Rules Database Version: 1358
Scan type : Complete Scan
Total Scan Time : 00:33:42
Memory items scanned : 353
Memory threats detected : 5
Registry items scanned : 5194
Registry threats detected : 126
File items scanned : 30821
File threats detected : 501
Trojan.WinFixer
C:\WINDOWS\SYSTEM32\DDCYX.DLL
C:\WINDOWS\SYSTEM32\DDCYX.DLL
HKLM\Software\Classes\CLSID\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}
HKCR\CLSID\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}
HKCR\CLSID\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}\InprocServer32
HKCR\CLSID\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}
Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\AJRQNUCS.DLL
C:\WINDOWS\SYSTEM32\AJRQNUCS.DLL
HKLM\Software\Classes\CLSID\{e855c728-5387-49bc-bc16-bae69651270e}
HKCR\CLSID\{E855C728-5387-49BC-BC16-BAE69651270E}
HKCR\CLSID\{E855C728-5387-49BC-BC16-BAE69651270E}\InprocServer32
HKCR\CLSID\{E855C728-5387-49BC-BC16-BAE69651270E}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e855c728-5387-49bc-bc16-bae69651270e}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP3\A0000107.DLL
C:\WINDOWS\SYSTEM32\GTTMJIIH.DLL
Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\SSFXYTWE.DLL
C:\WINDOWS\SYSTEM32\SSFXYTWE.DLL
Adware.eZula
C:\WINDOWS\SYSTEM32\DMMQKBPH.EXE
C:\WINDOWS\SYSTEM32\DMMQKBPH.EXE
C:\WINDOWS\Prefetch\DMMQKBPH.EXE-2AC43009.pf
Adware.ClickSpring/Resident
C:\WINDOWS\SYSTEM32\IBMDVMZE.DLL
C:\WINDOWS\SYSTEM32\IBMDVMZE.DLL
Adware.ClickSpring
[Cpue] C:\PROGRA~1\COMMON~1\RACLE~1\NSLOOKUP.EXE
C:\PROGRA~1\COMMON~1\RACLE~1\NSLOOKUP.EXE
HKLM\Software\Classes\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}
HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}
HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}\InprocServer32
HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}\InprocServer32#ThreadingModel
HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}\Programmable
HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}\TypeLib
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E389D34F-45AB-490B-DE28-3EE6768203EA}
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\!UPDATE.EXE
C:\Documents and Settings\Owner\My Documents\RACLE~1\DXPLOR~1.EXE
C:\PROGRAM FILES\COMMON FILES\RACLE~1\NSLOOKUP.EXE
C:\WINDOWS\Prefetch\NSLOOKUP.EXE-2ACEF363.pf
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSQROOM.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1\A0000024.DLL
Unclassified.Unknown Origin
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
Trojan.Downloader-Gen/DDC
HKLM\System\ControlSet001\Services\DomainService
HKLM\System\ControlSet002\Services\DomainService
HKLM\System\CurrentControlSet\Services\DomainService
C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP2\A0000070.EXE
Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@www.animeporn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@pornbilly[1].txt
C:\Documents and Settings\Owner\Cookies\owner@redorbit[2].txt
C:\Documents and Settings\Owner\Cookies\owner@cs.sexcounter[2].txt
C:\Documents and Settings\Owner\Cookies\owner@CATR0O0B.txt
C:\Documents and Settings\Owner\Cookies\owner@www.hornyoldfuckers[1].txt
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.dragonball-xxx[2].txt
C:\Documents and Settings\Owner\Cookies\owner@web-stat[2].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@roiservice[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad1.clickhype[1].txt
C:\Documents and Settings\Owner\Cookies\owner@imrworldwide[2].txt
C:\Documents and Settings\Owner\Cookies\owner@iteens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@altastat[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.softwareonline[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adprofile[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adecn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@server.cpmstar[2].txt
C:\Documents and Settings\Owner\Cookies\owner@try.screensavers[1].txt
C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.couplesseduceteens[3].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[4].txt
C:\Documents and Settings\Owner\Cookies\owner@travelnetsolutions.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@vip.clickzs[2].txt
C:\Documents and Settings\Owner\Cookies\owner@bdsm-artwork[3].txt
C:\Documents and Settings\Owner\Cookies\owner@teensforcash[1].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.teensforcash[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adultreviews[2].txt
C:\Documents and Settings\Owner\Cookies\owner@traffic.el-ladies[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adultswim[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.iteens[1].txt
C:\Documents and Settings\Owner\Cookies\owner@creaminteen[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tremor.adbureau[1].txt
C:\Documents and Settings\Owner\Cookies\owner@programs.wegcash[2].txt
C:\Documents and Settings\Owner\Cookies\owner@audit.median[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.porndvddirect[1].txt
C:\Documents and Settings\Owner\Cookies\owner@pornaccess[2].txt
C:\Documents and Settings\Owner\Cookies\owner@couplesseduceteens[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.labpixies[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[3].txt
C:\Documents and Settings\Owner\Cookies\owner@www.ticketsnow[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adultcomix[1].txt
C:\Documents and Settings\Owner\Cookies\owner@teenmoviezone[2].txt
C:\Documents and Settings\Owner\Cookies\owner@paycounter[2].txt
C:\Documents and Settings\Owner\Cookies\owner@grandpasfuckteens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@stats.privacyprotector[1].txt
C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.creaminteen[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.hardporn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adultadworld[1].txt
C:\Documents and Settings\Owner\Cookies\owner@media.funpic[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hardporn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.pornoverview[2].txt
C:\Documents and Settings\Owner\Cookies\owner@youngdumbteens[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.xxx-homemade[1].txt
C:\Documents and Settings\Owner\Cookies\owner@stan1.teenmoviezone[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.addfreestats[1].txt
C:\Documents and Settings\Owner\Cookies\owner@yadro[2].txt
C:\Documents and Settings\Owner\Cookies\owner@valueclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@paypal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@cartoonnetwork.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ticketsnow[1].txt
C:\Documents and Settings\Owner\Cookies\owner@qnsr[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adult-sex-searcher[1].txt
C:\Documents and Settings\Owner\Cookies\owner@clickthrough.wegcash[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.adreactor[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adlegend[2].txt
C:\Documents and Settings\Owner\Cookies\owner@sexyfuckgames[2].txt
C:\Documents and Settings\Owner\Cookies\owner@vipxxxcartoons[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@18virginsex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@offers.clickbooth[2].txt
C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[1].txt
C:\Documents and Settings\Owner\Cookies\owner@anat.tacoda[1].txt
C:\Documents and Settings\Owner\Cookies\owner@toplist[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.pornbilly[1].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@nextag[2].txt
C:\Documents and Settings\Owner\Cookies\owner@porndvddirect[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adinterax[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hypertracker[1].txt
C:\Documents and Settings\Owner\Cookies\owner@free.cartoonpornguide[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.mysexgames[1].txt
C:\Documents and Settings\Owner\Cookies\owner@3.adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@filthytoonfuckers[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@4.adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@67.15.239[3].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
C:\Documents and Settings\Owner\Cookies\owner@precisionclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@youngporn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sexonhawaii[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.hornymatches[2].txt
C:\Documents and Settings\Owner\Cookies\owner@partner2profit[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.allporntoons[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adsrevenue[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mo-media[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.thepornart[1].txt
C:\Documents and Settings\Owner\Cookies\owner@snagajob.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@xxxcounter[2].txt
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sexy-cartoon[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.adultswim[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.amateursexhunters[1].txt
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
C:\Documents and Settings\Owner\Cookies\owner@reduxads.valuead[2].txt
C:\Documents and Settings\Owner\Cookies\owner@shortmedia.us.intellitxt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.viva-xxx[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.cartoon-sex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.xxxmsncam[1].txt
C:\Documents and Settings\Owner\Cookies\owner@pro-market[2].txt
C:\Documents and Settings\Owner\Cookies\owner@server.lon.liveperson[3].txt
C:\Documents and Settings\Owner\Cookies\owner@cgm.adbureau[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hornymatches[1].txt
C:\Documents and Settings\Owner\Cookies\owner@galleries.bannedfamilyporn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@a.websponsors[2].txt
C:\Documents and Settings\Owner\Cookies\owner@teenxonline[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.allhomesex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.anime-porn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sexyteens.megapornmall[2].txt
C:\Documents and Settings\Owner\Cookies\owner@forums.sexyandfunny[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.couplesseduceteens[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www2.adultreviews[4].txt
C:\Documents and Settings\Owner\Cookies\owner@focalex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.free-adult-anime[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www5.addfreestats[1].txt
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.porno-city[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt
C:\Documents and Settings\Owner\Cookies\owner@vhost.oddcast[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@clicktorrent[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sex-3d[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fishsexgames[2].txt
C:\Documents and Settings\Owner\Cookies\owner@myhornycartoons[2].txt
C:\Documents and Settings\Owner\Cookies\owner@list[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.cartoonporn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.evil-fucking[2].txt
C:\Documents and Settings\Owner\Cookies\owner@banners.gipsta[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sick-porn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www6.addfreestats[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt
C:\Documents and Settings\Owner\Cookies\owner@wrigley.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hornyteens.megapornmall[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hentaicounter[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.amateurs-xxx-teens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@dash.revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@prosexxx[2].txt
C:\Documents and Settings\Owner\Cookies\owner@drunkenteenorgies[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fortunecity[2].txt
C:\Documents and Settings\Owner\Cookies\owner@freecodesource.advertserve[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.drawn-sex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@xxx.fuck-toons[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hentai-sex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.monster[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.disney-xxx[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.porncartoon[1].txt
C:\Documents and Settings\Owner\Cookies\owner@xxx.freepornotoons[1].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@eas.apm.emediate[2].txt
C:\Documents and Settings\Owner\Cookies\owner@cupolaventures.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.herfirstlesbiansex[2].txt
Slayer_MK
2007-12-11, 19:13
C:\Documents and Settings\Owner\Cookies\owner@www.fullpornlinks[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.xctrk[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fucked-in-space.nichepass[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.pstats[1].txt
C:\Documents and Settings\Owner\Cookies\owner@join.porndvddirect[1].txt
C:\Documents and Settings\Owner\Cookies\owner@webpower[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.teengee[2].txt
C:\Documents and Settings\Owner\Cookies\owner@teenhitchhikers[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adtech[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atlas.entrepreneur[1].txt
C:\Documents and Settings\Owner\Cookies\owner@xxx.toonshentai[2].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.3d-porn-thumbs[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.abum[1].txt
C:\Documents and Settings\Owner\Cookies\owner@top.disneyporn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.sex-cartoons[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.mpogonline[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.allrealitypass[1].txt
C:\Documents and Settings\Owner\Cookies\owner@admin.teenrevenue[1].txt
C:\Documents and Settings\Owner\Cookies\owner@teenhitchhikcock[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt
C:\Documents and Settings\Owner\Cookies\owner@traffic-h[2].txt
C:\Documents and Settings\Owner\Cookies\owner@click.dofantasy[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.adultcartoon[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.uncensored-sex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.allporncomics[2].txt
C:\Documents and Settings\Owner\Cookies\owner@metacafe.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.disney-sex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hentaixxxtreme[1].txt
C:\Documents and Settings\Owner\Cookies\owner@orgysexparties[2].txt
C:\Documents and Settings\Owner\Cookies\owner@superpornovoyeur[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hotlog[2].txt
C:\Documents and Settings\Owner\Cookies\owner@67.15.239[4].txt
C:\Documents and Settings\Owner\Cookies\owner@superbteensnatch[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.clubteenpix[2].txt
C:\Documents and Settings\Owner\Cookies\owner@top.comicsporn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@67.15.239[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ltds.freeporn4you[1].txt
C:\Documents and Settings\Owner\Cookies\owner@cartoonporn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.incentaclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.universalteens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@3d-adult-world[1].txt
C:\Documents and Settings\Owner\Cookies\owner@exitexchange[1].txt
C:\Documents and Settings\Owner\Cookies\owner@chokertraffic[2].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\owner@67.15.239[5].txt
C:\Documents and Settings\Owner\Cookies\owner@animesexy[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.levelclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.adultanime[2].txt
C:\Documents and Settings\Owner\Cookies\owner@clickaider[1].txt
C:\Documents and Settings\Owner\Cookies\owner@teens-girls[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.momsgotofuck[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.crackthrust[1].txt
C:\Documents and Settings\Owner\Cookies\owner@crazytoons.porno-private[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.bdsmreality[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bestsellerantivirus[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.cartoonporn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.glispa[1].txt
C:\Documents and Settings\Owner\Cookies\owner@3d-animated-incest.orporno[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ah-teens[1].txt
C:\Documents and Settings\Owner\Cookies\owner@htmlgear.tripod[1].txt
C:\Documents and Settings\Owner\Cookies\owner@incestartsex.colinsfreehost[2].txt
C:\Documents and Settings\Owner\Cookies\owner@webstat[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sexmovieset[2].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportalbeetoffice2007.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@divx.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@finnteen[1].txt
C:\Documents and Settings\Owner\Cookies\owner@67.15.239[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adv.dmv[1].txt
C:\Documents and Settings\Owner\Cookies\owner@world-sex-pics[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.gamesbannernet[1].txt
C:\Documents and Settings\Owner\Cookies\owner@findwhat[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.dark-xxx-factory[1].txt
C:\Documents and Settings\Owner\Cookies\owner@top.porn-comics[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.linuxjournal[2].txt
C:\Documents and Settings\Owner\Cookies\owner@drunk-sex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@h.starware[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fhg.best-sex-galleries[2].txt
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[2].txt
C:\Documents and Settings\Owner\Cookies\owner@icc.intellisrv[2].txt
C:\Documents and Settings\Owner\Cookies\owner@da-tracking[2].txt
C:\Documents and Settings\Owner\Cookies\owner@the18teens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.petitenudeteen[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.xplusone[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.directnetadvertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.lon.liveperson[1].txt
C:\Documents and Settings\Owner\Cookies\owner@younggirlsxxx[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.sexyteenonline[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.hardfucked[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.toon-sex-blog[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[6].txt
C:\Documents and Settings\Owner\Cookies\owner@drawn-sex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@nextbdsm[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.bdsm-gallery[2].txt
C:\Documents and Settings\Owner\Cookies\owner@sexnemo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.xxx-69-xxx[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.teensforcash[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tinyteenmodels[1].txt
C:\Documents and Settings\Owner\Cookies\owner@coolsavings[2].txt
C:\Documents and Settings\Owner\Cookies\owner@free.cartoonsxxxworld[1].txt
C:\Documents and Settings\Owner\Cookies\owner@eyewonder[2].txt
C:\Documents and Settings\Owner\Cookies\owner@comix.cartoonxxx[1].txt
C:\Documents and Settings\Owner\Cookies\owner@nagfuck[2].txt
C:\Documents and Settings\Owner\Cookies\owner@media1.onlinewelten[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adultdisneyporn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@incest3d.porn-host[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.sexdisney[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.bunnyteens[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediamax[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.petiteteenlist[1].txt
C:\Documents and Settings\Owner\Cookies\owner@best-3d-incest.orporno[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.littlevirginteens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@stats.myspacesupport[2].txt
C:\Documents and Settings\Owner\Cookies\owner@partywildnaked[2].txt
C:\Documents and Settings\Owner\Cookies\owner@loanweb.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.entrepreneur[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hornyteenharlots[2].txt
C:\Documents and Settings\Owner\Cookies\owner@drawn-bdsm[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hqthefilmsxxx[4].txt
C:\Documents and Settings\Owner\Cookies\owner@top.fuck-toons[1].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgk4siajaaq.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@giftcertificatescom.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@leads.specificmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@extra-teens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.anime-adult[1].txt
C:\Documents and Settings\Owner\Cookies\owner@dirtyteens[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.incestsextoons[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads2.ljworld[2].txt
C:\Documents and Settings\Owner\Cookies\owner@cartoonsexlist[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.freepornhentai[1].txt
C:\Documents and Settings\Owner\Cookies\owner@galleries.drunkenteenorgies[1].txt
C:\Documents and Settings\Owner\Cookies\owner@try.starware[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tds.traffic-drive[1].txt
C:\Documents and Settings\Owner\Cookies\owner@count1.exitexchange[2].txt
C:\Documents and Settings\Owner\Cookies\owner@teenaday[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fuckfamily[1].txt
C:\Documents and Settings\Owner\Cookies\owner@incest.3d-sex-comics[2].txt
C:\Documents and Settings\Owner\Cookies\owner@anad.tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.calltoactionmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@efashionsolutions.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[8].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.outerinfoads[2].txt
C:\Documents and Settings\Owner\Cookies\owner@CALYR0AJ.txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-eset.hitbox[1].txt
C:\Documents and Settings\Owner\Cookies\owner@theteenslut[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fluidaudionetworks.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmiumczoco.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tripod[1].txt
C:\Documents and Settings\Owner\Cookies\owner@viacomedycentralrl.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@top100sexgames[1].txt
C:\Documents and Settings\Owner\Cookies\owner@CAETQDDT.txt
C:\Documents and Settings\Owner\Cookies\owner@xxxpower[1].txt
C:\Documents and Settings\Owner\Cookies\owner@3dsexclub[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.sexyhumorgames[1].txt
C:\Documents and Settings\Owner\Cookies\owner@keywordmax[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[11].txt
C:\Documents and Settings\Owner\Cookies\owner@www.3dpornlinks[1].txt
C:\Documents and Settings\Owner\Cookies\owner@stampscom.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@teens-hard[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.extra-teens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@validporn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads4.blastro[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.easyad[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.webpagecounter[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver5.teracent[1].txt
C:\Documents and Settings\Owner\Cookies\owner@premiumtv.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@giftscom.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@teen-titans.cartoonpornguide[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.googleadservices[7].txt
C:\Documents and Settings\Owner\Cookies\owner@a.websponsors[1].txt
C:\Documents and Settings\Owner\Cookies\owner@screensavers[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.cartoon-sex-seek[2].txt
C:\Documents and Settings\Owner\Cookies\owner@gms.adbureau[1].txt
C:\Documents and Settings\Owner\Cookies\owner@crazyxxx3dworld[3].txt
C:\Documents and Settings\Owner\Cookies\owner@www2.addfreestats[1].txt
C:\Documents and Settings\Owner\Cookies\owner@naked-cartoon[1].txt
C:\Documents and Settings\Owner\Cookies\owner@click.fantasypromotion[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.adult-empire[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.gangbangedteens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.bdsm-comics[2].txt
C:\Documents and Settings\Owner\Cookies\owner@teensex101[1].txt
C:\Documents and Settings\Owner\Cookies\owner@richmedia.yahoo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@go.sexprofit[3].txt
C:\Documents and Settings\Owner\Cookies\owner@toonc.porn-host[2].txt
C:\Documents and Settings\Owner\Cookies\owner@newmotioninc.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@1.tracking4rev[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.fpctraffic2[1].txt
C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.bridgetrack[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tagiq.clickforensics[1].txt
C:\Documents and Settings\Owner\Cookies\owner@kaboose.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www1.addfreestats[1].txt
C:\Documents and Settings\Owner\Cookies\owner@uncensored-sex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@egoteens[2].txt
C:\Documents and Settings\Owner\Cookies\owner@rambler[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.midgetteen[2].txt
C:\Documents and Settings\Owner\Cookies\owner@zoo-toons.xxxtopsex[3].txt
C:\Documents and Settings\Owner\Cookies\owner@www.googleadservices[6].txt
C:\Documents and Settings\Owner\Cookies\owner@www.googleadservices[1].txt
C:\Documents and Settings\Owner\Cookies\owner@CA7GFW5F.txt
C:\Documents and Settings\Owner\Cookies\owner@ads.joinaxxess[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www2.adultreviews[3].txt
C:\Documents and Settings\Owner\Cookies\owner@counter.surfcounters[1].txt
C:\Documents and Settings\Owner\Cookies\owner@s4.trafficmaxx[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fresh-sex-girls[2].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[9].txt
C:\Documents and Settings\Owner\Cookies\owner@stat.onestat[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.dirtyteens[1].txt
C:\Documents and Settings\Owner\Cookies\owner@stats.sellmosoft[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.admedia365[1].txt
C:\Documents and Settings\Owner\Cookies\owner@CA2YZV81.txt
C:\Documents and Settings\Owner\Cookies\owner@sitestat.mayoclinic[2].txt
C:\Documents and Settings\Owner\Cookies\owner@gcc-08.googleadservices[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.associatedcontent[2].txt
C:\Documents and Settings\Owner\Cookies\owner@banned3dsex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pubmatic[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.toons-fuck[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.realtechnetwork[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.momsonsex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@media6degrees[2].txt
C:\Documents and Settings\Owner\Cookies\owner@entrepreneur[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.googleadservices[3].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@crazy3dxxx.cartoons-xxx[1].txt
Slayer_MK
2007-12-11, 19:14
C:\Documents and Settings\Owner\Cookies\owner@data2.perf.overture[1].txt
C:\Documents and Settings\Owner\Cookies\owner@3d-incest.porn-host[1].txt
C:\Documents and Settings\Owner\Cookies\owner@orifreeporn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.gametoplist[1].txt
C:\Documents and Settings\Owner\Cookies\owner@got-fucked[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[10].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.incgamers[2].txt
C:\Documents and Settings\Owner\Cookies\owner@classifiedventures1.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[7].txt
C:\Documents and Settings\Owner\Cookies\owner@collective-media[1].txt
C:\Documents and Settings\Owner\Cookies\owner@CAZNZHXH.txt
C:\Documents and Settings\Owner\Cookies\owner@sitestat.mayoclinic[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.realtechnetwork[3].txt
C:\Documents and Settings\Owner\Cookies\owner@optimost[1].txt
C:\Documents and Settings\Owner\Cookies\owner@lynxtrack[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.hotfamilysex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@microsoftwlmessengermkt.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@CAQY8831.txt
C:\Documents and Settings\Owner\Cookies\owner@taboo.crazyxxx3dworld[1].txt
C:\Documents and Settings\Owner\Cookies\owner@path.pureadstracking[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sex-mango[1].txt
C:\Documents and Settings\Owner\Cookies\owner@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@brightcove.112.2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@eyesex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficroup[1].txt
C:\Documents and Settings\Owner\Cookies\owner@optimizer.intermarkmedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@azjmp[1].txt
C:\Documents and Settings\Owner\Cookies\owner@momsonsex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
C:\Documents and Settings\Owner\Cookies\owner@knorton13.tripod[1].txt
C:\Documents and Settings\Owner\Cookies\owner@gcc-00.googleadservices[1].txt
C:\Documents and Settings\Owner\Cookies\owner@CA295GR1.txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@a.websponsors[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad1.clickhype[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adbrite[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.addynamix[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.monster[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.revsci[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads1.revenue[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@belnk[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@dist.belnk[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@edge.ru4[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@gamestats[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@media.fastclick[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@overture[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@qnsr[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@questionmarket[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@realmedia[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@revenue[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@trafficmp[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tribalfusion[2].txt
Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
Trojan.Media-Codec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#user32.dll [ C:\Program Files\Video Access ActiveX Object\isamntr.exe ]
Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo\FF\chrome.manifest
C:\Program Files\Outerinfo\FF\components\FF.dll
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\Outerinfo\FF\components
C:\Program Files\Outerinfo\FF\install.rdf
C:\Program Files\Outerinfo\FF
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
Malware.SpyDawn
HKCR\TypeLib\{C7281808-F7C3-4BED-940F-40B9FD5784B6}
HKCR\TypeLib\{C7281808-F7C3-4BED-940F-40B9FD5784B6}\1.0
HKCR\TypeLib\{C7281808-F7C3-4BED-940F-40B9FD5784B6}\1.0\0
HKCR\TypeLib\{C7281808-F7C3-4BED-940F-40B9FD5784B6}\1.0\0\win32
HKCR\TypeLib\{C7281808-F7C3-4BED-940F-40B9FD5784B6}\1.0\FLAGS
HKCR\TypeLib\{C7281808-F7C3-4BED-940F-40B9FD5784B6}\1.0\HELPDIR
HKCR\Interface\{080C3EC1-AB54-40F3-88BE-E6FACE068CF0}
HKCR\Interface\{080C3EC1-AB54-40F3-88BE-E6FACE068CF0}\ProxyStubClsid
HKCR\Interface\{080C3EC1-AB54-40F3-88BE-E6FACE068CF0}\ProxyStubClsid32
HKCR\Interface\{080C3EC1-AB54-40F3-88BE-E6FACE068CF0}\TypeLib
HKCR\Interface\{080C3EC1-AB54-40F3-88BE-E6FACE068CF0}\TypeLib#Version
HKCR\Interface\{101981F9-8BA3-4064-949B-3C5BEB867134}
HKCR\Interface\{101981F9-8BA3-4064-949B-3C5BEB867134}\ProxyStubClsid
HKCR\Interface\{101981F9-8BA3-4064-949B-3C5BEB867134}\ProxyStubClsid32
HKCR\Interface\{101981F9-8BA3-4064-949B-3C5BEB867134}\TypeLib
HKCR\Interface\{101981F9-8BA3-4064-949B-3C5BEB867134}\TypeLib#Version
HKCR\Interface\{16992424-7AC2-47F6-8799-BF4E8EBBECC1}
HKCR\Interface\{16992424-7AC2-47F6-8799-BF4E8EBBECC1}\ProxyStubClsid
HKCR\Interface\{16992424-7AC2-47F6-8799-BF4E8EBBECC1}\ProxyStubClsid32
HKCR\Interface\{16992424-7AC2-47F6-8799-BF4E8EBBECC1}\TypeLib
HKCR\Interface\{16992424-7AC2-47F6-8799-BF4E8EBBECC1}\TypeLib#Version
HKCR\Interface\{28DC003F-7396-4B9D-8D0C-E40D8F4E3F4A}
HKCR\Interface\{28DC003F-7396-4B9D-8D0C-E40D8F4E3F4A}\ProxyStubClsid
HKCR\Interface\{28DC003F-7396-4B9D-8D0C-E40D8F4E3F4A}\ProxyStubClsid32
HKCR\Interface\{28DC003F-7396-4B9D-8D0C-E40D8F4E3F4A}\TypeLib
HKCR\Interface\{28DC003F-7396-4B9D-8D0C-E40D8F4E3F4A}\TypeLib#Version
HKCR\Interface\{3A9CCAF6-08B8-4163-8DD8-3D9200314533}
HKCR\Interface\{3A9CCAF6-08B8-4163-8DD8-3D9200314533}\ProxyStubClsid
HKCR\Interface\{3A9CCAF6-08B8-4163-8DD8-3D9200314533}\ProxyStubClsid32
HKCR\Interface\{3A9CCAF6-08B8-4163-8DD8-3D9200314533}\TypeLib
HKCR\Interface\{3A9CCAF6-08B8-4163-8DD8-3D9200314533}\TypeLib#Version
HKCR\Interface\{3F109E21-D00A-4222-9A42-4A7611122CF1}
HKCR\Interface\{3F109E21-D00A-4222-9A42-4A7611122CF1}\ProxyStubClsid
HKCR\Interface\{3F109E21-D00A-4222-9A42-4A7611122CF1}\ProxyStubClsid32
HKCR\Interface\{3F109E21-D00A-4222-9A42-4A7611122CF1}\TypeLib
HKCR\Interface\{3F109E21-D00A-4222-9A42-4A7611122CF1}\TypeLib#Version
HKCR\Interface\{4DB7B2C0-C3BE-4A1D-915B-9B04981CF4B4}
HKCR\Interface\{4DB7B2C0-C3BE-4A1D-915B-9B04981CF4B4}\ProxyStubClsid
HKCR\Interface\{4DB7B2C0-C3BE-4A1D-915B-9B04981CF4B4}\ProxyStubClsid32
HKCR\Interface\{4DB7B2C0-C3BE-4A1D-915B-9B04981CF4B4}\TypeLib
HKCR\Interface\{4DB7B2C0-C3BE-4A1D-915B-9B04981CF4B4}\TypeLib#Version
HKCR\Interface\{5FC90027-65C3-4E0C-91C7-E3D3296E3763}
HKCR\Interface\{5FC90027-65C3-4E0C-91C7-E3D3296E3763}\ProxyStubClsid
HKCR\Interface\{5FC90027-65C3-4E0C-91C7-E3D3296E3763}\ProxyStubClsid32
HKCR\Interface\{5FC90027-65C3-4E0C-91C7-E3D3296E3763}\TypeLib
HKCR\Interface\{5FC90027-65C3-4E0C-91C7-E3D3296E3763}\TypeLib#Version
HKCR\Interface\{63948A86-9227-4DAB-8AA6-CCD2111264A0}
HKCR\Interface\{63948A86-9227-4DAB-8AA6-CCD2111264A0}\ProxyStubClsid
HKCR\Interface\{63948A86-9227-4DAB-8AA6-CCD2111264A0}\ProxyStubClsid32
HKCR\Interface\{63948A86-9227-4DAB-8AA6-CCD2111264A0}\TypeLib
HKCR\Interface\{63948A86-9227-4DAB-8AA6-CCD2111264A0}\TypeLib#Version
HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}
HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}\ProxyStubClsid
HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}\ProxyStubClsid32
HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}\TypeLib
HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}\TypeLib#Version
HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}
HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}\ProxyStubClsid
HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}\ProxyStubClsid32
HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}\TypeLib
HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}\TypeLib#Version
HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}
HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}\ProxyStubClsid
HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}\ProxyStubClsid32
HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}\TypeLib
HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}\TypeLib#Version
HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}
HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}\ProxyStubClsid
HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}\ProxyStubClsid32
HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}\TypeLib
HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}\TypeLib#Version
HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}
HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}\ProxyStubClsid
HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}\ProxyStubClsid32
HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}\TypeLib
HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}\TypeLib#Version
HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}
HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}\ProxyStubClsid
HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}\ProxyStubClsid32
HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}\TypeLib
HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}\TypeLib#Version
HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}
HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}\ProxyStubClsid
HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}\ProxyStubClsid32
HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}\TypeLib
HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}\TypeLib#Version
Adware.AdSponsor/ISM
HKU\S-1-5-21-4106870390-2351743502-3898326784-1003\Software\antica
Trojan.Unclassifed/Loader-Suspicious
C:\PROGRAM FILES\GGTD2\RA 3.3\LOADER.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\SHORTCUT TO LOADER.LNK
C:\WINDOWS\Prefetch\LOADER.EXE-1FB3DD85.pf
Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\OWNER\FAVORITES\BILL\ONLINE SECURITY TEST.URL
Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP2\A0000072.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP2\A0000078.DLL
C:\WINDOWS\SYSTEM32\EUYKNRHL.DLL
Trojan.Downloader-Gen/Win
C:\WINDOWS\MROFINU72.EXE
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WNSINTSV32.EXE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:31 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!
Slayer_MK
2007-12-11, 19:15
\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197260567796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqroom - ssqroom.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 8389 bytes
Thank you for your fast reply, the rest is coming very soon.
-Bill
If you can, post the HJT log renamed in one post; I need to look at that all together.
Ken
Slayer_MK
2007-12-11, 19:29
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:31 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/gam...ts/y/et3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1197260567796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqroom - ssqroom.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 8389 bytes
Slayer_MK
2007-12-11, 19:30
ComboFix 07-12-09.1 - Owner 2007-12-11 11:16:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.118 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator.BILLNSARAH\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator.BILLNSARAH\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator.BILLNSARAH\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Owner\My Documents\RACLE~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~1\?racle\
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.
2007-12-11 09:39 . 2007-12-11 11:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-11 09:39 . 2007-12-11 09:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-11 09:39 . 2007-12-11 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-10 13:31 . 2007-12-11 09:15 758 ---hs---- C:\WINDOWS\system32\scunqrja.ini
2007-12-10 13:25 . 2007-12-10 13:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 12:22 . 2006-06-30 23:30 <DIR> d-------- C:\Documents and Settings\Administrator.BILLNSARAH\WINDOWS
2007-12-10 12:22 . 2006-07-31 11:03 <DIR> d-------- C:\Documents and Settings\Administrator.BILLNSARAH\Application Data\You've Got Pictures Screensaver
2007-12-10 12:22 . 2006-07-31 11:11 <DIR> d-------- C:\Documents and Settings\Administrator.BILLNSARAH\Application Data\SampleView
2007-12-10 08:24 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-10 08:24 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-09 22:32 . 2007-12-09 22:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-09 22:32 . 2007-12-09 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-09 20:01 . 2007-12-09 20:01 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-09 13:34 . 2007-12-10 13:23 638 ---hs---- C:\WINDOWS\system32\tymwwlvi.ini
2007-12-08 14:43 . 2007-12-08 14:43 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2007-12-08 08:48 . 2007-12-11 10:57 455,437 --ahs---- C:\WINDOWS\system32\xycdd.ini2
2007-12-08 08:48 . 2007-12-11 10:59 455,437 --ahs---- C:\WINDOWS\system32\xycdd.ini
2007-11-14 20:48 . 2007-11-14 20:48 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-14 20:47 . 2007-12-11 09:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 22:34 . 2007-12-10 21:18 <DIR> d-------- C:\Program Files\GGTD2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 04:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ventrilo
2007-12-09 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-08 15:28 --------- d-----w C:\Program Files\ggtrades
2007-12-05 01:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-12-03 19:23 --------- d-----w C:\Program Files\Diablo II
2007-11-24 20:42 4,254 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92bc260c-897a-41f8-8ac3-2ab645b41ec9}]
2007-11-18 11:20 1502232 --a------ C:\Program Files\ggtrades\tbggt1.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba04d9ab-6dc6-4998-8060-60a627792e8c}]
2007-11-18 11:20 1502232 --a------ C:\Program Files\Mystical_Knights\tbMys0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BA04D9AB-6DC6-4998-8060-60A627792E8C}"= C:\Program Files\Mystical_Knights\tbMys0.dll [2007-11-18 11:20 1502232]
"{92BC260C-897A-41F8-8AC3-2AB645B41EC9}"= C:\Program Files\ggtrades\tbggt1.dll [2007-11-18 11:20 1502232]
[HKEY_CLASSES_ROOT\clsid\{ba04d9ab-6dc6-4998-8060-60a627792e8c}]
[HKEY_CLASSES_ROOT\clsid\{92bc260c-897a-41f8-8ac3-2ab645b41ec9}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BA04D9AB-6DC6-4998-8060-60A627792E8C}"= C:\Program Files\Mystical_Knights\tbMys0.dll [2007-11-18 11:20 1502232]
"{92BC260C-897A-41F8-8AC3-2AB645B41EC9}"= C:\Program Files\ggtrades\tbggt1.dll [2007-11-18 11:20 1502232]
[HKEY_CLASSES_ROOT\clsid\{ba04d9ab-6dc6-4998-8060-60a627792e8c}]
[HKEY_CLASSES_ROOT\clsid\{92bc260c-897a-41f8-8ac3-2ab645b41ec9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Myeek"="C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 18:44 C:\WINDOWS\RTHDCPL.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 03:52]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 19:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-31 11:03]
"9cf56b43"="C:\WINDOWS\system32\ajrqnucs.dll" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqroom]
ssqroom.dll
R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09f816e9-20c0-11db-a73d-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a001031-20b3-11db-b386-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\Owner\LOCALS~1\Temp\qwfhldynAH.dll
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 11:23:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-11 11:24:48 - machine was rebooted
.
--- E O F ---
HJT in next post
Slayer_MK
2007-12-11, 19:31
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:24 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197260567796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqroom - ssqroom.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 8581 bytes
Going to do the SmitFraud step next.
-Bill
Slayer_MK
2007-12-11, 19:45
SmitFraudFix v2.261
Scan done at 11:40:38.32, Tue 12/11/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{63D96295-905D-4680-8CD9-05F36CEF2D74}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{63D96295-905D-4680-8CD9-05F36CEF2D74}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{63D96295-905D-4680-8CD9-05F36CEF2D74}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Slayer_MK
2007-12-11, 19:46
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:42 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197260567796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqroom - ssqroom.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 7618 bytes
OK, I'm off to do the ATF Cleaner step.
-Bill
Slayer_MK
2007-12-11, 19:52
OK. I completed the ATF Cleaner and it said everything had been cleared.
Here's an HJT log from right after:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:06 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197260567796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqroom - ssqroom.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 7512 bytes
Thank you for all of your help and time. I await your reply!
-Bill
Things are looking better :bigthumb:
Still a bit more to do.
C:\Program Files\ggtrades
C:\Program Files\Mystical_Knights
Both of these programs fall somewhere in the grey zone and are not recommended. Unless you use them and know them to be safe, you should uninstall both of these programs via Add/Remove Programs in the Control Panel. Sometimes, even if the program itself is safe, it is what it brings with it that can be bad.
Open HijackThis to Scan Only, close all open windows including this one, place a checkmark in the following entries and click on Fix Checked.
If you decide to keep Mystical Knights and ggtrades, then do not remove the entries related to them.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b
=====================================
Same thing here: remove the Mystical Knights and ggtrades entries if you decide to keep them; otherwise leave them in the fix.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space to the left and above File::
File::
C:\WINDOWS\system32\scunqrja.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\tymwwlvi.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\ajrqnucs.dll
Folder::
C:\Program Files\ggtrades
C:\Program Files\Mystical_Knights
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqroom]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
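The helper's instructions above boil down to a few pattern checks on the HijackThis log: a Run key whose value name is a random hex string and which loads a random-named DLL through rundll32, a Run path containing `?` (a character HJT could not render, i.e. a look-alike name), and a Winlogon Notify DLL that is listed as missing. The following script is an added example, not part of the original thread and not code from HijackThis or ComboFix; it encodes those checks so they can be run over a saved log instead of eyeballed. The sample lines are copied from the logs posted above; the heuristics, function names and `Finding` type are my own assumptions.

```python
"""Triage a HijackThis (HJT) v2 log for Virtumonde/Vundo-style persistence.

Added example for illustration; not from the original thread nor from HJT.
Only the O4 (Run key) and O20 (Winlogon Notify) line formats seen in the
posted logs are parsed; anything else is ignored.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sample lines, constructed by copying entries from the posted HJT logs
# (two benign Run keys and one benign Notify DLL are included as controls).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b',
    r'O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll',
    r'O20 - Winlogon Notify: ssqroom - ssqroom.dll (file missing)',
]

# Line grammars as printed by HJT v2.0.2 (assumed from the logs above).
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_NOTIFY = re.compile(
    r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$')

# Heuristics: an 8-hex-digit value name, or rundll32 loading an 8-lowercase-
# letter DLL, is the naming style seen in the [9cf56b43]/ajrqnucs.dll entry.
HEX_RANDOM_NAME = re.compile(r'^[0-9a-f]{8}$')
RANDOM_DLL = re.compile(r'\\[a-z]{8}\.dll\b')


@dataclass
class Finding:
    line: str
    reason: str


def check_o4(m: "re.Match[str]", line: str) -> Optional[Finding]:
    """Flag suspicious HKLM/HKCU/HKUS Run entries."""
    name, cmd = m.group('name'), m.group('cmd')
    # '?' cannot appear in a real Windows path: HJT prints it for characters it
    # cannot render, so the on-disk name is a look-alike of what is shown.
    if '?' in cmd:
        return Finding(line, "path contains '?': unrenderable look-alike characters in file name")
    if HEX_RANDOM_NAME.match(name) or ('rundll32' in cmd.lower() and RANDOM_DLL.search(cmd)):
        return Finding(line, 'random-looking value name or rundll32-loaded random-named DLL')
    return None


def check_o20(m: "re.Match[str]", line: str) -> Optional[Finding]:
    """Flag Winlogon Notify DLLs that are missing or given without a directory."""
    path, missing = m.group('path'), m.group('missing')
    if missing:
        return Finding(line, 'Winlogon Notify DLL missing on disk: dangling persistence key')
    if '\\' not in path:
        return Finding(line, 'Winlogon Notify DLL given as bare file name (resolved via search path)')
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious O4/O20 line; other lines are skipped."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip('\r\n')
        m = O4_RUN.match(line)
        if m:
            f = check_o4(m, line)
        else:
            m = O20_NOTIFY.match(line)
            f = check_o20(m, line) if m else None
        if f:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'{f.reason}\n    {f.line}')
```

Run it against a saved `hijackthis.log` by replacing `SAMPLE_LINES` with `open(path, encoding='cp1252')`; the three flagged sample lines are exactly the ones the helper told the poster to fix, while the QuickTime, ctfmon and SUPERAntiSpyware controls pass. The random-name heuristic is deliberately narrow (8 hex digits, or 8 lowercase letters in a rundll32 command) to keep false positives down; anything it misses still has to be read by hand.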
Slayer_MK
2007-12-11, 21:37
ComboFix 07-12-09.1 - Owner 2007-12-11 13:28:34.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\ajrqnucs.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\scunqrja.ini
C:\WINDOWS\system32\tymwwlvi.ini
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.
2007-12-11 11:40 . 2007-12-11 11:40 2,832 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-11 09:39 . 2007-12-11 11:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-11 09:39 . 2007-12-11 09:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-11 09:39 . 2007-12-11 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-10 13:25 . 2007-12-10 13:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 12:22 . 2006-06-30 23:30 <DIR> d-------- C:\Documents and Settings\Administrator.BILLNSARAH\WINDOWS
2007-12-10 12:22 . 2006-07-31 11:03 <DIR> d-------- C:\Documents and Settings\Administrator.BILLNSARAH\Application Data\You've Got Pictures Screensaver
2007-12-10 12:22 . 2006-07-31 11:11 <DIR> d-------- C:\Documents and Settings\Administrator.BILLNSARAH\Application Data\SampleView
2007-12-10 08:24 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-10 08:24 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-09 22:32 . 2007-12-09 22:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-09 22:32 . 2007-12-09 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-08 14:43 . 2007-12-08 14:43 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2007-11-14 20:48 . 2007-11-14 20:48 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-14 20:47 . 2007-12-11 09:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 22:34 . 2007-12-11 12:26 <DIR> d-------- C:\Program Files\GGTD2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 18:25 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-11 04:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ventrilo
2007-12-09 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-08 15:28 --------- d-----w C:\Program Files\ggtrades
2007-12-05 01:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-12-03 19:23 --------- d-----w C:\Program Files\Diablo II
2007-11-24 20:42 4,254 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92bc260c-897a-41f8-8ac3-2ab645b41ec9}]
2007-11-18 11:20 1502232 --a------ C:\Program Files\ggtrades\tbggt1.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba04d9ab-6dc6-4998-8060-60a627792e8c}]
2007-11-18 11:20 1502232 --a------ C:\Program Files\Mystical_Knights\tbMys0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BA04D9AB-6DC6-4998-8060-60A627792E8C}"= C:\Program Files\Mystical_Knights\tbMys0.dll [2007-11-18 11:20 1502232]
"{92BC260C-897A-41F8-8AC3-2AB645B41EC9}"= C:\Program Files\ggtrades\tbggt1.dll [2007-11-18 11:20 1502232]
[HKEY_CLASSES_ROOT\clsid\{ba04d9ab-6dc6-4998-8060-60a627792e8c}]
[HKEY_CLASSES_ROOT\clsid\{92bc260c-897a-41f8-8ac3-2ab645b41ec9}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BA04D9AB-6DC6-4998-8060-60A627792E8C}"= C:\Program Files\Mystical_Knights\tbMys0.dll [2007-11-18 11:20 1502232]
"{92BC260C-897A-41F8-8AC3-2AB645B41EC9}"= C:\Program Files\ggtrades\tbggt1.dll [2007-11-18 11:20 1502232]
[HKEY_CLASSES_ROOT\clsid\{ba04d9ab-6dc6-4998-8060-60a627792e8c}]
[HKEY_CLASSES_ROOT\clsid\{92bc260c-897a-41f8-8ac3-2ab645b41ec9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 18:44 C:\WINDOWS\RTHDCPL.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 03:52]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 19:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-31 11:03]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09f816e9-20c0-11db-a73d-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a001031-20b3-11db-b386-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\DOCUME~1\Owner\LOCALS~1\Temp\qwfhldynAH.dll
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 13:31:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-11 13:32:56
C:\ComboFix2.txt ... 2007-12-11 13:19
C:\ComboFix3.txt ... 2007-12-11 11:24
.
--- E O F ---
Slayer_MK
2007-12-11, 21:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:53 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197260567796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 7433 bytes
Thank you for all of your help!!!!!!!!! Computer is running great
and the Mystical Knights and GGTrades are gaming communities that I'm active with and I use their toolbars for quicker access to their forums.
-Bill
Hello Bill,
Thank you for all of your help!!!!!!!!! Computer is running great
and the Mystical Knights and GGTrades are gaming communities that I'm active with and I use their toolbars for quicker access to their forums. :bigthumb:
Glad things are running better for you, read these links on how to prevent this from happening again.
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Glad we could help
Safe Surfn
Ken
Slayer_MK
2007-12-12, 05:56
Thank you again for all the great help!
and I'll save the links for further reading.
Thank you!!!
-Bill
You're more than welcome Bill,
Take care,
Ken