Virtumonde problems



Dalmation
2009-08-23, 21:20
Hello

Spybot detected Virtumonde trojans that don't seem to go away. The previous owner had LimeWire installed. I could only uninstall it by updating it and then running the uninstall.

I did NOT run the fix on Spybot yet.

Symptoms:

1. Pop-up windows while on the web.

2. Won't let me install Windows XP updates.

3. Having trouble updating Spybot definitions too.

Thanks in advance for any help you can give me.

The Spybot and HijackThis reports follow:

--- Search result list ---
Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP

Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\system32\BdMmWHQr.ini2
Properties.size=27285
Properties.md5=A0A0B6C134136EE669B1941CF1912A4E
Properties.filedate=1251049353
Properties.filedatetext=2009-08-23 12:42:33

Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\BdMmWHQr.ini
Properties.size=27285
Properties.md5=F0D782E42326083097A98B883D514D68
Properties.filedate=1251049495
Properties.filedatetext=2009-08-23 12:44:54

DoubleClick: Tracking cookie (Internet Explorer: Iris la rosa) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-08-16 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-07-30 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-08-04 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-08-04 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-11 Includes\Malware.sbi (*)
2009-08-11 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-08-06 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-07-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-08-11 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-11 Includes\Trojans.sbi (*)
2009-08-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901190)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922760)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925454)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928090)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Update for Windows XP (KB929338)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Security Update for Windows XP (KB936021)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB938127)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB941202)
/ Windows XP / SP3: Security Update for Windows XP (KB941644)
/ Windows XP / SP3: Security Update for Windows XP (KB941693)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB943485)
/ Windows XP / SP3: Security Update for Windows XP (KB944338)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB945553)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ Windows XP / SP3: Security Update for Windows XP (KB948590)
/ Windows XP / SP3: Security Update for Windows XP (KB950749)
/ Windows XP / SP4: Update for Windows XP (KB942763)
/ Windows XP / SP4: Security Update for Windows XP (KB950759)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)


--- Startup entries list ---
Located: HK_LM:Run, AOLDialer
command: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
file: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
size: 71216
MD5: B9B78F0D9AEBCA8F717680FBABBB5FF4

Located: HK_LM:Run, eugbmlhn
command: C:\WINDOWS\system32\ywalmocc.exe
file: C:\WINDOWS\system32\ywalmocc.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, HostManager
command: C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
file: C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
size: 50736
MD5: C482C535CBFEFE722EC1EB7F11F680A3

Located: HK_LM:Run, LXSUPMON
command: C:\WINDOWS\system32\LXSUPMON.EXE RUN
file: C:\WINDOWS\system32\LXSUPMON.EXE
size: 885760
MD5: BDBD516E37761ED51E602A54873D24CD

Located: HK_LM:Run, MCAgentExe
command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
file: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 245760
MD5: C281CB23DDDFE24464652BB52DDC61A5

Located: HK_LM:Run, MCUpdateExe
command: C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
file: C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
size: 180224
MD5: 27385955E28E1E08461A1CC5C95D1DA8

Located: HK_LM:Run, Pure Networks Port Magic
command: "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
file: C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
size: 99480
MD5: BA99C608A075C44026720D5383F3D75B

Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 65024
MD5: 58ADA3BEEFE33FB8E4875A7848B1FAE4

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
size: 144784
MD5: E8C086DA635EB410FEF106CB279ADFBF

Located: HK_LM:Run, VirusScan Online
command: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
file: c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
size: 163840
MD5: 3FE1E841ED8483F7A75A1E86F6FC2216

Located: HK_LM:Run, VSOCheckTask
command: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
file: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
size: 122880
MD5: 90CF41E5D4E8D3A88D8630DA5C3B7A3A

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: F34EB5D4F145ED5FE50033CA3A41ED24

Located: HK_CU:Run, DigiFast
where: PE_C_ANGELA...
command: C:\Documents and Settings\Angela\Application Data\digifast\digifast.exe
file: C:\Documents and Settings\Angela\Application Data\digifast\digifast.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, MsnMsgr
where: PE_C_ANGELA...
command: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
file: C:\Program Files\MSN Messenger\MsnMsgr.Exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Power2GoExpress
where: PE_C_ANGELA...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, swg
where: PE_C_ANGELA...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: HK_CU:Run, LDM
where: S-1-5-21-2907212217-3545232299-329427124-1006...
command: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
file: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, msnmsgr
where: S-1-5-21-2907212217-3545232299-329427124-1006...
command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
file: C:\Program Files\MSN Messenger\msnmsgr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Power2GoExpress
where: S-1-5-21-2907212217-3545232299-329427124-1006...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, swg
where: S-1-5-21-2907212217-3545232299-329427124-1006...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: HK_CU:Run, Yahoo! Pager
where: S-1-5-21-2907212217-3545232299-329427124-1006...
command: "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
file: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: S-1-5-21-2907212217-3545232299-329427124-1006...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1

Located: Startup (common), Push Client.LNK
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Interwise\Student\pull.exe
file: C:\Program Files\Interwise\Student\pull.exe
size: 802816
MD5: ED2B0520DB9FAFF176B46B2FA4DA48E2

Located: Startup (user), ERUNT AutoBackup.lnk
where: C:\Documents and Settings\Iris la rosa\Start Menu\Programs\Startup...
command: C:\Program Files\ERUNT\AUTOBACK.EXE
file: C:\Program Files\ERUNT\AUTOBACK.EXE
size: 38912
MD5: E00DE20F0F6BED5CD2160247DDC9443B

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 11/3/2003 1:17:44 PM
Date (last access): 8/23/2009 12:20:10 PM
Date (last write): 11/3/2003 1:17:44 PM
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 6.0.1.1091

{1E7B10DA-D4B1-4E38-B29F-7F8C6AFD9444} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{2D9D98DE-AE44-4061-88D7-FE6267EAA9AB} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{41AF4BD9-8230-4FE3-8474-8F07F699B3DD} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 8/16/2009 2:34:50 PM
Date (last access): 8/23/2009 12:13:18 PM
Date (last write): 1/26/2009 3:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{6cbd815f-2cba-48f6-bc20-4ae5e0c91309} ({90319c0e-5ea4-02cb-6f84-abc2f518dbc6})
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: {90319c0e-5ea4-02cb-6f84-abc2f518dbc6}
CLSID name:
Path: C:\WINDOWS\system32\
Long name: yjopkb.dll
Short name:
Date (created): 8/6/2009 10:00:00 AM
Date (last access): 8/23/2009 12:26:36 PM
Date (last write): 8/6/2009 10:00:00 AM
Filesize: 129024
Attributes: archive
MD5: D1E1F6A6C850A285E7D0DC13429B8C03
CRC32: 91EBE3D2

{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_06\bin\
Long name: ssv.dll
Short name:
Date (created): 7/3/2008 12:21:26 PM
Date (last access): 8/23/2009 12:22:18 PM
Date (last write): 3/25/2008 4:28:02 AM
Filesize: 509328
Attributes: archive
MD5: CA1E733B9B003530C38390EDF7E05B61
CRC32: 980493E3
Version: 6.0.60.2

{86453EB5-A7DD-4556-8EF9-098146718C55} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{9394EDE7-C8B5-483E-8773-474BF36AF6E4} (ST)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: ST
Path: C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\
Long name: stmain.dll
Short name:
Date (created): 10/29/2005 11:44:26 AM
Date (last access): 8/23/2009 11:59:40 AM
Date (last write): 8/13/2004 5:42:00 PM
Filesize: 155648
Attributes: archive
MD5: 0DA1349495955CB41A5899047C5A1267
CRC32: C050EECD
Version: 1.2.3000.1001

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll, googletoolbar*.dll (* = number), googletoolbar_en_*.**-big.dll, Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: C:\Program Files\Google\Google Toolbar\
Long name: GoogleToolbar.dll
Short name: GOOGLE~1.DLL
Date (created): 5/20/2009 1:38:50 PM
Date (last access): 8/23/2009 12:22:18 PM
Date (last write): 8/16/2009 2:31:04 PM
Filesize: 259696
Attributes: archive
MD5: B2A3EE0D6570BAE9BD90892E0009A6AB
CRC32: 230192E8
Version: 6.1.1715.1442

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\
Long name: swg.dll
Short name:
Date (created): 5/20/2009 1:39:18 PM
Date (last access): 8/23/2009 12:22:18 PM
Date (last write): 5/20/2009 1:39:18 PM
Filesize: 668656
Attributes: archive
MD5: D1585B06DED161E13B905DC4FFBF7F12
CRC32: 88D5BAA5
Version: 5.1.1309.3572

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (MSNToolBandBHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: MSNToolBandBHO
Path: C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-us\
Long name: msntb.dll
Short name:
Date (created): 2/12/2006 12:38:58 AM
Date (last access): 8/23/2009 12:22:18 PM
Date (last write): 1/17/2006 5:04:16 PM
Filesize: 282624
Attributes: archive
MD5: 6B3B0C6657B3DFEAD7ABC5BFEE45B347
CRC32: 1DF31317
Version: 1.2.5000.1021

{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} (Google Dictionary Compression sdch)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Google Dictionary Compression sdch
CLSID name: Google Dictionary Compression sdch
Path: C:\Program Files\Google\Google Toolbar\Component\
Long name: fastsearch_A8904FB862BD9564.dll
Short name: FASTSE~1.DLL
Date (created): 4/29/2009 3:47:18 PM
Date (last access): 8/23/2009 12:22:18 PM
Date (last write): 4/29/2009 3:47:18 PM
Filesize: 470512
Attributes: archive
MD5: E35BCCB1D1D96F8E5B09C72AF70EC3F6
CRC32: 73C702FE
Version: 1.0.610.27482

{DB92C8AF-10C0-497C-8DAE-5AB2C573E4EB} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{DE86799A-E656-486F-A1E7-0FDC4ABC751F} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: rQHWmMdB.dll
Short name:
Date (created): 1/5/2009 12:10:48 AM
Date (last access): 8/23/2009 12:10:40 PM
Date (last write): 1/5/2009 12:10:56 AM
Filesize: 302592
Attributes: archive
MD5: 5BA82F9F36286A6D38A1A8C74EFBF169
CRC32: 1D7193A2

{E5855943-36AC-4CCC-BFAF-3360BE38C8AB} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{2B323CD9-50E3-11D3-9466-00A0C9700498} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\yacscom.inf
Codebase: http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
description: Yahoo Audio Conferencing
classification: Legitimate
known filename: YACSCOM.DLL
info link:
info source: Patrick M. Kolla

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_06
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_06\bin\
Long name: npjpi160_06.dll
Short name: NPJPI1~1.DLL
Date (created): 3/25/2008 2:37:02 AM
Date (last access): 7/4/2008 3:10:10 PM
Date (last write): 3/25/2008 4:28:02 AM
Filesize: 132496
Attributes: archive
MD5: 5522AFEAB77DD6D401F3FE5C0A46122E
CRC32: F643B062
Version: 6.0.60.2

{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Path: C:\Program Files\Java\j2re1.4.2\bin\
Long name: NPJPI142.dll
Short name:
Date (created): 6/25/2005 12:02:54 PM
Date (last access): 7/4/2008 3:10:10 PM
Date (last write): 6/25/2005 12:02:54 PM
Filesize: 65636
Attributes: archive
MD5: 4ACFBF6AB1BBE79DBD665C186B3B5AFD
CRC32: BE89D675
Version: 1.4.2.0

{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_06
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_06\bin\
Long name: npjpi160_06.dll
Short name: NPJPI1~1.DLL
Date (created): 3/25/2008 2:37:02 AM
Date (last access): 8/23/2009 12:45:06 PM
Date (last write): 3/25/2008 4:28:02 AM
Filesize: 132496
Attributes: archive
MD5: 5522AFEAB77DD6D401F3FE5C0A46122E
CRC32: F643B062
Version: 6.0.60.2

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9.ocx
Short name:
Date (created): 6/22/2006 1:44:22 PM
Date (last access): 8/23/2009 8:38:36 AM
Date (last write): 6/22/2006 1:44:22 PM
Filesize: 2201224
Attributes: readonly archive
MD5: 99F80CA1EBE95677668F54CAC6F4AD6D
CRC32: B7385E3B
Version: 9.0.16.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 420 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 472 ( 420) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 504 ( 420) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 548 ( 504) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 560 ( 504) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 732 ( 548) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 796 ( 548) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 848 ( 548) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 912 ( 548) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 988 ( 548) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1180 ( 548) C:\WINDOWS\system32\LEXBCES.EXE
size: 299008
MD5: AEEDACC6FB20FDBA95213AD3BB009B7D
PID: 1228 (1176) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1264 (1180) C:\WINDOWS\system32\LEXPPS.EXE
size: 174592
MD5: F350EE5D5761CB9A0C8B0DA8C463DE1D
PID: 1272 ( 548) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1440 ( 548) C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
size: 46640
MD5: 85180CF88C5EBAD73B452A43A004CA51
PID: 1520 ( 548) C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
size: 100016
MD5: 7FB54900AA9792AB6307C699EC1859D4
PID: 1568 ( 548) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 110592
MD5: 1961CB10BB48EB4D97E37DB6373E9E63
PID: 1580 (1520) C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
size: 46768
MD5: CAF7C2FDDADF73A02AC84C6FB6030BBF
PID: 1600 ( 548) C:\Program Files\Bonjour\mDNSResponder.exe
size: 229376
MD5: CFD4C3352E29A8B729536648466E8DF5
PID: 1644 ( 548) c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
size: 106496
MD5: B1E94B3ED8AF23AEBBC2CCFCCADBA104
PID: 1704 ( 548) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1720 ( 548) C:\WINDOWS\system32\wdfmgr.exe
size: 38912
MD5: AB0A7CA90D9E3D6A193905DC1715DED0
PID: 1920 (1228) C:\WINDOWS\SOUNDMAN.EXE
size: 65024
MD5: 58ADA3BEEFE33FB8E4875A7848B1FAE4
PID: 1964 (1228) C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
size: 50736
MD5: C482C535CBFEFE722EC1EB7F11F680A3
PID: 2044 (1228) C:\WINDOWS\system32\LXSUPMON.EXE
size: 885760
MD5: BDBD516E37761ED51E602A54873D24CD
PID: 152 (1228) C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
size: 163840
MD5: 3FE1E841ED8483F7A75A1E86F6FC2216
PID: 172 (1228) C:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 245760
MD5: C281CB23DDDFE24464652BB52DDC61A5
PID: 208 (1228) C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
size: 144784
MD5: E8C086DA635EB410FEF106CB279ADFBF
PID: 268 (1228) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
PID: 320 (1228) C:\Program Files\Interwise\Student\pull.exe
size: 802816
MD5: ED2B0520DB9FAFF176B46B2FA4DA48E2
PID: 2456 ( 848) C:\WINDOWS\system32\wscntfy.exe
size: 13824
MD5: 49911DD39E023BB6C45E4E436CFBD297
PID: 3004 (1228) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 3120 ( 548) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 3628 ( 732) C:\WINDOWS\system32\wbem\wmiprvse.exe
size: 218112
MD5: 075EA6C849AB0FE416A3D6DD65C3CF41
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 8/23/2009 12:45:04 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.raytheon.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://espanol.yahoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA732778-3F92-4347-80B3-317CFABA3550}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA732778-3F92-4347-80B3-317CFABA3550}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5BBC3DC8-51B9-49E5-82CE-3D28CA592C34}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5BBC3DC8-51B9-49E5-82CE-3D28CA592C34}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8A4D8388-9E61-444E-89D5-05C4FC1EFC59}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8A4D8388-9E61-444E-89D5-05C4FC1EFC59}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D84C4DCA-B52C-43F5-8D2F-AB838EB05CF3}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D84C4DCA-B52C-43F5-8D2F-AB838EB05CF3}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F104EFE5-8393-4E08-812B-723F73B5833E}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F104EFE5-8393-4E08-812B-723F73B5833E}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DC39CC74-6433-46D0-AA66-C0FF66D606FF}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DC39CC74-6433-46D0-AA66-C0FF66D606FF}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:38 PM, on 8/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Interwise\Student\pull.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.raytheon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://espanol.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=3082
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [eugbmlhn] C:\WINDOWS\system32\ywalmocc.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Student\pull.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: yjopkb.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe

--
End of file - 6415 bytes

Shaba
2009-08-25, 13:28
Hi Dalmation

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) ... by sUBs.
Save it to your desktop. Alternate download link: here (http://www.forospyware.com/sUBs/dds).
Double-click the tool to run it.
A black screen will open... read the contents but do nothing.
When DDS finishes... Notepad will open with 2 reports... DDS.txt and Attach.txt
Ignore the comments about zipping / attaching any of the report files. The 2 report files are not saved anywhere;
if you close Notepad before copying/pasting them... you will need to run DDS again.
Copy/paste both DDS.txt and Attach.txt reports in your next reply.
Once the reports have been posted, you can delete DDS from your desktop.

Dalmation
2009-08-25, 19:33
Thanks Shaba!

Here are the reports:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Iris la rosa at 11:05:59.95 on Tue 08/25/2009
Internet Explorer: 6.0.2900.2180

============== Pseudo HJT Report ===============

uStart Page = hxxp://forums.spybot.info/index.php
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://espanol.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=3082
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {1E7B10DA-D4B1-4E38-B29F-7F8C6AFD9444} - No File
BHO: {2D9D98DE-AE44-4061-88D7-FE6267EAA9AB} - No File
BHO: {41AF4BD9-8230-4FE3-8474-8F07F699B3DD} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {90319c0e-5ea4-02cb-6f84-abc2f518dbc6}: {6cbd815f-2cba-48f6-bc20-4ae5e0c91309} - c:\windows\system32\yjopkb.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: {86453EB5-A7DD-4556-8EF9-098146718C55} - No File
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\es-us\msntb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: {DB92C8AF-10C0-497C-8DAE-5AB2C573E4EB} - No File
BHO: {de86799a-e656-486f-a1e7-0fdc4abc751f} - c:\windows\system32\rQHWmMdB.dll
BHO: {E5855943-36AC-4CCC-BFAF-3360BE38C8AB} - No File
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\es-us\msntb.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Power2GoExpress]
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [HostManager] c:\program files\common files\aol\1119719136\ee\AOLSoftware.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [eugbmlhn] c:\windows\system32\ywalmocc.exe
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] "c:\progra~1\mcafee.com\vso\mcvsshld.exe"
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mPolicies-explorer: NoInternetIcon = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
AppInit_DLLs: yjopkb.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\rQHWmMdB

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-23 08:31 <DIR> --d----- c:\program files\Trend Micro
2009-08-19 17:40 35,959 a--sh--- c:\windows\system32\BdMmWHQr.ini2
2009-08-17 20:28 121 a--sh--- c:\windows\system32\mugqyxnp.ini
2009-08-16 20:44 508 a------- c:\windows\wininit.ini
2009-08-16 14:34 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-16 14:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-16 14:18 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-08-16 14:18 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-08-06 09:59 129,024 a------- c:\windows\system32\yjopkb.dll
2009-08-06 09:59 129,024 a------- c:\windows\system32\ktvovysl.dll
2009-08-06 09:56 129,024 a------- c:\windows\system32\tjpkomcn.dll
2009-08-06 09:56 129,024 a------- c:\windows\system32\pywzxn.dll
2009-08-06 09:54 129,024 a------- c:\windows\system32\zgwilh.dll
2009-08-06 09:54 129,024 a------- c:\windows\system32\amndndkt.dll
2009-08-06 08:53 129,024 a------- c:\windows\system32\vhjlbz.dll
2009-08-06 08:53 129,024 a------- c:\windows\system32\bmcljcoc.dll
2009-08-06 08:51 129,024 a------- c:\windows\system32\mmwmlito.dll
2009-08-06 08:51 129,024 a------- c:\windows\system32\ayyewe.dll
2009-08-06 08:49 129,024 a------- c:\windows\system32\qotckv.dll
2009-08-06 08:49 129,024 a------- c:\windows\system32\hlfduoqt.dll

==================== Find3M ====================

2007-03-01 19:21 1,262 a------- c:\program files\common files\Shortcut to 13 money money.lnk

============= FINISH: 11:08:34.23 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/12/2005 2:28:41 PM
System Uptime: 8/23/2009 12:20:53 PM (47 hours ago)

Motherboard: | | SiS-661
Processor: Intel(R) Celeron(R) CPU 2.53GHz | Socket 478 | 2534/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 69 GiB total, 59.614 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression
Barra de Herramientas MSN
Bonjour
Cnxt 2011 D850 56K V.9x DF Modem
Comprehensive Review for NCLEX-RN, 2e
ERUNT 1.1j
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Interwise Participant
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 6
Lexmark Supplies Monitor
Lexmark Z25-Z35
Lexmark Z700-P700 Series
Macromedia Shockwave Player
McAfee SecurityCenter
McAfee VirusScan
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Windows Journal Viewer
MSXML3
Obtener Yahoo! Messenger
Phoenix FirstWare Vault
Power2Go 4.0
PowerDVD
PowerStarter
Pure Networks Port Magic
QuickTime
Registro del producto WebCam Instant
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Silvestri Strategies
SiS 900 PCI Fast Ethernet Adapter Driver
Spybot - Search & Destroy
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Utilidad de Efectos avanzados de vídeo
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Live Safety Scanner
Windows Media Format Runtime
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086

==== End Of File ===========================

Shaba
2009-08-25, 20:47
We will continue with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs, see here (http://www.bleepingcomputer.com/forums/topic114351.html).

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Dalmation
2009-08-26, 04:13
Oh, NO - Although McAfee was disabled, it still had a script blocker running so it stopped ComboFix. When I roll the mouse over to allow the script, I get an hourglass. I can't click on it.

Any ideas?

D

Shaba
2009-08-26, 07:04
Then just restart, disable McAfee completely and re-run combofix in safe mode.

Dalmation
2009-08-26, 15:20
It seems to be improving:

ComboFix 09-08-25.04 - Iris la rosa 08/26/2009 6:33.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1247.998 [GMT -5:00]
Running from: c:\documents and settings\Iris la rosa\Desktop\ComboFix.exe
.
PEV Error: CacheFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Angela\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Angela\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Angela\Local Settings\Temporary Internet Files\fbk.sts
c:\recycler\S-1-5-21-2503378360-1962625819-3654224747-1003
c:\recycler\S-1-5-21-2577210310-3094317980-3060665137-1003
c:\recycler\S-1-5-21-2907212217-3545232299-329427124-1007
c:\recycler\S-1-5-21-319965158-3775583446-1665837685-1003
c:\recycler\S-1-5-21-3487679329-2238096287-3105277978-1003
c:\recycler\S-1-5-21-540841708-2315985936-377414094-1003
c:\windows\system32\amndndkt.dll
c:\windows\system32\ayyewe.dll
c:\windows\system32\BdMmWHQr.ini
c:\windows\system32\BdMmWHQr.ini2
c:\windows\system32\bmcljcoc.dll
c:\windows\system32\bngwccxx.dll
c:\windows\system32\bwumdmuq.dll
c:\windows\system32\bycsuahs.dll
c:\windows\system32\cexkqtdu.dll
c:\windows\system32\frlmui.dll
c:\windows\system32\fwtfxc.dll
c:\windows\system32\gupnqglp.dll
c:\windows\system32\hiptprry.dll
c:\windows\system32\hlfduoqt.dll
c:\windows\system32\hnwknn.dll
c:\windows\system32\iyhyly.dll
c:\windows\system32\jsbouuwn.dll
c:\windows\system32\ktvovysl.dll
c:\windows\system32\kxvbzr.dll
c:\windows\system32\lgjdvyvc.dll
c:\windows\system32\lgkzif.dll
c:\windows\system32\lqnrvbhq.dll
c:\windows\system32\mmwmlito.dll
c:\windows\system32\mugqyxnp.ini
c:\windows\system32\onpotk.dll
c:\windows\system32\pinolsmb.dll
c:\windows\system32\pqjwjqaf.dll
c:\windows\system32\pujrjv.dll
c:\windows\system32\pywzxn.dll
c:\windows\system32\qotckv.dll
c:\windows\system32\rQHWmMdB.dll
c:\windows\system32\sdlsdhja.dll
c:\windows\system32\tjpkomcn.dll
c:\windows\system32\tkeozp.dll
c:\windows\system32\uhhiva.dll
c:\windows\system32\vhjlbz.dll
c:\windows\system32\vwmmiq.dll
c:\windows\system32\wdlxcv.dll
c:\windows\system32\winsokhy.dll
c:\windows\system32\xejxvu.dll
c:\windows\system32\yjopkb.dll
c:\windows\system32\zgwilh.dll
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-26 00:59 . 2009-08-26 00:59 -------- d-----w- c:\windows\system32\LogFiles
2009-08-24 18:30 . 2009-08-24 18:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-08-23 13:31 . 2009-08-23 13:31 -------- d-----w- c:\program files\Trend Micro
2009-08-23 13:29 . 2009-08-23 13:30 -------- d-----w- c:\program files\ERUNT
2009-08-16 19:34 . 2009-08-17 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 19:34 . 2009-08-16 19:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-16 19:18 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-08-16 19:18 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-08-06 15:41 . 2009-08-18 01:30 -------- d-----w- c:\documents and settings\Iris la rosa\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 02:30 . 2008-07-03 17:13 -------- d-----w- c:\program files\LimeWire
2007-03-02 00:21 . 2007-03-02 00:22 1262 ----a-w- c:\program files\Common Files\Shortcut to 13 money money.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1119719136\ee\AOLSoftware.exe" [2006-09-26 50736]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 122880]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2003-08-18 163840]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2003-08-27 245760]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 180224]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-02-26 65024]

c:\documents and settings\Iris la rosa\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Push Client.LNK - c:\program files\Interwise\Student\pull.exe [2005-6-25 802816]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1119719136\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [7/26/2007 8:51 AM 23296]
R3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [1/5/2004 2:39 PM 34688]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ATWPKT2
*Deregistered* - ATWPKT2
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-08-26 c:\windows\Tasks\chopdptn.job
- c:\windows\system32\oPIXnoli.dll [2009-01-05 05:05]

2009-08-26 c:\windows\Tasks\McAfee.com Update Check (IRIS-Angela).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2007-07-26 23:10]

2009-08-26 c:\windows\Tasks\McAfee.com Update Check (IRIS-Iris la rosa).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2007-07-26 23:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1E7B10DA-D4B1-4E38-B29F-7F8C6AFD9444} - (no file)
BHO-{1ea521d0-f808-4d5a-91bb-2ad9e6253d2b} - c:\windows\system32\tkeozp.dll
BHO-{2D9D98DE-AE44-4061-88D7-FE6267EAA9AB} - (no file)
BHO-{41AF4BD9-8230-4FE3-8474-8F07F699B3DD} - (no file)
BHO-{86453EB5-A7DD-4556-8EF9-098146718C55} - (no file)
BHO-{8E7B0130-98B9-4DC6-80F5-01443EC8D812} - c:\windows\system32\rQHWmMdB.dll
BHO-{DB92C8AF-10C0-497C-8DAE-5AB2C573E4EB} - (no file)
BHO-{E5855943-36AC-4CCC-BFAF-3360BE38C8AB} - (no file)
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKCU-Run-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
HKCU-Run-Power2GoExpress - (no file)
HKLM-Run-eugbmlhn - c:\windows\system32\ywalmocc.exe
ShellExecuteHooks-{7e8398bc-df49-4143-aa58-e454aec8ea3f} - c:\windows\system32\tkeozp.dll
Notify-qOiIyVLd - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.juno.com/start/sp.do
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://espanol.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=3082
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 06:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3344)
c:\program files\Common Files\AOL\ACS\WLHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee.com\Shared\mghtml.exe
c:\program files\McAfee.com\Shared\mcinfo.exe
c:\windows\system32\wscntfy.exe
c:\windows\SoftwareDistribution\Download\3361704fe1a0367fcfe17758efab6972\update\update.exe
c:\program files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-08-26 6:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-26 11:47

Pre-Run: 65,240,752,128 bytes free
Post-Run: 64,097,390,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

214 --- E O F --- 2008-07-04 20:11

Dalmation
2009-08-26, 15:21
And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:52 AM, on 8/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/start/sp.do
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://espanol.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=3082
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-us\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Student\pull.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe

--
End of file - 7182 bytes
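The HijackThis log above is the kind of artifact a forum helper reads by hand: R-lines for browser settings, O2/O3 for BHOs and toolbars, O4 for autostarts, O23 for services. Two things make that tedious in practice and both show up in this thread: the paste wrapped long entries onto two lines, and the interesting entries (targets of "(no file)", services with no publisher, short random DLL names in system32 like the ones ComboFix removed) are scattered among dozens of legitimate ones. The following is an added example, not code from the thread or from HijackThis, ComboFix or Spybot. It rejoins wrapped entries and tags the entries a helper would look at first. The sample log is constructed from lines in the thread (one O2 line is written here in HJT format from the tkeozp.dll orphan in the ComboFix log), and the "6 to 8 lowercase letters" name heuristic is an assumption for triage, not a verdict.

```python
"""Triage helper for HijackThis (HJT) logs pasted into a forum thread.

Added example, not part of the thread and not code from HijackThis, ComboFix
or Spybot. It (1) rejoins entries that a paste wrapped onto two lines and
(2) flags the entries a helper reads first: targets of "(no file)", services
with an unknown owner, and DLLs in system32 with short random-looking names.
The name heuristic is an assumption for triage, not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Every HJT entry starts with a section code: R0-R3, F0-F3, O1-O24.
ENTRY_START = re.compile(r"^(?:R\d|F\d|O\d{1,2}) - ")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Heuristic (assumption): 6-8 lowercase letters as a DLL name directly under system32.
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{6,8}\.dll$", re.IGNORECASE)


@dataclass
class Entry:
    code: str                      # e.g. "O2"
    text: str                      # the full, unwrapped entry line
    clsid: Optional[str] = None    # first CLSID in the entry, if any
    flags: List[str] = field(default_factory=list)


def unwrap(log: str) -> List[str]:
    """Return the entry lines of an HJT log, rejoining wrapped continuations.

    Header lines (log version, running processes) precede the first entry and
    are skipped; the "--" separator before "End of file" ends the entries.
    A non-empty line that does not start with a section code is treated as
    the continuation of the previous entry.
    """
    entries: List[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "--":
            break
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] = entries[-1] + " " + line
    return entries


def parse(log: str) -> List[Entry]:
    """Parse an HJT log into Entry records with triage flags."""
    result: List[Entry] = []
    for text in unwrap(log):
        entry = Entry(code=text.split(" - ", 1)[0], text=text)
        m = CLSID.search(text)
        if m:
            entry.clsid = m.group(0)
        if text.endswith("(no file)"):
            entry.flags.append("dangling")         # registry still points at a removed file
        if RANDOM_SYS32_DLL.search(text):
            entry.flags.append("random-name-dll")  # heuristic, verify the file before acting
        if entry.code == "O23" and "Unknown owner" in text:
            entry.flags.append("unknown-owner")    # service binary without a publisher string
        result.append(entry)
    return result


def suspicious(log: str) -> List[Entry]:
    """Entries that carry at least one triage flag."""
    return [e for e in parse(log) if e.flags]


# Constructed sample: lines taken from the log above, including two entries
# that the paste wrapped across two lines, plus one O2 line written here in
# HJT format from the ComboFix orphan list (tkeozp.dll) for illustration.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:52 AM, on 8/26/2009

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/start/sp.do
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {1ea521d0-f808-4d5a-91bb-2ad9e6253d2b} - c:\windows\system32\tkeozp.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
--
End of file - 7182 bytes
"""

if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(", ".join(e.flags), "|", e.text)
```

The random-name check is deliberately crude: legitimate Windows DLLs with short names will trip it too, so in real use pair it with an allowlist of known-good names or a hash lookup, and treat a flag as a prompt to check the file's signer and timestamps, not as grounds for deletion. The "dangling" flag, by contrast, is reliable: an O2/O9 entry whose target is "(no file)" is a leftover registration with nothing to load, which is exactly what ComboFix's orphan list reports.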

Shaba
2009-08-26, 17:44
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


Folder::
c:\program files\LimeWire


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Dalmation
2009-08-27, 03:57
I'm running in Safe Mode since Windows and Java want to update and restart while AOL/McAfee wants to stop scripts. ComboFix seemed to run OK though.

Thanks again for all your help!

Here is the log:
ComboFix 09-08-25.04 - Iris la rosa 08/26/2009 19:36.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1247.1007 [GMT -5:00]
Running from: c:\documents and settings\Iris la rosa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Iris la rosa\Desktop\CFScript.txt
.
PEV Error: CacheFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\dnsjava.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-alpha5-20080522.192134-5.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\UnpackedJars.7z

.
((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))
.

2009-08-26 00:59 . 2009-08-26 00:59 -------- d-----w- c:\windows\system32\LogFiles
2009-08-24 18:30 . 2009-08-24 18:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-08-23 13:31 . 2009-08-23 13:31 -------- d-----w- c:\program files\Trend Micro
2009-08-23 13:29 . 2009-08-23 13:30 -------- d-----w- c:\program files\ERUNT
2009-08-16 19:34 . 2009-08-17 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 19:34 . 2009-08-16 19:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-16 19:18 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-08-16 19:18 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-08-06 15:41 . 2009-08-26 12:10 -------- d-----w- c:\documents and settings\Iris la rosa\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-03-02 00:21 . 2007-03-02 00:22 1262 ----a-w- c:\program files\Common Files\Shortcut to 13 money money.lnk
.

((((((((((((((((((((((((((((( SnapShot@2009-08-26_11.42.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-29 08:58 . 2008-10-22 09:47 62976 c:\windows\system32\tzchange.exe
+ 2005-06-25 16:28 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2005-06-25 16:28 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 39424 c:\windows\system32\pngfilt.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 39424 c:\windows\system32\pngfilt.dll
- 2004-08-27 17:09 . 2005-06-29 01:46 74240 c:\windows\system32\mscms.dll
+ 2004-08-27 17:09 . 2008-06-24 16:23 74240 c:\windows\system32\mscms.dll
- 2004-08-27 17:09 . 2005-01-28 18:44 96768 c:\windows\system32\logagent.exe
+ 2004-08-27 17:09 . 2008-06-10 11:52 96768 c:\windows\system32\logagent.exe
- 2004-08-27 17:09 . 2008-04-21 07:03 16384 c:\windows\system32\jsproxy.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 16384 c:\windows\system32\jsproxy.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 96256 c:\windows\system32\inseng.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 96256 c:\windows\system32\inseng.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 55808 c:\windows\system32\extmgr.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 55808 c:\windows\system32\extmgr.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 39424 c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 39424 c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-27 10:09 . 2005-06-29 01:46 74240 c:\windows\system32\dllcache\mscms.dll
+ 2004-08-27 10:09 . 2008-06-24 16:23 74240 c:\windows\system32\dllcache\mscms.dll
+ 2004-08-27 17:09 . 2008-06-10 11:52 96768 c:\windows\system32\dllcache\logagent.exe
- 2004-08-27 17:09 . 2005-01-28 18:44 96768 c:\windows\system32\dllcache\logagent.exe
+ 2004-08-27 17:09 . 2008-10-16 10:37 16384 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 16384 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 96256 c:\windows\system32\dllcache\inseng.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 96256 c:\windows\system32\dllcache\inseng.dll
- 2004-08-27 17:35 . 2008-04-17 10:52 18432 c:\windows\system32\dllcache\iedw.exe
+ 2004-08-27 17:35 . 2008-10-15 09:45 18432 c:\windows\system32\dllcache\iedw.exe
+ 2004-08-27 17:09 . 2008-10-16 10:37 55808 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 55808 c:\windows\system32\dllcache\extmgr.dll
+ 2009-08-26 11:46 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2009-08-26 11:46 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2009-08-26 11:50 . 2007-11-30 12:39 26488 c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2009-08-26 11:50 . 2007-11-30 12:39 17272 c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2008-10-23 10:17 . 2008-10-23 10:17 62976 c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2008-10-23 10:06 . 2008-10-23 10:06 62976 c:\windows\$hf_mig$\KB955839\SP3GDR\tzchange.exe
+ 2008-10-22 09:47 . 2008-10-22 09:47 62976 c:\windows\$hf_mig$\KB955839\SP2QFE\tzchange.exe
+ 2009-08-26 11:51 . 2007-11-30 12:39 26488 c:\windows\$hf_mig$\KB952954\update\spcustom.dll
+ 2009-08-26 11:51 . 2007-11-30 12:39 17272 c:\windows\$hf_mig$\KB952954\spmsg.dll
+ 2008-06-24 16:53 . 2008-06-24 16:53 74240 c:\windows\$hf_mig$\KB952954\SP3QFE\mscms.dll
+ 2008-06-24 16:43 . 2008-06-24 16:43 74240 c:\windows\$hf_mig$\KB952954\SP3GDR\mscms.dll
+ 2008-06-24 16:28 . 2008-06-24 16:28 74240 c:\windows\$hf_mig$\KB952954\SP2QFE\mscms.dll
+ 2009-08-26 11:49 . 2007-11-30 12:39 26488 c:\windows\$hf_mig$\KB950974\update\spcustom.dll
+ 2009-08-26 11:49 . 2007-11-30 12:39 17272 c:\windows\$hf_mig$\KB950974\spmsg.dll
+ 2005-06-25 16:31 . 2008-10-15 14:00 351744 c:\windows\system32\xpsp3res.dll
- 2005-06-25 16:31 . 2008-04-17 10:37 351744 c:\windows\system32\xpsp3res.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 659456 c:\windows\system32\wininet.dll
- 2004-08-27 17:09 . 2008-04-21 07:04 659456 c:\windows\system32\wininet.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 615936 c:\windows\system32\urlmon.dll
- 2004-08-27 17:09 . 2008-04-21 07:04 615936 c:\windows\system32\urlmon.dll
+ 2004-08-27 17:09 . 2008-10-03 10:15 247326 c:\windows\system32\strmdll.dll
- 2004-08-27 17:09 . 2008-04-21 07:04 474112 c:\windows\system32\shlwapi.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 474112 c:\windows\system32\shlwapi.dll
+ 2004-08-27 17:09 . 2008-10-15 16:57 332800 c:\windows\system32\netapi32.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 532480 c:\windows\system32\mstime.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 532480 c:\windows\system32\mstime.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 146432 c:\windows\system32\msrating.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 146432 c:\windows\system32\msrating.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 449024 c:\windows\system32\mshtmled.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 449024 c:\windows\system32\mshtmled.dll
+ 2004-08-27 17:35 . 2008-04-11 18:50 683520 c:\windows\system32\inetcomm.dll
- 2004-08-27 17:35 . 2007-08-21 06:15 683520 c:\windows\system32\inetcomm.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 251392 c:\windows\system32\iepeers.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 251392 c:\windows\system32\iepeers.dll
+ 2004-08-27 17:09 . 2008-10-23 13:01 283648 c:\windows\system32\gdi32.dll
+ 2004-08-27 17:31 . 2009-08-26 12:31 100640 c:\windows\system32\FNTCACHE.DAT
- 2004-08-27 17:31 . 2008-07-05 01:26 100640 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-27 17:09 . 2008-07-07 20:32 253952 c:\windows\system32\es.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 205312 c:\windows\system32\dxtrans.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 205312 c:\windows\system32\dxtrans.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 357888 c:\windows\system32\dxtmsft.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 357888 c:\windows\system32\dxtmsft.dll
+ 2004-08-27 17:09 . 2008-08-28 10:04 333056 c:\windows\system32\drivers\srv.sys
+ 2004-08-27 17:09 . 2008-10-24 11:10 453632 c:\windows\system32\drivers\mrxsmb.sys
+ 2004-08-27 17:09 . 2008-08-14 09:51 138368 c:\windows\system32\drivers\afd.sys
+ 2004-08-27 10:09 . 2008-10-16 10:37 659456 c:\windows\system32\dllcache\wininet.dll
- 2004-08-27 10:09 . 2008-04-21 07:04 659456 c:\windows\system32\dllcache\wininet.dll
- 2004-08-27 10:09 . 2008-04-21 07:04 615936 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-27 10:09 . 2008-10-16 10:37 615936 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-27 17:09 . 2008-10-03 10:15 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2004-08-27 17:09 . 2008-08-28 10:04 333056 c:\windows\system32\dllcache\srv.sys
+ 2004-08-27 10:09 . 2008-10-16 10:37 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2004-08-27 10:09 . 2008-04-21 07:04 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2004-08-27 10:09 . 2008-10-15 16:57 332800 c:\windows\system32\dllcache\netapi32.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 532480 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 532480 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 146432 c:\windows\system32\dllcache\msrating.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 146432 c:\windows\system32\dllcache\msrating.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 449024 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 449024 c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-27 17:35 . 2004-08-04 09:00 331776 c:\windows\system32\dllcache\msadce.dll
+ 2004-08-27 17:35 . 2008-05-01 14:30 331776 c:\windows\system32\dllcache\msadce.dll
+ 2006-05-05 09:41 . 2008-10-24 11:10 453632 c:\windows\system32\dllcache\mrxsmb.sys
+ 2004-08-27 17:35 . 2008-04-11 18:50 683520 c:\windows\system32\dllcache\inetcomm.dll
- 2004-08-27 17:35 . 2007-08-21 06:15 683520 c:\windows\system32\dllcache\inetcomm.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 251392 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 251392 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-27 10:09 . 2008-10-23 13:01 283648 c:\windows\system32\dllcache\gdi32.dll
+ 2004-08-27 17:09 . 2008-07-07 20:32 253952 c:\windows\system32\dllcache\es.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 205312 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 205312 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 357888 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 357888 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 151040 c:\windows\system32\dllcache\cdfview.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 151040 c:\windows\system32\dllcache\cdfview.dll
+ 2004-08-27 17:09 . 2008-08-14 09:51 138368 c:\windows\system32\dllcache\afd.sys
+ 2004-08-27 17:09 . 2008-10-16 10:37 151040 c:\windows\system32\cdfview.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 151040 c:\windows\system32\cdfview.dll
+ 2005-06-25 16:28 . 2008-10-24 11:10 453632 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-08-26 11:46 . 2008-07-09 07:38 382840 c:\windows\$hf_mig$\KB956802\update\updspapi.dll
+ 2009-08-26 11:46 . 2008-07-09 07:38 755576 c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2009-08-26 11:46 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-10-23 12:43 . 2008-10-23 12:43 286720 c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-10-23 12:36 . 2008-10-23 12:36 286720 c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-10-23 12:51 . 2008-10-23 12:51 284160 c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
+ 2009-08-26 11:50 . 2007-11-30 12:39 382840 c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2009-08-26 11:50 . 2007-11-30 12:39 755576 c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2009-08-26 11:50 . 2007-11-30 12:39 231288 c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2009-08-26 11:51 . 2007-11-30 12:39 382840 c:\windows\$hf_mig$\KB952954\update\updspapi.dll
+ 2009-08-26 11:51 . 2007-11-30 12:39 755576 c:\windows\$hf_mig$\KB952954\update\update.exe
+ 2009-08-26 11:51 . 2007-11-30 12:39 231288 c:\windows\$hf_mig$\KB952954\spuninst.exe
+ 2009-08-26 11:49 . 2007-11-30 12:39 382840 c:\windows\$hf_mig$\KB950974\update\updspapi.dll
+ 2009-08-26 11:49 . 2007-11-30 12:39 755576 c:\windows\$hf_mig$\KB950974\update\update.exe
+ 2009-08-26 11:49 . 2007-11-30 12:39 231288 c:\windows\$hf_mig$\KB950974\spuninst.exe
+ 2008-07-07 20:23 . 2008-07-07 20:23 253952 c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
+ 2008-07-07 20:26 . 2008-07-07 20:26 253952 c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
+ 2008-07-07 20:06 . 2008-07-07 20:06 253952 c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
+ 2009-01-05 01:51 . 2008-04-15 17:54 1724416 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
+ 2004-08-27 17:09 . 2008-06-10 13:07 2376760 c:\windows\system32\WMVCore.dll
+ 2004-08-27 17:09 . 2008-06-10 12:28 1028096 c:\windows\system32\WMNetmgr.dll
+ 2004-08-27 17:09 . 2008-09-15 11:57 1846016 c:\windows\system32\win32k.sys
+ 2004-08-27 17:09 . 2008-10-16 10:37 1494528 c:\windows\system32\shdocvw.dll
- 2004-08-27 17:09 . 2008-04-21 07:04 1494528 c:\windows\system32\shdocvw.dll
- 2004-08-27 17:09 . 2007-02-28 09:10 2180352 c:\windows\system32\ntoskrnl.exe
+ 2004-08-27 17:09 . 2008-08-14 10:00 2180352 c:\windows\system32\ntoskrnl.exe
+ 2004-08-04 02:59 . 2008-08-14 09:22 2057728 c:\windows\system32\ntkrnlpa.exe
+ 2004-08-27 17:09 . 2008-09-04 16:42 1106944 c:\windows\system32\msxml3.dll
+ 2004-08-27 17:09 . 2008-12-12 17:33 3060224 c:\windows\system32\mshtml.dll
+ 2004-08-27 17:09 . 2008-06-10 13:07 2376760 c:\windows\system32\dllcache\WMVCore.dll
+ 2004-08-27 17:09 . 2008-06-10 12:28 1028096 c:\windows\system32\dllcache\WMNetmgr.dll
+ 2004-08-27 10:09 . 2008-09-15 11:57 1846016 c:\windows\system32\dllcache\win32k.sys
- 2004-08-27 10:09 . 2008-04-21 07:04 1494528 c:\windows\system32\dllcache\shdocvw.dll
+ 2004-08-27 10:09 . 2008-10-16 10:37 1494528 c:\windows\system32\dllcache\shdocvw.dll
+ 2006-12-19 14:17 . 2008-08-14 10:00 2180352 c:\windows\system32\dllcache\ntoskrnl.exe
- 2006-12-19 14:17 . 2007-02-28 09:10 2180352 c:\windows\system32\dllcache\ntoskrnl.exe
- 2006-12-19 12:55 . 2007-02-28 08:38 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2006-12-19 12:55 . 2008-08-14 09:22 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2006-12-19 12:55 . 2008-08-14 09:22 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2006-12-19 14:15 . 2008-08-14 09:58 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2006-12-19 14:15 . 2007-02-28 09:08 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2004-08-27 17:09 . 2008-09-04 16:42 1106944 c:\windows\system32\dllcache\msxml3.dll
+ 2004-08-27 17:09 . 2008-12-12 17:33 3060224 c:\windows\system32\dllcache\mshtml.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 1054208 c:\windows\system32\dllcache\danim.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 1054208 c:\windows\system32\dllcache\danim.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 1023488 c:\windows\system32\dllcache\browseui.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 1023488 c:\windows\system32\dllcache\browseui.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 1054208 c:\windows\system32\danim.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 1054208 c:\windows\system32\danim.dll
- 2004-08-27 17:09 . 2008-04-21 07:03 1023488 c:\windows\system32\browseui.dll
+ 2004-08-27 17:09 . 2008-10-16 10:37 1023488 c:\windows\system32\browseui.dll
- 2005-06-25 16:31 . 2007-02-28 09:10 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2005-06-25 16:31 . 2008-08-14 10:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2005-06-25 16:30 . 2008-08-14 09:22 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2005-06-25 16:30 . 2007-02-28 08:38 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2005-06-25 16:30 . 2008-08-14 09:22 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2005-06-25 16:31 . 2008-08-14 09:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2005-06-25 16:31 . 2007-02-28 09:08 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1119719136\ee\AOLSoftware.exe" [2006-09-26 50736]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 122880]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2003-08-18 163840]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2003-08-27 245760]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 180224]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-02-26 65024]

c:\documents and settings\Iris la rosa\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Push Client.LNK - c:\program files\Interwise\Student\pull.exe [2005-6-25 802816]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1119719136\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [7/26/2007 8:51 AM 23296]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [1/5/2004 2:39 PM 34688]
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-08-27 c:\windows\Tasks\chopdptn.job
- c:\windows\system32\oPIXnoli.dll [2009-01-05 05:05]

2009-08-27 c:\windows\Tasks\McAfee.com Update Check (IRIS-Iris la rosa).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2007-07-26 23:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.juno.com/start/sp.do
mStart Page = hxxp://espanol.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=3082
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 19:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-27 19:42
ComboFix-quarantined-files.txt 2009-08-27 00:42
ComboFix2.txt 2009-08-26 11:47

Pre-Run: 64,939,896,832 bytes free
Post-Run: 64,904,687,616 bytes free

291 --- E O F --- 2009-08-26 11:51

Dalmation
2009-08-27, 04:01
A question: Is it safe to let Windows updates install now or should I try to wait until we are done?

D

Shaba
2009-08-27, 07:10
Please wait a bit with them.

Delete this:

c:\windows\Tasks\chopdptn.job

Empty Recycle Bin.

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on the Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   - Spyware, Adware, Dialers, and other potentially dangerous programs
   - Archives
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Please post this log in your next reply along with a fresh HijackThis log.

Dalmation
2009-08-28, 03:50
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, August 27, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, August 27, 2009 20:39:15
Records in database: 2692678
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 51827
Threats found: 19
Infected objects found: 101
Suspicious objects found: 0
Scan duration: 02:52:59


File name / Threat / Threats count
C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\amndndkt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ayyewe.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bmcljcoc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bngwccxx.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bwumdmuq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bycsuahs.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cexkqtdu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\frlmui.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fwtfxc.dll.vir Infected: Trojan.Win32.Monder.alkp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gupnqglp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hiptprry.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hlfduoqt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hnwknn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iyhyly.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jsbouuwn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ktvovysl.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kxvbzr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lgjdvyvc.dll.vir Infected: Trojan.Win32.Monder.alkp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lgkzif.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lqnrvbhq.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmwmlito.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\onpotk.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pinolsmb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pqjwjqaf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pujrjv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pywzxn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qotckv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sdlsdhja.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tjpkomcn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tkeozp.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uhhiva.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vhjlbz.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vwmmiq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wdlxcv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winsokhy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xejxvu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yjopkb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zgwilh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP161\A0069146.dll Infected: Trojan.Win32.Monder.alko 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP162\A0069154.dll Infected: Trojan.Win32.Monder.blxt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP162\A0070154.dll Infected: Trojan.Win32.Monder.blxt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP162\A0070155.dll Infected: Trojan.Win32.Monder.blxt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP162\A0070156.dll Infected: Trojan.Win32.Monder.blxt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP162\A0070157.dll Infected: Trojan.Win32.Monder.blxt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP162\A0070158.dll Infected: Trojan.Win32.Monder.blxt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP163\A0070185.dll Infected: Trojan.Win32.Monder.blxt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP163\A0070186.dll Infected: Trojan.Win32.Monder.blxt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP163\A0070240.exe Infected: Trojan-Downloader.Win32.Agent.bozu 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP163\A0070242.exe Infected: Trojan.Win32.Agent.bcif 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP164\A0070455.exe Infected: Trojan-Downloader.Win32.Agent.alda 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP164\A0070457.exe Infected: Trojan-Downloader.Win32.Agent.aldb 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP164\A0070458.exe Infected: Trojan-Downloader.Win32.Agent.afxv 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP164\A0070460.exe Infected: Trojan.Win32.Agent.bcak 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP164\A0070461.exe Infected: Trojan.Win32.Agent.cuok 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP164\A0070462.exe Infected: not-a-virus:AdWare.Win32.Agent.lhu 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP165\A0072652.dll Infected: Trojan.Win32.Monder.blxt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP165\A0072654.dll Infected: Trojan.Win32.Monder.aidu 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP166\A0072663.dll Infected: Trojan.Win32.Inject.mud 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074017.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074018.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074019.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074020.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074021.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074022.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074023.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074024.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074025.dll Infected: Trojan.Win32.Monder.alkp 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074026.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074027.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074028.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074029.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074030.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074031.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074032.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074033.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074034.dll Infected: Trojan.Win32.Monder.alkp 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074035.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074036.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074037.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074039.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074040.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074041.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074042.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074043.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074044.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074046.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074047.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074048.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074049.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074050.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074051.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074052.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074053.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074054.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074055.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074056.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074076.exe Infected: Trojan.Win32.Inject.muc 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074109.exe Infected: Trojan-Downloader.Win32.FraudLoad.cvt 1
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074119.exe Infected: Trojan.Win32.Inject.muc 1
C:\WINDOWS\system32\oPIXnoli.dll Infected: Trojan.Win32.Pakes.mmg 1

Selected area has been scanned.
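
The report above lists 101 infected objects, but almost all of them are copies that can no longer run: everything under C:\Qoobox\Quarantine is what ComboFix already removed and renamed to *.vir, and everything under System Volume Information\_restore{...} is a System Restore snapshot. Only two objects are live on disk: the AOL toolbar component (adware, flagged "not-a-virus") and C:\WINDOWS\system32\oPIXnoli.dll, the DLL that the chopdptn.job scheduled task in the ComboFix log was loading. The script below is an added triage example, not code from this thread or from Kaspersky: it parses report lines of the form shown above, sorts each hit by location, and prints only what still needs removal. The sample input is a handful of lines excerpted from the posted report; the location rules (Qoobox = ComboFix quarantine, _restore = restore point, anything else = live) are this example's own heuristic.

```python
"""Triage a Kaspersky Online Scanner report: separate live infections from
already-neutralized copies (ComboFix quarantine, System Restore points)."""
import re
from collections import Counter

# Lines excerpted from the report posted above, used as offline sample input.
SAMPLE_REPORT = [
    r"C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\fwtfxc.dll.vir Infected: Trojan.Win32.Monder.alkp 1",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\amndndkt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.lit 1",
    r"C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP169\A0074109.exe Infected: Trojan-Downloader.Win32.FraudLoad.cvt 1",
    r"C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP163\A0070240.exe Infected: Trojan-Downloader.Win32.Agent.bozu 1",
    r"C:\WINDOWS\system32\oPIXnoli.dll Infected: Trojan.Win32.Pakes.mmg 1",
    "Selected area has been scanned.",
]

# "<path> Infected: <threat name> <count>"; the path may contain spaces.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_line(line):
    """Return (path, threat, count) for a detection line, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("threat"), int(m.group("count"))


def classify_path(path):
    """Where the detected object lives; only 'live' objects can still execute.
    Heuristic chosen for this example, based on the paths in the report."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "quarantined"      # ComboFix quarantine: renamed to *.vir, inert
    if r"\system volume information\_restore" in p:
        return "restore_point"    # System Restore copy: inert unless restored
    return "live"


def is_pup(threat):
    """Kaspersky prefixes adware/riskware verdicts with 'not-a-virus:'."""
    return threat.startswith("not-a-virus:")


def triage(lines):
    """Group detections by location: {location: [(path, threat), ...]}."""
    groups = {"live": [], "quarantined": [], "restore_point": []}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # header, footer or blank line
        path, threat, _count = parsed
        groups[classify_path(path)].append((path, threat))
    return groups


def live_malware(lines):
    """Paths that still need removal: on disk now, and not merely adware."""
    return [path for path, threat in triage(lines)["live"] if not is_pup(threat)]


def summary(lines):
    """Counts per location, for a one-glance view of what really remains."""
    return Counter({loc: len(hits) for loc, hits in triage(lines).items()})


if __name__ == "__main__":
    print(dict(summary(SAMPLE_REPORT)))
    for path in live_malware(SAMPLE_REPORT):
        print("REMOVE:", path)
```

Run against the full report the same way (read the saved .txt into a list of lines); the quarantine and restore-point hits are cleared later by purging ComboFix's Qoobox folder and creating a fresh restore point, so the list that matters for the next step is the "live" group.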

Dalmation
2009-08-28, 03:51
HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:50 PM, on 8/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://espanol.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=3082
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-us\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Student\pull.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\WINDOWS\system32\CF27350.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe

--
End of file - 6706 bytes

Shaba
2009-08-28, 07:11
Please post a fresh HijackThis log taken in normal mode :)

Dalmation
2009-08-28, 14:20
OK

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:11 AM, on 8/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Interwise\Student\pull.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://espanol.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=3082
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-us\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1119719136\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Student\pull.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\WINDOWS\system32\CF27350.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe

--
End of file - 7548 bytes

Shaba
2009-08-28, 14:36
Empty this folder:

C:\Qoobox\Quarantine

Delete this:

C:\WINDOWS\system32\oPIXnoli.dll

Empty Recycle Bin.

Still problems?

Dalmation
2009-08-29, 01:24
It all seems to be working great! :thanks:

I still have updates for Java and Windows that need to be installed. Let me know if we are ready for that yet. I will be away from my computer Saturday.


Thanks for all your help!

Shaba
2009-08-29, 12:20
Yes, it would be a good time to do it :)

See below for my final instructions:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can fix these, they are leftovers:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\WINDOWS\system32\CF27350.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:
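The two "leftovers" Shaba picks out of the HijackThis log above are both entries whose target no longer exists on disk: the `R3` URLSearchHook ends in "(no file)" and the `O23` PEVSystemStart service ends in "(file missing)". That is a mechanical check a reviewer can run over any HijackThis log before reading it by hand. The script below is an added example written for this thread, not HijackThis code or anything from the Spybot forum: it parses lines of the `Xn - body` form the log uses, pulls out the CLSID where one is present, and flags every entry whose target is reported as missing. The sample input is a constructed subset of six lines copied from the log posted in this thread; note that the rule also catches the `O9` "(no name)" button with "(no file)" at the same position, which is why a helper still reads the flagged list rather than fixing it blindly.

```python
"""Flag HijackThis log entries whose target file no longer exists.

Added example for this thread; not HijackThis or Spybot code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\WINDOWS\system32\CF27350.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis entries start with a section code (R0..R3, F0..F3, N1..N4, O1..O24)
# followed by " - "; the "Running processes" paths and headers do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# Registry-style GUID, case-insensitive (HijackThis prints mixed case).
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends one of these markers when the referenced file is absent.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")


@dataclass
class HjtEntry:
    section: str          # e.g. "O23"
    body: str             # everything after "O23 - "
    clsid: Optional[str]  # first GUID in the line, if any
    orphaned: bool        # True when the target is reported as missing


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Turn the entry lines of a HijackThis log into HjtEntry records."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank line, header, or a "Running processes" path
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(HjtEntry(
            section=m.group("section"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            orphaned=bool(ORPHAN_RE.search(body)),
        ))
    return entries


def find_orphans(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries that point at a file HijackThis could not find."""
    return [e for e in entries if e.orphaned]


def fix_list(entries: List[HjtEntry]) -> List[str]:
    """The orphaned entries, re-assembled as the lines a helper would quote."""
    return [f"{e.section} - {e.body}" for e in find_orphans(entries)]


if __name__ == "__main__":
    for line in fix_list(parse_hjt_log(SAMPLE_LOG)):
        print(line)
```

Feed it a whole saved log instead of `SAMPLE_LOG` to get the candidate list for a real review; the `clsid` field is there so an `O2`/`O3` entry can be cross-referenced against the Spybot "Browser helper object" finding at the top of the thread, which reports the same kind of GUID.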

Dalmation
2009-08-30, 19:40
Thanks for all the help, Shaba!

:wav:

Shaba
2009-09-05, 12:14
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.