romseeker123
New member
I have a lot of problems with pop ups, whenever i search for something in google it redirects me to other pages, and explorer.exe tends to overrun my computer and cause it to have 100% CPU. PLZ help
need help veru urgent!!!
- Thread starter romseeker123
- Start date
steamwiz
Security Expert-Emeritus
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:05 AM, on 9/27/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O1 - Hosts: zö,º\
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\vgcdlfrm.dll",sitypnow
O4 - HKCU\..\Run: [P2P] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [adprot] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WebRun] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [rraun] C:\WINDOWS\System32\veobmt.exe reg_run (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rraun] C:\WINDOWS\System32\veobmt.exe reg_run (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c11.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/08599382b0f9e9f77319/netzip/RdxIE601.cab
O16 - DPF: {5C3A9EA6-4068-46B8-8B5A-692FB10607B1} - http://www.grupomarineda.net/auto/DialerData.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125027239307
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125027096281
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4377/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F47BD564-1BA3-4E18-824C-F357D1A3EA75}: NameServer = 204.127.129.4 12.102.244.4
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\System32\winload.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 7481 bytes
Scan saved at 11:05:05 AM, on 9/27/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O1 - Hosts: zö,º\
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\vgcdlfrm.dll",sitypnow
O4 - HKCU\..\Run: [P2P] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [adprot] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WebRun] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [rraun] C:\WINDOWS\System32\veobmt.exe reg_run (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rraun] C:\WINDOWS\System32\veobmt.exe reg_run (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c11.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/08599382b0f9e9f77319/netzip/RdxIE601.cab
O16 - DPF: {5C3A9EA6-4068-46B8-8B5A-692FB10607B1} - http://www.grupomarineda.net/auto/DialerData.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125027239307
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125027096281
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4377/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F47BD564-1BA3-4E18-824C-F357D1A3EA75}: NameServer = 204.127.129.4 12.102.244.4
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\System32\winload.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 7481 bytes
steamwiz
Security Expert-Emeritus
HI
Please copy & paste any logs requested, do NOT attach them unless asked to do so ... it's easier to refer back to them that way...
Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
steam
Please copy & paste any logs requested, do NOT attach them unless asked to do so ... it's easier to refer back to them that way...
Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
steam
romseeker123
New member
this is combofix. i dont know if u need the quaratined txt but if u do let me know:
ComboFix 07-09-30.5 - Julio 2007-09-30 3:37:20.4 - NTFSx86
Running from: C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\WINDOWS\system32\iifccax.dll
C:\WINDOWS\system32\khfcy.dll
C:\WINDOWS\system32\ntio256.sys
C:\WINDOWS\system32\protector.exe
C:\WINDOWS\system32\xpdx.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_NTIO256
-------\LEGACY_XPDX
-------\ntio256
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.
2007-09-30 02:29 72,220 --a------ C:\uvbbeuu.exe
2007-09-30 02:29 25,088 --a------ C:\pgwgygwn.exe
2007-09-30 02:29 20,480 --a------ C:\rkburvxa.exe
2007-09-30 02:16 62,464 --a------ C:\WINDOWS\NirCmd.exe
2007-09-29 03:34 158,432 --a------ C:\WINDOWS\system32\bf81d339.sys
2007-09-28 17:09 122,944 --a------ C:\WINDOWS\system32\ltjwnsyb.exe
2007-09-28 17:06 158,432 --a------ C:\WINDOWS\system32\61b0b765.sys
2007-09-28 01:19 158,432 --a------ C:\WINDOWS\system32\2dd3a4cd.sys
