Kaspersky scan results, what now?!?

bmbax1
2008-05-22, 08:23
Tuesday, May 20, 2008 10:33:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788663
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 74408
Number of viruses found 6
Number of infected objects 25
Number of suspicious objects 0
Duration of the scan process 03:00:06

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05192008-122019.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\ddoctorv2\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Brett Baxter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Application Data\Last.fm\Client\iTunesPlugin.log Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{91BE518A-C18F-4E43-9F51-5722FCD92404} Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Application Data\SupportSoft\ddoctorv2\Brett Baxter\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Temp\tmp34.tmp/data0003 Infected: Trojan.Win32.BHO.cmd skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Temp\tmp34.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Temp\~DF4AE2.tmp Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Temp\~DF7327.tmp Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Temp\~DF73A3.tmp Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Temporary Internet Files\Content.IE5\RO6P8ZZM\myss_install_2[1].exe/data0003 Infected: Trojan.Win32.BHO.cmd skipped
C:\Documents and Settings\Brett Baxter\Local Settings\Temporary Internet Files\Content.IE5\RO6P8ZZM\myss_install_2[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Brett Baxter\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Brett Baxter\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Brett Baxter\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\winvi\update.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\Program Files\winvi\update.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\Program Files\winvi\update.exe NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{025299E7-433D-4D84-B432-C34DF8594535}\RP498\A0045317.exe/stream/data0006 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{025299E7-433D-4D84-B432-C34DF8594535}\RP498\A0045317.exe/stream Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{025299E7-433D-4D84-B432-C34DF8594535}\RP498\A0045317.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045633.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045633.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045806.exe/stream/data0006 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045806.exe/stream Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045806.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{025299E7-433D-4D84-B432-C34DF8594535}\RP507\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\g66.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g66.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g66.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MUI2\GI-dot4c.exe Infected: Trojan.Win32.Agent.lom skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe NSIS: infected - 4 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\{0821c49a-4f23-335d-ff81-6b576ccab385}.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\WINDOWS\Temp\mcmsc_FqKgM5vNx0kDceX Object is locked skipped
C:\WINDOWS\Temp\mcmsc_hzXNfd9FIHMfp7p Object is locked skipped
C:\WINDOWS\Temp\sqlite_JeNzoRqDxrHgYed Object is locked skipped
C:\WINDOWS\Temp\sqlite_qsYpGXv6drz2chZ Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
Scan process completed.

ken545
2008-05-22, 13:26
Hello bmbax1

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install.
Follow the prompts; by default it will install to C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe

Open HJT, choose Scan and Save a Log File, and the log will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not by starting a new thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

bmbax1
2008-05-22, 15:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:00 AM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?systempopup=true&affid=105-36&dtag=546cb71
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {10DDF526-E927-4DC7-BB9D-F90F0B8550B6} - (no file)
O2 - BHO: (no name) - {340C701D-A8AF-4CB9-BF38-20C4C14EE047} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F41FD65-EEE9-451E-B774-2D2B1877ECDE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\geBrSjIC.dll
O2 - BHO: (no name) - {93D99894-A2C5-4354-BFE9-E8CF869FFB4D} - C:\WINDOWS\system32\ssqNEvsS.dll (file missing)
O2 - BHO: (no name) - {97EF74F7-8A9F-4DED-9900-7EB5C8844B75} - (no file)
O2 - BHO: (no name) - {9A59B9D9-7F65-4F1F-AA18-35F1B3F95DB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B024C68A-DE05-47B4-9165-FEA200C9A5E6} - (no file)
O2 - BHO: (no name) - {C143FEDE-72F4-47CF-9FB2-2B0157E17C94} - (no file)
O2 - BHO: (no name) - {C46D6977-5C7F-4D3B-B498-A8208E4C8628} - C:\WINDOWS\system32\urqOIbXP.dll
O2 - BHO: (no name) - {CC11617C-259E-429c-9063-7D70B8355EBD} - (no file)
O2 - BHO: (no name) - {D72CF69D-5660-49CA-93B5-961592AB7F7B} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RecordPadRun] "C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [8c519886] rundll32.exe "C:\WINDOWS\system32\vfylkgce.dll",b
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Brett Baxter\Application Data\Deskbar_{ACB8005A-C7B0-40b6-B364-7A732714D6B5}\starter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM8f62ab1a] Rundll32.exe "C:\WINDOWS\system32\vwsuoxpr.dll",s
O4 - HKCU\..\Run: [BitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: geBrSjIC - C:\WINDOWS\SYSTEM32\geBrSjIC.dll
O23 - Service: McAfee Application Installer Cleanup (0149681211462980) (0149681211462980mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\014968~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 11510 bytes

ken545
2008-05-22, 18:33
Hello,

You have a very heavily infected computer; it's a real mess. I am looking at multiple infections on this system.

DO THIS FIRST

Disable the TeaTimer; you can re-enable it when we're done if you wish.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

Let's attack this one first. This program needs to be run from Safe Mode to be effective.

To Enter Safe Mode

Go to Start > Shut off your Computer > Restart
As the computer starts to boot up, tap the F8 key somewhat rapidly;
this will bring up a menu.
Use the up and down arrow keys to scroll to Safe Mode,
then press the Enter key on your keyboard.

Tutorial if you need it: How to boot into Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

bmbax1
2008-05-23, 05:16
SDFix: Version 1.184
Run by Brett Baxter on Thu 05/22/2008 at 09:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\tmpvc14\dllvc.log - Deleted
C:\Program Files\dbar\basis.xml - Deleted
C:\Program Files\dbar\channel.tmpl - Deleted
C:\Program Files\dbar\content.tmpl - Deleted
C:\Program Files\dbar\date.tmpl - Deleted
C:\Program Files\dbar\dbaruninst.exe - Deleted
C:\Program Files\dbar\deskbar.crc - Deleted
C:\Program Files\dbar\deskbar.inf - Deleted
C:\Program Files\dbar\edit_rss.tmpl - Deleted
C:\Program Files\dbar\local.xml - Deleted
C:\Program Files\dbar\nav1.bmp - Deleted
C:\Program Files\dbar\nav2.bmp - Deleted
C:\Program Files\dbar\new_alert.tmpl - Deleted
C:\Program Files\dbar\version.ini - Deleted
C:\Program Files\dbar\version.txt - Deleted
C:\Program Files\QdrPack\dicts.gz - Deleted
C:\Program Files\QdrPack\trgts.gz - Deleted
C:\Program Files\winvi\Uninst.exe - Deleted
C:\Program Files\winvi\update.exe - Deleted
C:\Program Files\winvi\version.ini - Deleted
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js - Deleted
C:\Program Files\winvi\dsktp\desktop.html - Deleted
C:\Program Files\winvi\dsktp\internetDetection.swf - Deleted
C:\Program Files\winvi\dsktp\settings.sol - Deleted
C:\Program Files\winvi\icons\bufferthis.ico - Deleted
C:\Program Files\winvi\icons\flashfunpages.ico - Deleted
C:\Program Files\winvi\icons\funnies.ico - Deleted
C:\Program Files\winvi\icons\funnyfunpages.ico - Deleted
C:\Program Files\winvi\icons\goodcleanvideos.ico - Deleted
C:\Program Files\winvi\icons\newfunpages.ico - Deleted
C:\Program Files\winvi\icons\positivethoughts.ico - Deleted
C:\Program Files\winvi\icons\removespyware.ico - Deleted
C:\Program Files\winvi\icons\thissiterocks.ico - Deleted
C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Program Files\dbar - Removed
Folder C:\Program Files\QdrPack - Removed
Folder C:\Program Files\winvi - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tmpvc14 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 22:01:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:Last.fm"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\ESTsoft\\ALFTP\\ALFTP.exe"="C:\\Program Files\\ESTsoft\\ALFTP\\ALFTP.exe:*:Enabled:ALFTP"
"C:\\Program Files\\Yahoo! Games\\Rock and Roll JEOPARDY!\\Rock & Roll JEOPARDY!.exe"="C:\\Program Files\\Yahoo! Games\\Rock and Roll JEOPARDY!\\Rock & Roll JEOPARDY!.exe:*:Enabled:Rock & Roll JEOPARDY!"
"C:\\Program Files\\Shockwave.com\\Rock and Roll JEOPARDY\\product\\Rock & Roll JEOPARDY!.exe"="C:\\Program Files\\Shockwave.com\\Rock and Roll JEOPARDY\\product\\Rock & Roll JEOPARDY!.exe:*:Disabled:Rock & Roll JEOPARDY!"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 23 Feb 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 7 May 2007 54,272 ...H. --- "C:\Documents and Settings\Brett Baxter\My Documents\~WRL0002.tmp"

Finished!

bmbax1
2008-05-23, 05:21
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:21 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?systempopup=true&affid=105-36&dtag=546cb71
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RecordPadRun] "C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [8c519886] rundll32.exe "C:\WINDOWS\system32\vfylkgce.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM8f62ab1a] Rundll32.exe "C:\WINDOWS\system32\vwsuoxpr.dll",s
O4 - HKCU\..\Run: [BitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 8699 bytes

ken545
2008-05-23, 11:16
Good Morning,

You did well; we just removed the SDbot worm, and now we need to get to work on removing the Vundo Trojan. So as not to overwhelm you, we will run one program at a time; there is still more to do.

Please download SuperAntiSpyware Free (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

SuperAntiSpyware scans the computer and, when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

bmbax1
2008-05-23, 19:05
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/23/2008 at 11:48 AM

Application Version : 4.1.1046

Core Rules Database Version : 3467
Trace Rules Database Version: 1458

Scan type : Complete Scan
Total Scan Time : 00:46:38

Memory items scanned : 454
Memory threats detected : 2
Registry items scanned : 5014
Registry threats detected : 32
File items scanned : 15282
File threats detected : 67

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\GEBRSJIC.DLL
C:\WINDOWS\SYSTEM32\GEBRSJIC.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BFC5CA7-EC43-46E0-AB96-2C7C13804DD6}
HKCR\CLSID\{6BFC5CA7-EC43-46E0-AB96-2C7C13804DD6}
HKCR\CLSID\{6BFC5CA7-EC43-46E0-AB96-2C7C13804DD6}\InprocServer32
HKCR\CLSID\{6BFC5CA7-EC43-46E0-AB96-2C7C13804DD6}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}
HKCR\CLSID\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}
HKCR\CLSID\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}\InprocServer32
HKCR\CLSID\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\geBrSjIC
C:\WINDOWS\SYSTEM32\SSQQGGWP.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\URQOIBXP.DLL
C:\WINDOWS\SYSTEM32\URQOIBXP.DLL

Adware.Tracking Cookie

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-1659004503-562591055-725345543-1003\Software\Microsoft\rdfa

Adware.Vundo-Variant/I
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045679.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045681.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045682.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045683.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045692.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP500\A0046026.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP502\A0046415.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046478.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046480.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046570.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046596.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046600.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046601.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP507\A0047095.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP507\A0047096.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP508\A0047240.DLL
C:\WINDOWS\SYSTEM32\DIIQETUJ.DLL
C:\WINDOWS\SYSTEM32\ENETPMEU.DLL
C:\WINDOWS\SYSTEM32\FWBHSDWJ.DLL
C:\WINDOWS\SYSTEM32\GAVOEBUE.DLL
C:\WINDOWS\SYSTEM32\HKCEALJF.DLL
C:\WINDOWS\SYSTEM32\HQCDIOLB.DLL
C:\WINDOWS\SYSTEM32\LFANGAXP.DLL
C:\WINDOWS\SYSTEM32\MCQWBMIO.DLL
C:\WINDOWS\SYSTEM32\OLUFWDAP.DLL
C:\WINDOWS\SYSTEM32\OWTQOVQA.DLL
C:\WINDOWS\SYSTEM32\UHMCISYI.DLL
C:\WINDOWS\SYSTEM32\VCDSABXC.DLL
C:\WINDOWS\SYSTEM32\XWDASXAP.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP499\A0045680.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046477.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046569.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046591.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP503\A0046597.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP508\A0047169.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP508\A0047170.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP508\A0047171.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP508\A0047172.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{025299E7-433D-4D84-B432-C34DF8594535}\RP508\A0047173.EXE
C:\WINDOWS\SYSTEM32\WSSALEXI.EXE

Rootkit.TNCore-Installer
C:\WINDOWS\SYSTEM32\MUI2\GI-DOT4C.EXE

bmbax1
2008-05-23, 19:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:02 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?systempopup=true&affid=105-36&dtag=546cb71
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {10DDF526-E927-4DC7-BB9D-F90F0B8550B6} - (no file)
O2 - BHO: (no name) - {340C701D-A8AF-4CB9-BF38-20C4C14EE047} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F41FD65-EEE9-451E-B774-2D2B1877ECDE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {93D99894-A2C5-4354-BFE9-E8CF869FFB4D} - C:\WINDOWS\system32\ssqNEvsS.dll (file missing)
O2 - BHO: (no name) - {97EF74F7-8A9F-4DED-9900-7EB5C8844B75} - (no file)
O2 - BHO: (no name) - {9A59B9D9-7F65-4F1F-AA18-35F1B3F95DB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B024C68A-DE05-47B4-9165-FEA200C9A5E6} - (no file)
O2 - BHO: (no name) - {C143FEDE-72F4-47CF-9FB2-2B0157E17C94} - (no file)
O2 - BHO: (no name) - {D72CF69D-5660-49CA-93B5-961592AB7F7B} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RecordPadRun] "C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [8c519886] rundll32.exe "C:\WINDOWS\system32\fwbhsdwj.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM8f62ab1a] Rundll32.exe "C:\WINDOWS\system32\vcdsabxc.dll",s
O4 - HKCU\..\Run: [BitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 10338 bytes

ken545
2008-05-23, 19:19
Hello,

Did you do this??
Make sure everything found has a check next to it, and press: Next <-- Important


Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {10DDF526-E927-4DC7-BB9D-F90F0B8550B6} - (no file)
O2 - BHO: (no name) - {340C701D-A8AF-4CB9-BF38-20C4C14EE047} - (no file)
O2 - BHO: (no name) - {5F41FD65-EEE9-451E-B774-2D2B1877ECDE} - (no file)
O2 - BHO: (no name) - {93D99894-A2C5-4354-BFE9-E8CF869FFB4D} - C:\WINDOWS\system32\ssqNEvsS.dll (file missing)
O2 - BHO: (no name) - {97EF74F7-8A9F-4DED-9900-7EB5C8844B75} - (no file)
O2 - BHO: (no name) - {9A59B9D9-7F65-4F1F-AA18-35F1B3F95DB3} - (no file)
O2 - BHO: (no name) - {B024C68A-DE05-47B4-9165-FEA200C9A5E6} - (no file)
O2 - BHO: (no name) - {C143FEDE-72F4-47CF-9FB2-2B0157E17C94} - (no file)
O2 - BHO: (no name) - {D72CF69D-5660-49CA-93B5-961592AB7F7B} - (no file)

O4 - HKLM\..\Run: [8c519886] rundll32.exe "C:\WINDOWS\system32\fwbhsdwj.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\vcdsabxc.dll",s


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.


This next program will get what SAS missed. This should not take too long.

Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.


Post the Malwarebytes log and a New HJT log please
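The two triage rules the helper applies to the HJT log above (O2/O3 entries that point at "(no file)" or "(file missing)" are orphaned registrations and can be fixed safely; O4 Run keys that start rundll32 on a random 8-letter DLL in system32 with a one-letter export are the Vundo-style loader pattern) can be encoded in a small parser. This is an added example, not code from the thread, from HijackThis or from any tool named here; the sample log excerpt is constructed in the HJT format (the NvCpl line is a constructed benign control, and the triage heuristics are assumptions drawn from the entries in this thread, not a tool's own signatures).

```python
"""Triage helper for HijackThis (HJT) logs.

Added example, not part of the thread or of HijackThis itself. It encodes
the two triage rules the helper applies above:
  1. O2/O3 entries whose target is "(no file)" or "(file missing)" are
     orphaned registrations; fixing them removes a dangling key only.
  2. O4 Run entries that launch rundll32 on an 8-letter, random-looking DLL
     in system32 with a one-letter export are the Vundo-style loader pattern.
Both rules are heuristics for a human reviewer, not a replacement for one.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from textwrap import dedent

# Constructed excerpt in HJT format; the NvCpl line is a constructed benign
# control, the others mirror the kind of entries seen in this thread.
SAMPLE_LOG = dedent(r"""
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {10DDF526-E927-4DC7-BB9D-F90F0B8550B6} - (no file)
    O2 - BHO: (no name) - {93D99894-A2C5-4354-BFE9-E8CF869FFB4D} - C:\WINDOWS\system32\ssqNEvsS.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [8c519886] rundll32.exe "C:\WINDOWS\system32\fwbhsdwj.dll",b
    O4 - HKLM\..\Run: [BM8f62ab1a] Rundll32.exe "C:\WINDOWS\system32\vcdsabxc.dll",s
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""")

# O2 BHO / O3 Toolbar: "<kind>: <name> - {CLSID} - <path or (no file)>"
ORPHAN_RE = re.compile(
    r"^(?P<kind>O2 - BHO|O3 - Toolbar): .* - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$"
)
# O4 Run key: "O4 - HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$"
)
# rundll32[.exe] "<dll>",<export>   (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(
    r'^(?:.*\\)?rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)\s*$',
    re.IGNORECASE,
)
# Heuristic: eight letters and nothing else, as in fwbhsdwj.dll / vcdsabxc.dll.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str
    detail: str


def is_orphan(path: str) -> bool:
    """True when an O2/O3 target no longer exists on disk per HJT."""
    p = path.strip()
    return p == "(no file)" or p.endswith("(file missing)")


def looks_like_vundo_loader(cmd: str) -> bool:
    """rundll32 + random 8-letter DLL in system32 + one-letter export."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return False
    dll = m.group("dll")
    basename = dll.replace("/", "\\").rsplit("\\", 1)[-1]
    in_system32 = "\\system32\\" in dll.lower()
    return (in_system32 and bool(RANDOM_DLL_RE.match(basename))
            and len(m.group("export")) == 1)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per HJT line that trips a rule; other lines are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ORPHAN_RE.match(line)
        if m and is_orphan(m.group("path")):
            findings.append(Finding("orphaned-entry", line,
                                    f"{m.group('kind')} points at a missing file"))
            continue
        m = RUN_RE.match(line)
        if m and looks_like_vundo_loader(m.group("cmd")):
            findings.append(Finding("rundll32-random-dll", line,
                                    f"{m.group('hive')} Run value [{m.group('key')}] "
                                    "loads a random-named DLL via rundll32"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview before reading each line."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
    print(summarize(hits))
```

On the constructed excerpt this flags the three "(no file)"/"(file missing)" entries and the two rundll32 lines, and leaves the Intel, Defender, ctfmon and NvCpl lines alone. The rundll32 rule is deliberately narrow (system32 location, 8-letter name, one-letter export) because rundll32 is also used by legitimate software; it is a hint for the reviewer, not a verdict.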

bmbax1
2008-05-23, 20:30
Malwarebytes' Anti-Malware 1.12
Database version: 782

Scan type: Quick Scan
Objects scanned: 35742
Time elapsed: 24 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gooochi (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mysearchassistant (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bce784bb-9245-ab39-71d0-3e698031a4c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f8e06ca2-ef93-70f6-fafe-f4d340e617c3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\1036a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MUI2 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spoolX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winRem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bwfkprag.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\garpkfwb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ebgdfopj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jpofdgbe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wynsmelc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clemsnyw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{7d6dbe48-3137-3a98-1903-edd4496efade}.dll-uninst.exe (Adware.Vapsup) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gside.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{0821c49a-4f23-335d-ff81-6b576ccab385}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{0821c49a-4f23-335d-ff81-6b576ccab385}.dll (Trojan.Agent) -> Quarantined and deleted successfully.

bmbax1
2008-05-23, 20:31
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:04 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?systempopup=true&affid=105-36&dtag=546cb71
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RecordPadRun] "C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 9438 bytes


Thanks for your help!

ken545
2008-05-23, 21:44
Just a few things to go over.

Do you use these and know them to be safe? The programs are in the process of being analyzed and there is no report back yet on them.

C:\Program Files\NCH Swift Sound
C:\Program Files\BitDownload


I want you to read this on Boonty Games. Some game links are a hotbed of malware; I am not saying this is where you got infected, but it could be.
http://www.castlecops.com/o23list-1744.html

Try uninstalling it via the Add Remove Programs in the Control Panel and then do this.


Go to Start> Run and type in services.msc then press Enter
Scroll down to Boonty Games
Double Click that service to open it.
Click on Stop Service.
Then change the Startup Type to Disabled.
OK your way out of the program.



Open HJT > Misc Tools > Delete an NT Service
Type in BOONTY
Then click on OK, it will ask you to reboot, do so.


C:\Program Files\Common Files\BOONTY Shared <-- Delete this folder


Reboot, run HJT and if this line is still present let me know
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe


The rest of your log looks fine, how are things running now?????

bmbax1
2008-05-23, 21:58
HJT says BOONTY was not found in the registry. Swift Sound was recommended to help Audacity run; I think it's OK. Not sure what Bit Download is, it can go probably. Things are running much better now, thanks.

bmbax1
2008-05-23, 22:04
Boonty shared still appears in the common files folder, but on a new HJT log it is not listed.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:50 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Last.fm\LastFMHelper.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?systempopup=true&affid=105-36&dtag=546cb71
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RecordPadRun] "C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 9335 bytes

ken545
2008-05-23, 22:52
Glad things are well; your log looks fine.



Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment).
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update.
Java Runtime Environment (JRE) 6 Update 6 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here: Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I need it in the future.



How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksToGo (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Been a pleasure,

Safe Surfn
Ken