
View Full Version : can't seem to get rid of virtumonde.bxg



hopoe
2008-01-29, 14:45
First of all, thank you to all the folks that make this forum work.... My problem is virtumonde bxg. I've tried everything I can to get rid of it, and it keeps coming back. I've included the HJT log, and I also have a Kaspersky log....

Please help?

thanks a ton



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:49 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\WINDOWS\eHome\ehRecvr.exe
G:\WINDOWS\eHome\ehSched.exe
G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
G:\WINDOWS\Explorer.EXE
g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
G:\Program Files\McAfee\MPF\MPFSrv.exe
G:\PROGRA~1\McAfee\MPS\mps.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\WinZip E-Mail Companion\loadwzco.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
g:\PROGRA~1\mcafee.com\agent\mcagent.exe
g:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
G:\Program Files\McAfee\MPS\mpsevh.exe
G:\Program Files\Palm\HOTSYNC.EXE
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\WINDOWS\system32\dllhost.exe
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "G:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: HotSync Manager.lnk = G:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mailcenter.comcast.net
O15 - Trusted IP range: http://208.56.133.196
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198935850437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198935759843
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - G:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - G:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - G:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - G:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9472 bytes

hopoe
2008-01-29, 15:29
I'm stumped. I've tried everything I know...
I have a Kaspersky log (took over 10 hours to run though..), as well as the HJT log (below).
I seem to be getting a lot of other infections all of a sudden too - I don't know if this is a result of the virtumonde - it keeps opening up new IE windows. I am running Spybot S&D, Windows Defender, the Comcast version of McAfee, and Kaspersky Anti-Virus 6...

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:49 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\WINDOWS\eHome\ehRecvr.exe
G:\WINDOWS\eHome\ehSched.exe
G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
G:\WINDOWS\Explorer.EXE
g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
G:\Program Files\McAfee\MPF\MPFSrv.exe
G:\PROGRA~1\McAfee\MPS\mps.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\WinZip E-Mail Companion\loadwzco.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
g:\PROGRA~1\mcafee.com\agent\mcagent.exe
g:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
G:\Program Files\McAfee\MPS\mpsevh.exe
G:\Program Files\Palm\HOTSYNC.EXE
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\WINDOWS\system32\dllhost.exe
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "G:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: HotSync Manager.lnk = G:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mailcenter.comcast.net
O15 - Trusted IP range: http://208.56.133.196
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198935850437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198935759843
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - G:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - G:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - G:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - G:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9472 bytes

ken545
2008-01-30, 03:48
Hello hopoe

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Please reply to this thread only by using the Submit Reply and not start a New Topic, or your posts will be all over the forum and we won't be able to keep track of you.

The thieves that have written Vundo have written it to go undetected by HijackThis, so we need to rename it to something else so those entries will show up on your log.

This is important, do this and post a new HijackThis log:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (looks like a man with a spyglass) and rename it to Safer.exe


Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


======================================

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop**


Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
Please do not re-connect your machine back to the Internet until Combofix has completely finished.





1. Post the Vundofix log
2. Post the Combofix log
3. Then run HJT renamed to Safer.exe and post a new log please
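
The three logs requested in this post (VundoFix, ComboFix, and the renamed HijackThis) are what a helper cross-references by hand. Below is an added Python example, not code from this forum or from any of those tools, that does the same triage over constructed excerpts copied from the logs hopoe posts later in this thread: it lists the files VundoFix could not delete, finds ComboFix load points that still name a file VundoFix already removed (a dangling registration), flags BHO and Winlogon Notify keys that ComboFix printed with no file path, and counts HijackThis O2 lines against ComboFix BHO keys to show the gap that the rename-HijackThis advice is meant to close. The function names and the report layout are my own.

```python
import re

# Constructed excerpts, copied from the VundoFix, ComboFix and HijackThis logs
# posted in this thread and trimmed to the lines that matter for the triage.
VUNDOFIX_LOG = r"""
Attempting to delete G:\WINDOWS\system32\frymasvf.dll
G:\WINDOWS\system32\frymasvf.dll Has been deleted!

Attempting to delete G:\WINDOWS\system32\mljjg.dll
G:\WINDOWS\system32\mljjg.dll Has been deleted!

Attempting to delete G:\WINDOWS\system32\rqrrsqo.dll
G:\WINDOWS\system32\rqrrsqo.dll Could not be deleted.
"""

COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{019CCE5B-A29B-43F6-A9D5-C3B2BFE0CB92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{520FE30E-327A-40C9-8F79-DE505CDEA1F0}]
G:\WINDOWS\system32\mljjg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyy]
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

# One VundoFix verdict line: "<path> Has been deleted!" or "<path> Could not be deleted."
VF_VERDICT = re.compile(r"^(?P<path>\S.*?) (?P<verdict>Has been deleted!|Could not be deleted\.)$")
# A Windows path ending in .dll or .exe inside a registry value line.
WIN_PATH = re.compile(r'[a-z]:\\[^"\[\]]+?\.(?:dll|exe)', re.IGNORECASE)


def parse_vundofix(log):
    """Map every file VundoFix acted on to True (deleted) or False (could not delete)."""
    results = {}
    for line in log.splitlines():
        m = VF_VERDICT.match(line.strip())
        if m:
            results[m.group("path")] = m.group("verdict").startswith("Has")
    return results


def parse_loading_points(section):
    """Return {registry key: [value lines]} from ComboFix's bracketed 'Reg Loading Points' keys."""
    points, key = {}, None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            points[key] = []
        elif key is not None:
            points[key].append(line)
    return points


def triage(hjt_log, vundofix_log, combofix_reg):
    """Cross-reference the three logs the way a helper does by hand."""
    deleted = parse_vundofix(vundofix_log)
    deleted_ci = {p.lower(): ok for p, ok in deleted.items()}   # Windows paths are case-insensitive
    points = parse_loading_points(combofix_reg)
    report = {
        # files the fix tool could not remove: still live, which is why VundoFix reruns at reboot
        "not_deleted": sorted(p for p, ok in deleted.items() if not ok),
        # load points that still name a file VundoFix already removed (dangling registration)
        "orphaned": [],
        # BHO / Winlogon Notify keys ComboFix printed with no file path: payload hidden or gone
        "opaque": [],
        # HijackThis showed no O2 (BHO) lines while ComboFix listed BHO keys:
        # that mismatch is what the "rename HijackThis" advice is about
        "hjt_o2_lines": sum(1 for l in hjt_log.splitlines() if l.startswith("O2 ")),
        "combofix_bho_keys": sum(1 for k in points if "Browser Helper Objects" in k),
    }
    for key, values in points.items():
        for path in WIN_PATH.findall(" ".join(values)):
            if deleted_ci.get(path.lower()) is True:
                report["orphaned"].append((key, path))
        is_stealth_slot = "Browser Helper Objects" in key or r"winlogon\notify" in key.lower()
        if not values and is_stealth_slot:
            report["opaque"].append(key)
    return report


if __name__ == "__main__":
    for heading, items in triage(HJT_LOG, VUNDOFIX_LOG, COMBOFIX_REG).items():
        print(f"{heading}: {items}")
```

Run it as-is to see the report for the excerpts; to reuse it on a real case, paste the full "Reg Loading Points" section and the full VundoFix output into the two constants. The `opaque` list is the one to act on first: a BHO CLSID or a Winlogon Notify subkey with no file behind it is exactly the kind of entry a rename-blind HijackThis run is meant to surface.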

hopoe
2008-01-30, 05:53
First of all, thanks again for the help... Here are the log files: first is Vundo, then ComboFix, then HJT (order they were run). Due to size, I'm going to split them into multiple replies...
-Thanks again James


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 9:38:35 PM 1/29/2008

Listing files found while scanning....

G:\WINDOWS\system32\frymasvf.dll
G:\WINDOWS\system32\gjjlm.ini
G:\WINDOWS\system32\gjjlm.ini2
G:\WINDOWS\system32\hjhgqqqc.dll
G:\WINDOWS\system32\jbwhjcgv.dll
G:\windows\system32\jbwhjcgv.dllbox
G:\WINDOWS\system32\mljjg.dll
G:\WINDOWS\system32\nqhasbnb.dll
G:\WINDOWS\system32\rqrrsqo.dll
G:\WINDOWS\system32\sbfdraxm.dll
G:\WINDOWS\system32\trqddoyb.dll

Beginning removal...

Attempting to delete G:\WINDOWS\system32\frymasvf.dll
G:\WINDOWS\system32\frymasvf.dll Has been deleted!

Attempting to delete G:\WINDOWS\system32\gjjlm.ini
G:\WINDOWS\system32\gjjlm.ini Has been deleted!

Attempting to delete G:\WINDOWS\system32\gjjlm.ini2
G:\WINDOWS\system32\gjjlm.ini2 Has been deleted!

Attempting to delete G:\WINDOWS\system32\hjhgqqqc.dll
G:\WINDOWS\system32\hjhgqqqc.dll Has been deleted!

Attempting to delete G:\WINDOWS\system32\jbwhjcgv.dll
G:\WINDOWS\system32\jbwhjcgv.dll Has been deleted!

Attempting to delete G:\windows\system32\jbwhjcgv.dllbox
G:\windows\system32\jbwhjcgv.dllbox Has been deleted!

Attempting to delete G:\WINDOWS\system32\mljjg.dll
G:\WINDOWS\system32\mljjg.dll Has been deleted!

Attempting to delete G:\WINDOWS\system32\nqhasbnb.dll
G:\WINDOWS\system32\nqhasbnb.dll Has been deleted!

Attempting to delete G:\WINDOWS\system32\rqrrsqo.dll
G:\WINDOWS\system32\rqrrsqo.dll Could not be deleted.

Attempting to delete G:\WINDOWS\system32\sbfdraxm.dll
G:\WINDOWS\system32\sbfdraxm.dll Has been deleted!

Attempting to delete G:\WINDOWS\system32\trqddoyb.dll
G:\WINDOWS\system32\trqddoyb.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:03:03 PM 1/29/2008

Listing files found while scanning....

No infected files were found.

hopoe
2008-01-30, 05:54
ComboFix 08-01-30.1 - James 2008-01-29 22:27:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1499 [GMT -5:00]
Running from: G:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\WINDOWS\system32\bnbsahqn.ini
G:\WINDOWS\system32\ewqwfnnh.ini
G:\WINDOWS\system32\gyvyfsju.ini
G:\WINDOWS\system32\mxardfbs.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 21:38 . 2008-01-29 22:02 <DIR> d-------- G:\VundoFix Backups
2008-01-28 15:15 . 2008-01-29 22:33 10,099,744 --ahs---- G:\WINDOWS\system32\drivers\fidbox.dat
2008-01-28 15:15 . 2008-01-29 22:33 1,171,744 --ahs---- G:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-28 15:15 . 2008-01-29 22:32 137,336 --ahs---- G:\WINDOWS\system32\drivers\fidbox.idx
2008-01-28 15:15 . 2008-01-29 22:32 111,920 --ahs---- G:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-28 15:12 . 2008-01-28 15:12 <DIR> d-------- G:\Program Files\Kaspersky Lab
2008-01-28 15:11 . 2008-01-28 15:11 <DIR> d-------- G:\KAV
2008-01-27 22:05 . 2007-02-20 16:04 2,463,976 --a------ G:\WINDOWS\system32\NPSWF32.dll
2008-01-27 22:05 . 2007-02-20 16:04 190,696 --a------ G:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-27 20:44 . 2008-01-27 20:44 <DIR> d-------- G:\Program Files\PowerISO
2008-01-27 13:39 . 2008-01-29 12:18 <DIR> d-------- G:\Program Files\Bonjour
2008-01-27 13:32 . 2008-01-27 13:32 <DIR> d-------- G:\Program Files\Common Files\Macrovision Shared
2008-01-27 07:13 . 2008-01-27 07:13 <DIR> d-------- G:\Program Files\Trend Micro
2008-01-26 16:47 . 2008-01-29 22:33 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-26 16:46 . 2008-01-26 16:46 <DIR> d-------- G:\WINDOWS\system32\Kaspersky Lab
2008-01-26 14:00 . 2008-01-28 09:13 374 --a------ G:\WINDOWS\wininit.ini
2008-01-25 14:41 . 2008-01-25 14:48 <DIR> d-------- G:\Documents and Settings\James\Application Data\Download Manager
2008-01-20 02:07 . 2008-01-20 02:07 33,292 --a------ G:\WINDOWS\system32\drivers\scdemu.sys
2008-01-19 21:08 . 2008-01-20 10:52 <DIR> d-------- G:\Documents and Settings\James\Application Data\U3
2008-01-15 19:50 . 2008-01-27 09:32 <DIR> d-------- G:\Program Files\IDM Computer Solutions
2008-01-15 19:50 . 2008-01-15 19:50 <DIR> d-------- G:\Documents and Settings\James\Application Data\IDMComp
2008-01-11 10:27 . 2008-01-11 10:27 <DIR> d-------- G:\Documents and Settings\James\Application Data\Microsoft Web Folders
2008-01-11 10:25 . 2008-01-11 10:25 <DIR> d-------- G:\WINDOWS\Twain32
2008-01-10 20:01 . 2008-01-10 20:01 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\WinZipEC
2008-01-10 19:59 . 2008-01-10 20:01 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\WinZip
2008-01-10 19:35 . 2008-01-10 20:01 <DIR> d-------- G:\Program Files\WinZip E-Mail Companion
2008-01-10 10:51 . 2008-01-10 10:51 63 --a------ G:\WINDOWS\mdm.ini
2008-01-10 10:51 . 2008-01-10 10:51 0 --a------ G:\WINDOWS\NSREX.INI
2008-01-09 09:15 . 2008-01-25 15:27 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-30 09:48 . 2007-12-30 09:48 <DIR> d-------- G:\Program Files\MSECache
2007-12-30 09:46 . 2007-12-30 09:46 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-28 14:47 . 2007-12-28 15:30 23 --a------ G:\WINDOWS\popcinfot.dat
2007-12-27 18:57 . 2007-12-27 18:57 8 --a------ G:\WINDOWS\system32\nvModes.dat
2007-12-27 18:55 . 2007-12-27 18:55 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-27 18:53 . 2007-12-27 18:53 <DIR> d-------- G:\WINDOWS\nview
2007-12-27 18:52 . 2007-12-27 18:52 <DIR> d-------- G:\NVIDIA
2007-12-27 18:52 . 2007-12-05 02:53 356,352 --a------ G:\WINDOWS\system32\NVUNINST.EXE
2007-12-27 18:07 . 2008-01-14 11:56 <DIR> d-------- G:\Program Files\Steam
2007-12-14 11:10 . 2007-12-14 11:11 <DIR> d-------- G:\Program Files\Robolab29
2007-12-10 12:23 . 2007-12-10 12:23 <DIR> d-------- G:\Program Files\Common Files\Avery
2007-12-10 12:23 . 2008-01-04 12:30 <DIR> d-------- G:\Program Files\Avery Wizard 3.1
2007-12-07 13:46 . 2007-12-07 13:46 <DIR> d-------- G:\Documents and Settings\James\Application Data\LEGO Company
2007-12-07 13:45 . 2007-12-07 13:45 <DIR> d-------- G:\Program Files\LEGO Company
2007-12-06 12:28 . 2007-12-06 12:28 <DIR> d-------- G:\Program Files\LEGO Software
2007-12-06 12:27 . 2007-12-06 12:27 <DIR> d-------- G:\VXIPNP
2007-12-06 12:27 . 2007-12-06 12:27 <DIR> d-------- G:\Program Files\National Instruments

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 03:05 --------- d-----w G:\Program Files\Common Files\Adobe
2008-01-22 19:04 --------- d-----w G:\Documents and Settings\James\Application Data\AdobeUM
2008-01-21 13:44 --------- d-----w G:\Program Files\McAfee
2008-01-20 17:01 --------- d-----w G:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-11 18:31 --------- d-----w G:\Program Files\Microsoft Works
2008-01-11 18:25 --------- d-----w G:\Program Files\GemMaster
2008-01-11 17:06 --------- d-----w G:\Program Files\MSBuild
2008-01-11 17:01 --------- d-----w G:\Program Files\Microsoft Visual Studio 8
2008-01-10 15:45 --------- d-----w G:\Program Files\microsoft frontpage
2008-01-07 14:18 --------- d-----w G:\Documents and Settings\James\Application Data\ZoomBrowser EX
2008-01-07 13:26 --------- d-----w G:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-12-24 15:25 63 ----a-w G:\WINDOWS\Fonts\Readme.txt
2007-12-05 06:41 7,435,392 ----a-w G:\WINDOWS\system32\drivers\nv4_mini.sys
2007-11-16 19:46 251 ----a-w G:\Program Files\wt3d.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{019CCE5B-A29B-43F6-A9D5-C3B2BFE0CB92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2001DB3A-8A54-4D55-A11E-BC30E5CD53FB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2265512F-DD97-4308-B38B-E5CA69A047F3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{520FE30E-327A-40C9-8F79-DE505CDEA1F0}]
G:\WINDOWS\system32\mljjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BED1F14-57E9-4E35-943F-CE1688F6CB4E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{915C18B0-7D06-40EE-836F-12A6A816AADA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F7AED5E-CE9B-4474-9F98-A63F7A382042}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA4FF881-CFAB-4BFB-BE57-B9F9B07AB40E}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"WinZip E-Mail Companion OEAPI"="G:\Program Files\WinZip E-Mail Companion\loadwzco.exe" [2007-11-19 02:00 75136]
"Acrobat Assistant 8.0"="G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"AVP"="G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"Windows Defender"="G:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"combofix"="G:\ComboFix\kmd.exe" [2004-08-10 06:00 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18 437160]

G:\Documents and Settings\James\Start Menu\Programs\Startup\
HotSync Manager.lnk - G:\Program Files\Palm\HOTSYNC.EXE [2003-07-16 19:37:26 299008]

G:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-15 09:21:10 113664]
HP Digital Imaging Monitor.lnk.disabled [2007-11-14 13:29:53 1808]
HP Image Zone Fast Start.lnk.disabled [2007-11-14 13:31:28 798]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= G:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= G:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=G:\WINDOWS\system32\NeroCheck.exe
"HP Software Update"="G:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

S3 FANTOM;LEGO MINDSTORMS NXT Driver;G:\WINDOWS\system32\DRIVERS\fantom.sys [2006-03-10 15:55]
S3 NAL;Nal Service ;G:\WINDOWS\system32\Drivers\iqvw32.sys [2004-11-02 15:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ab557ca-c6fc-11dc-bcc6-00123f6eec75}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 06:00:02 G:\WINDOWS\Tasks\McDefragTask.job"
- g:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-11-14 16:52:29 G:\WINDOWS\Tasks\McQcTask.job"
- g:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-01-30 03:36:12 G:\WINDOWS\Tasks\MP Scheduled Scan.job"
- G:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-30 03:35:34 G:\WINDOWS\Tasks\User_Feed_Synchronization-{0A413023-EE18-484D-AE15-5A6230015C49}.job"
- G:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 22:33:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
G:\Program Files\Windows Defender\MsMpEng.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\WINDOWS\eHome\ehRecvr.exe
G:\WINDOWS\eHome\ehSched.exe
G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
G:\Program Files\McAfee\MPF\MPFSrv.exe
G:\PROGRA~1\McAfee\MPS\mps.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\ehome\mcrdsvc.exe
G:\Program Files\McAfee\MPS\mpsevh.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\WINDOWS\system32\dllhost.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\WinZip E-Mail Companion\loadwzco.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\Palm\HOTSYNC.EXE
g:\PROGRA~1\mcafee.com\agent\mcagent.exe
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-01-29 22:38:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 03:38:23
ComboFix2.txt 2008-01-26 21:37:47

hopoe
2008-01-30, 05:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:54 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\WINDOWS\eHome\ehRecvr.exe
G:\WINDOWS\eHome\ehSched.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
G:\Program Files\McAfee\MPF\MPFSrv.exe
G:\PROGRA~1\McAfee\MPS\mps.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\McAfee\MPS\mpsevh.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\WINDOWS\system32\dllhost.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\WinZip E-Mail Companion\loadwzco.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\Palm\HOTSYNC.EXE
g:\PROGRA~1\mcafee.com\agent\mcagent.exe
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
G:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {019CCE5B-A29B-43F6-A9D5-C3B2BFE0CB92} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2001DB3A-8A54-4D55-A11E-BC30E5CD53FB} - (no file)
O2 - BHO: (no name) - {2265512F-DD97-4308-B38B-E5CA69A047F3} - (no file)
O2 - BHO: (no name) - {520FE30E-327A-40C9-8F79-DE505CDEA1F0} - G:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - g:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {915C18B0-7D06-40EE-836F-12A6A816AADA} - (no file)
O2 - BHO: (no name) - {9F7AED5E-CE9B-4474-9F98-A63F7A382042} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FA4FF881-CFAB-4BFB-BE57-B9F9B07AB40E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "G:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: HotSync Manager.lnk = G:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mailcenter.comcast.net
O15 - Trusted IP range: http://208.56.133.196
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198935850437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198935759843
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: ddccyyy - G:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - G:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - G:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - G:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - G:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - G:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10463 bytes

hopoe
2008-01-30, 05:58
If it isn't clear, I actually ran Vundo twice - the first time it did a bunch of removals, but had to reboot. After reboot, it ran again automagically, and the second scan resulted in no infected files found, so the last 3 lines of the log are the results of the second scan...
Thanks again!
-James

ken545
2008-01-30, 12:08
Good Morning,

You're doing well, let's do a few more things.


Disable the TeaTimer; you can re-enable it when we're done if you wish.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left-hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.




Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {019CCE5B-A29B-43F6-A9D5-C3B2BFE0CB92} - (no file)
O2 - BHO: (no name) - {2001DB3A-8A54-4D55-A11E-BC30E5CD53FB} - (no file)
O2 - BHO: (no name) - {2265512F-DD97-4308-B38B-E5CA69A047F3} - (no file)
O2 - BHO: (no name) - {520FE30E-327A-40C9-8F79-DE505CDEA1F0} - G:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {915C18B0-7D06-40EE-836F-12A6A816AADA} - (no file)
O2 - BHO: (no name) - {9F7AED5E-CE9B-4474-9F98-A63F7A382042} - (no file)
O2 - BHO: (no name) - {FA4FF881-CFAB-4BFB-BE57-B9F9B07AB40E} - (no file)

O20 - Winlogon Notify: ddccyyy - G:\WINDOWS\



Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then Next.
Read the license agreement and click I Agree.
Click Next to use the default install location. Click Install, then Finish to complete the installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!





Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment).
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update.
Java Runtime Environment (JRE) 6 Update 4 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.



Let me see a new HJT log and let me know how your system is running now?

hopoe
2008-01-30, 15:28
Good morning...
Things are looking a lot better. About the only symptom I see now is that when I boot, I get a Spybot alert that NvcpiD(aemon?) is trying to modify the registry and is being blocked. It flashes by too fast for me to actually get the whole string....

I see a lot of "no file, no name" registry entries in the log... I have McAfee, which includes a registry cleanup tool that I normally run every week or so. I've not run it because I didn't want to interfere with this round of fixes. I think (assume?) that it would take care of them, but I'm not sure...
Thank you again for all your help - this is truly amazing.
-James
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:58 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\WinZip E-Mail Companion\loadwzco.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\Palm\HOTSYNC.EXE
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\WINDOWS\eHome\ehRecvr.exe
G:\WINDOWS\eHome\ehSched.exe
G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
G:\Program Files\McAfee\MPF\MPFSrv.exe
G:\PROGRA~1\McAfee\MPS\mps.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\McAfee\MPS\mpsevh.exe
g:\PROGRA~1\mcafee.com\agent\mcagent.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
G:\WINDOWS\system32\dllhost.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {019CCE5B-A29B-43F6-A9D5-C3B2BFE0CB92} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2001DB3A-8A54-4D55-A11E-BC30E5CD53FB} - (no file)
O2 - BHO: (no name) - {2265512F-DD97-4308-B38B-E5CA69A047F3} - (no file)
O2 - BHO: (no name) - {520FE30E-327A-40C9-8F79-DE505CDEA1F0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - g:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {915C18B0-7D06-40EE-836F-12A6A816AADA} - (no file)
O2 - BHO: (no name) - {9F7AED5E-CE9B-4474-9F98-A63F7A382042} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FA4FF881-CFAB-4BFB-BE57-B9F9B07AB40E} - (no file)
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "G:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: HotSync Manager.lnk = G:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mailcenter.comcast.net
O15 - Trusted IP range: http://208.56.133.196
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198935850437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198935759843
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: ddccyyy - G:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - G:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - G:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - G:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - G:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - G:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10540 bytes

ken545
2008-01-30, 19:17
Hello,

You still have the TeaTimer in Spybot Search and Destroy enabled and that can prevent the fixes from taking.


Disable the TeaTimer; you can re-enable it when we're done if you wish.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left-hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

Make sure you reboot your system for this to take effect.


Then remove these entries with HJT.
O2 - BHO: (no name) - {019CCE5B-A29B-43F6-A9D5-C3B2BFE0CB92} - (no file)
O2 - BHO: (no name) - {2001DB3A-8A54-4D55-A11E-BC30E5CD53FB} - (no file)
O2 - BHO: (no name) - {2265512F-DD97-4308-B38B-E5CA69A047F3} - (no file)
O2 - BHO: (no name) - {520FE30E-327A-40C9-8F79-DE505CDEA1F0} - (no file)
O2 - BHO: (no name) - {915C18B0-7D06-40EE-836F-12A6A816AADA} - (no file)
O2 - BHO: (no name) - {9F7AED5E-CE9B-4474-9F98-A63F7A382042} - (no file)

O20 - Winlogon Notify: ddccyyy - G:\WINDOWS\





Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.


Post the SAS report and a New HJT log please
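The two "fix these with HJT" lists in this thread (the one after "Fix Checked" above and the one after "remove these entries with HJT" here) both single out the same kinds of HijackThis entries: O2 BHO registrations whose DLL is gone ("(no file)" or "(file missing)") and an O20 Winlogon Notify package whose path names no DLL. The script below is an added example, not code from this thread, from HijackThis or from the helper; it parses HJT log text and flags exactly those two conditions so a reviewer can cross-check a log mechanically. The sample log embedded in it is a constructed excerpt built from lines of the same shape as the logs posted above, and the matching rules are my own reading of what the helper asked to be fixed.

```python
"""Flag HijackThis (HJT) log entries that point at files which no longer exist.

Added example (not from the thread or from HijackThis). It parses O2 (Browser
Helper Object) and O20 (Winlogon Notify) lines and reports the orphaned ones:
BHOs registered without a backing DLL, and Winlogon Notify packages whose
path does not name a DLL. A leftover registration is harmless by itself, but
it is where a re-dropped DLL would be loaded from, so it is worth cleaning.
"""
import re
from dataclasses import dataclass

# Section prefix of an HJT entry line, e.g. "R0 - ...", "O2 - ...", "O23 - ...".
SECTION_RE = re.compile(r"^(R\d|O\d+)\s+-")
# O2 - BHO: <name> - {CLSID} - <path or status>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O20 - Winlogon Notify: <subkey> - <path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    line: str    # the HJT line exactly as it appears in the log
    reason: str  # why it is flagged


def parse_hjt(text):
    """Yield (section, line) for every HJT entry line, skipping the header."""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            yield m.group(1), line


def flag_orphaned(text):
    """Return the O2/O20 entries that reference a missing file."""
    findings = []
    for section, line in parse_hjt(text):
        if section == "O2":
            m = O2_RE.match(line)
            if not m:
                continue
            path = m.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding(line, "BHO registered but its DLL is absent"))
        elif section == "O20":
            m = O20_RE.match(line)
            if not m:
                continue
            if not m.group("path").lower().endswith(".dll"):
                findings.append(Finding(line, "Winlogon Notify package without a DLL path"))
    return findings


def fix_list(text):
    """The flagged lines in log order, ready to be pasted as a 'Fix Checked' list."""
    return [f.line for f in flag_orphaned(text)]


# Constructed sample excerpt: same line shapes as the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {019CCE5B-A29B-43F6-A9D5-C3B2BFE0CB92} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {520FE30E-327A-40C9-8F79-DE505CDEA1F0} - G:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: ddccyyy - G:\WINDOWS\
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in flag_orphaned(SAMPLE_LOG):
        print(f"{f.reason}:\n    {f.line}")
```

Run it against a saved HJT log by reading the file into `flag_orphaned`; entries with a real DLL path (the Adobe and Spybot BHOs in the sample) are left alone, which is the same distinction the helper drew when choosing what to fix.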

hopoe
2008-01-30, 21:19
OK, I had turned TeaTimer off, but then turned it back on when I was done. I'll do it again and leave it off until we're completely done....
thanks again
-James

hopoe
2008-01-31, 03:09
Hello again, I've done everything (and left TeaTimer off this time). Here are the logs (SUPERAntiSpyware, then HJT):
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2008 at 06:13 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 03:40:57

Memory items scanned : 560
Memory threats detected : 0
Registry items scanned : 7594
Registry threats detected : 8
File items scanned : 265206
File threats detected : 48

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{D96FDEB0-E93C-4D69-98AB-C8A66869802E}
HKCR\CLSID\{D96FDEB0-E93C-4D69-98AB-C8A66869802E}
HKCR\CLSID\{D96FDEB0-E93C-4D69-98AB-C8A66869802E}\InprocServer32
HKCR\CLSID\{D96FDEB0-E93C-4D69-98AB-C8A66869802E}\InprocServer32#ThreadingModel
G:\WINDOWS\SYSTEM32\MLJJG.DLL
HKLM\Software\Classes\CLSID\{EBD3589D-6B18-4C87-B39E-4E2ADBB8C738}
HKCR\CLSID\{EBD3589D-6B18-4C87-B39E-4E2ADBB8C738}
HKCR\CLSID\{EBD3589D-6B18-4C87-B39E-4E2ADBB8C738}\InprocServer32
HKCR\CLSID\{EBD3589D-6B18-4C87-B39E-4E2ADBB8C738}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
G:\Documents and Settings\James\Cookies\james@2o7[2].txt
G:\Documents and Settings\James\Cookies\james@doubleclick[1].txt
G:\Documents and Settings\James\Cookies\james@mediaplex[2].txt
G:\Documents and Settings\James\Cookies\james@msnportal.112.2o7[1].txt
G:\Documents and Settings\James\Cookies\james@adopt.euroclick[2].txt
G:\Documents and Settings\James\Cookies\james@ads.pointroll[1].txt
G:\Documents and Settings\James\Cookies\james@fastclick[1].txt
G:\Documents and Settings\James\Cookies\james@apmebf[1].txt
G:\Documents and Settings\James\Cookies\james@uclick[2].txt
G:\Documents and Settings\James\Cookies\james@tribalfusion[2].txt
G:\Documents and Settings\James\Cookies\james@anad.tacoda[1].txt
G:\Documents and Settings\James\Cookies\james@tacoda[2].txt
G:\Documents and Settings\James\Cookies\james@collective-media[2].txt
G:\Documents and Settings\James\Cookies\james@specificclick[1].txt
G:\Documents and Settings\James\Cookies\james@atdmt[2].txt
H:\Documents and Settings\Alicia\Cookies\alicia@statse.webtrendslive[2].txt
H:\Documents and Settings\JD\Cookies\jd@247realmedia[1].txt
H:\Documents and Settings\JD\Cookies\jd@adinterax[1].txt
H:\Documents and Settings\JD\Cookies\jd@adlegend[2].txt
H:\Documents and Settings\JD\Cookies\jd@adopt.euroclick[1].txt
H:\Documents and Settings\JD\Cookies\jd@adopt.specificclick[2].txt
H:\Documents and Settings\JD\Cookies\jd@ads.bridgetrack[1].txt
H:\Documents and Settings\JD\Cookies\jd@ads.pointroll[2].txt
H:\Documents and Settings\JD\Cookies\jd@advertising[1].txt
H:\Documents and Settings\JD\Cookies\jd@anad.tacoda[1].txt
H:\Documents and Settings\JD\Cookies\jd@atdmt[1].txt
H:\Documents and Settings\JD\Cookies\jd@atwola[1].txt
H:\Documents and Settings\JD\Cookies\jd@bizrate[1].txt
H:\Documents and Settings\JD\Cookies\jd@bs.serving-sys[2].txt
H:\Documents and Settings\JD\Cookies\jd@msnportal.112.2o7[2].txt
H:\Documents and Settings\JD\Cookies\jd@msnportalbeetoffice2007.112.2o7[1].txt
H:\Documents and Settings\JD\Cookies\jd@oasc02.247realmedia[1].txt
H:\Documents and Settings\JD\Cookies\jd@partner2profit[2].txt
H:\Documents and Settings\JD\Cookies\jd@questionmarket[2].txt
H:\Documents and Settings\JD\Cookies\jd@revsci[1].txt
H:\Documents and Settings\JD\Cookies\jd@richmedia.yahoo[1].txt
H:\Documents and Settings\JD\Cookies\jd@semdirector.112.2o7[1].txt
H:\Documents and Settings\JD\Cookies\jd@server.iad.liveperson[2].txt
H:\Documents and Settings\JD\Cookies\jd@serving-sys[2].txt
H:\Documents and Settings\JD\Cookies\jd@specificclick[1].txt
H:\Documents and Settings\JD\Cookies\jd@tacoda[1].txt
H:\Documents and Settings\JD\Cookies\jd@tremor.adbureau[2].txt
H:\Documents and Settings\JD\Cookies\jd@tribalfusion[2].txt
H:\Documents and Settings\JD\Cookies\jd@uclick[1].txt
H:\Documents and Settings\Tori\Cookies\tori@tacoda[1].txt
H:\Documents and Settings\Tori\Cookies\tori@www.burstbeacon[1].txt

Adware.ClickSpring/Yazzle
G:\WINDOWS\PREFETCH\YAZZLE1848OINADMIN.EXE-1BBAC581.PF

************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:44 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\WinZip E-Mail Companion\loadwzco.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Program Files\Palm\HOTSYNC.EXE
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\WINDOWS\eHome\ehRecvr.exe
G:\WINDOWS\eHome\ehSched.exe
G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
G:\Program Files\McAfee\MPF\MPFSrv.exe
G:\PROGRA~1\McAfee\MPS\mps.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\McAfee\MPS\mpsevh.exe
g:\PROGRA~1\mcafee.com\agent\mcagent.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
G:\WINDOWS\system32\dllhost.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - g:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FA4FF881-CFAB-4BFB-BE57-B9F9B07AB40E} - (no file)
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "G:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: HotSync Manager.lnk = G:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mailcenter.comcast.net
O15 - Trusted IP range: http://208.56.133.196
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198935850437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198935759843
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - G:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - G:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - G:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - G:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - G:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10314 bytes

ken545
2008-01-31, 04:04
Hi,

Remove these with HJT.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {FA4FF881-CFAB-4BFB-BE57-B9F9B07AB40E} - (no file)

If you want these in your Internet Explorer Trusted Zone then leave them be otherwise fix them also.
O15 - Trusted Zone: http://www.mailcenter.comcast.net
O15 - Trusted IP range: http://208.56.133.196

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -

You still have not updated your Java. Have you run CCleaner? It's a good program to run; I run it myself a few times a month.


The rest of your log looks fine, but post an HJT log, hopefully one last time, and let's make sure nothing has returned.
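
An added example, not part of this thread and not a Spybot, SUPERAntiSpyware or HijackThis component: a small Python triage script that reads HijackThis 2.0.2 log lines the way the two removal lists in this thread were read. It pulls out O2 BHO entries whose DLL is gone, O20 Winlogon Notify entries outside a known baseline (the registration point Virtumonde/Vundo uses), O15 Trusted Zone additions, O16 controls with no download URL, and IE start/search keys set to about:blank or a non-Microsoft host. The sample lines are copied from the logs posted above; the Winlogon Notify baseline and the IE host allow-list are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HJT logs quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FA4FF881-CFAB-4BFB-BE57-B9F9B07AB40E} - (no file)
O15 - Trusted Zone: http://www.mailcenter.comcast.net
O15 - Trusted IP range: http://208.56.133.196
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: ddccyyy - G:\WINDOWS\
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
"""

@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O20"
    line: str     # the log line as posted
    reason: str   # why a helper would ask about it

_LINE_RE = re.compile(r"^(R\d|O\d{1,2})\s+-\s+(.*)$")
_DPF_URL_RE = re.compile(r"\)\s*-\s*(\S*)\s*$")

# R0/R1 keys HJT reports for IE's start and search pages. about:blank or a host
# outside this set is surfaced. The allow-list is an assumption for the example.
_IE_URL_KEYS = ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL")
_IE_DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

# Winlogon Notify subkeys shipped with Windows XP plus SUPERAntiSpyware's own.
# Assumed baseline; the random-looking 'ddccyyy' from the thread is not in it.
_KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "!saswinlogon",
}

def _check_ie_url(rest):
    key, _, value = rest.partition(" = ")
    if not key.endswith(tuple("," + k for k in _IE_URL_KEYS)):
        return None  # e.g. ProxyOverride, not a page/search key
    value = value.strip()
    if value.lower() == "about:blank":
        return "IE start/search key reset to about:blank (left behind by a hijack)"
    host = (urlparse(value).hostname or "").lower()
    if host not in _IE_DEFAULT_HOSTS:
        return f"IE start/search key points at {host or value!r}"
    return None

def _check_bho(rest):
    # "BHO: <name> - {CLSID} - <dll path or (no file)>"
    parts = [p.strip() for p in rest.partition(":")[2].split(" - ")]
    if len(parts) < 3:
        return "malformed O2 entry"
    name, path = parts[0], parts[-1]
    if path == "(no file)":
        return "BHO CLSID still registered but its DLL is gone (orphan; safe to fix)"
    if name == "(no name)":
        return "unnamed BHO; check the DLL it loads"
    return None

def _check_trusted_zone(rest):
    return "added to IE's Trusted Zone; keep only if you put it there yourself"

def _check_dpf(rest):
    # "DPF: {CLSID} (Friendly name) - <download URL>"; the URL is the last field.
    m = _DPF_URL_RE.search(rest)
    if m is None:
        return "malformed O16 entry"
    if not m.group(1):
        return "ActiveX control with no download URL (stale; fix it)"
    return None

def _check_winlogon_notify(rest):
    # "Winlogon Notify: <subkey> - <dll path>". Virtumonde/Vundo registers a
    # random subkey here so winlogon.exe loads its DLL at every logon.
    subkey, _, path = rest.partition(":")[2].strip().partition(" - ")
    subkey = subkey.strip()
    if subkey.lower() in _KNOWN_NOTIFY:
        return None
    if not path.strip().lower().endswith(".dll"):
        return f"Winlogon Notify {subkey!r} with no resolvable DLL (Vundo-style persistence)"
    return f"Winlogon Notify {subkey!r} not in the known baseline"

_CHECKS = {
    "R0": _check_ie_url, "R1": _check_ie_url, "O2": _check_bho,
    "O15": _check_trusted_zone, "O16": _check_dpf, "O20": _check_winlogon_notify,
}

def triage(log_text):
    """Return the entries a helper would ask about, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _LINE_RE.match(line)
        if m is None:
            continue
        section, rest = m.groups()
        check = _CHECKS.get(section)
        reason = check(rest) if check else None
        if reason:
            findings.append(Finding(section, line, reason))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, it flags the about:blank start page, the orphaned BHO, both Trusted Zone lines, the URL-less Java control and the ddccyyy Winlogon Notify entry, and leaves the Adobe BHO, the SUPERAntiSpyware notify DLL, the Flash control and the Microsoft default pages alone, which matches the entries the helper asked to have fixed.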

hopoe
2008-01-31, 16:13
I had updated Java - I'm not sure why that last bit was left, but I did delete it. I grabbed CCleaner and ran it - it didn't find anything (except the normal cookie leftovers and such).
I'm waiting to turn teatimer back on, just to be sure...

Here's the latest HJT log:

thanks again so much!
-james

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:54 AM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\WinZip E-Mail Companion\loadwzco.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Program Files\Palm\HOTSYNC.EXE
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
G:\WINDOWS\eHome\ehRecvr.exe
G:\WINDOWS\eHome\ehSched.exe
G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
G:\Program Files\McAfee\MPF\MPFSrv.exe
G:\PROGRA~1\McAfee\MPS\mps.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\McAfee\MPS\mpsevh.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
g:\PROGRA~1\mcafee.com\agent\mcagent.exe
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
G:\WINDOWS\system32\dllhost.exe
G:\Program Files\Trend Micro\HijackThis\Safer.exe
g:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - g:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "G:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: HotSync Manager.lnk = G:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mailcenter.comcast.net
O15 - Trusted IP range: http://208.56.133.196
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198935850437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198935759843
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - G:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - G:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - G:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - G:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - G:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - g:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - G:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - G:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - G:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9853 bytes

ken545
2008-01-31, 19:19
Hello James,

Your log looks fine, but read my links for free security programs to install before you turn the TeaTimer back on; it's your call what to do. If you install Spyware Guard and Spyware Blaster ( Recommended ) do not enable the TeaTimer or they will conflict.


Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs


Glad we could help

Safe Surfn
Ken

hopoe
2008-01-31, 21:32
thank you so much for all of your help. I'm going to take your advice and go with Spyware Blaster and Guard.
Thanks again!
-James

ken545
2008-02-01, 04:04
You're very welcome James,

Stay well,

Ken

tashi
2008-02-07, 19:19
Duplicate topic:

http://forums.spybot.info/showthread.php?t=23365

Although member did not mention in this second topic, combofix was used beforehand.

Other users reading this: we ask you not to run fixes before a log has been analyzed, and if you have to, let your helper know.

Sticky topic:
NOTE: We do NOT ask Users to run fixes before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)

Thank you. ;)