2007-09-27 16:33 90,176 --------- C:\WINDOWS\system32\rogdakwa.exe
2007-09-27 10:38 155,712 --a------ C:\WINDOWS\system32\vjlprhtb.exe
2007-09-27 06:28 90,176 --a------ C:\WINDOWS\system32\yhwehvkj.exe
2007-09-27 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-27 00:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-27 00:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-27 00:16 90,176 --a------ C:\WINDOWS\system32\parrwnjh.exe
2007-09-27 00:08 122,944 --a------ C:\WINDOWS\system32\twtrletl.exe
2007-09-26 18:33 352,320 --a------ C:\WINDOWS\system32\jyimhgkr.exe
2007-09-26 17:25 122,944 --a------ C:\WINDOWS\system32\jmxnmetq.exe
2007-09-25 23:07 122,944 --a------ C:\WINDOWS\system32\rgsvvntc.exe
2007-09-25 21:59 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-25 21:38 188,480 --a------ C:\WINDOWS\system32\lyjwrbke.exe
2007-09-25 21:32 62,464 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-25 21:32 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-25 21:31 90,176 --a------ C:\WINDOWS\system32\rrajehyq.exe
2007-09-25 21:20 <DIR> d-------- C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\.housecall6.6
2007-09-25 21:03 122,432 --a------ C:\WINDOWS\system32\vaillfgg.exe
2007-09-25 20:57 90,176 --a------ C:\WINDOWS\system32\mbwstwqo.exe
2007-09-25 17:54 90,176 --a------ C:\WINDOWS\system32\mvpkmfyg.exe
2007-09-25 16:22 122,432 --a------ C:\WINDOWS\system32\vxdkspuj.exe
2007-09-24 20:28 90,176 --a------ C:\WINDOWS\system32\feigpdeu.exe
2007-09-24 18:35 155,712 --a------ C:\WINDOWS\system32\bjftrkvk.exe
2007-09-23 22:13 90,176 --a------ C:\WINDOWS\system32\oicxersb.exe
2007-09-23 22:11 <DIR> d-------- C:\!KillBox
2007-09-23 22:04 155,712 --a------ C:\WINDOWS\system32\ejwlrlkg.exe
2007-09-23 21:19 90,176 --a------ C:\WINDOWS\system32\fthgfvei.exe
2007-09-23 21:17 90,176 --a------ C:\WINDOWS\system32\xmfcxfoa.exe
2007-09-23 08:58 90,176 --a------ C:\WINDOWS\system32\puntprag.exe
2007-09-21 01:22 221,248 --a------ C:\WINDOWS\system32\vamltqep.exe
2007-09-21 00:51 286,784 --a------ C:\WINDOWS\system32\kiwyrygm.exe
2007-09-17 17:01 122,944 --a------ C:\WINDOWS\system32\uiwfacru.exe
2007-09-17 16:17 90,176 --a------ C:\WINDOWS\system32\fpcytlkc.exe
2007-09-14 16:05 122,944 --a------ C:\WINDOWS\system32\ekgrmtda.exe
2007-09-13 22:01 90,176 --a------ C:\WINDOWS\system32\rbcmtbil.exe
2007-09-07 01:38 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-09-07 01:38 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-16 13:44 96,256 --a--c--- C:\WINDOWS\system32\dllcache\ac97intc.sys
2007-08-16 13:44 96,256 --a------ C:\WINDOWS\system32\drivers\ac97intc.sys
2007-08-16 13:35 509,353 --a--c--- C:\WINDOWS\system32\dllcache\ltmdmnt.sys
2007-08-16 13:35 509,353 --a------ C:\WINDOWS\system32\drivers\ltmdmnt.sys
2007-08-16 13:34 585,344 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-08-16 13:34 585,344 --a------ C:\WINDOWS\system32\i81xdnt5.dll
2007-08-16 13:34 138,240 --a--c--- C:\WINDOWS\system32\dllcache\i81xnt5.sys
2007-08-16 13:34 138,240 --a------ C:\WINDOWS\system32\drivers\i81xnt5.sys
2007-08-16 03:30 31,170 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2007-08-16 03:21 46,080 --a------ C:\WINDOWS\system32\tt.exe
2007-08-16 03:20 45,568 --a------ C:\WINDOWS\system32\cr.exe
2007-08-16 03:16 22,528 --a------ C:\WINDOWS\system32\Partizan.exe
2007-08-16 03:09 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2007-08-16 02:57 45,568 --a------ C:\WINDOWS\system32\kb.exe
2007-08-16 02:57 111,616 --a------ C:\WINDOWS\system32\xd.exe
2007-08-16 02:32 78,848 --a------ C:\WINDOWS\system32\xg.exe
2007-08-16 02:32 46,080 --a------ C:\WINDOWS\system32\qs.exe
2007-08-16 02:09 78,336 --a------ C:\WINDOWS\system32\uq.exe
2007-08-16 00:40 1,700,116 ---hs---- C:\WINDOWS\system32\ceggh.ini2
2007-08-15 23:35 90,176 --a------ C:\WINDOWS\system32\coulwlgv.exe
2007-08-15 17:44 188,480 --a------ C:\WINDOWS\system32\qdgqjvtx.exe
2007-08-15 03:11 122,944 --a------ C:\WINDOWS\system32\xomeaixu.exe
2007-08-15 01:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-08-15 01:19 89,664 --a------ C:\WINDOWS\system32\ughummbm.exe
2007-08-15 00:58 155,712 --a------ C:\WINDOWS\system32\jhwvplso.exe
2007-08-15 00:41 122,944 --a------ C:\WINDOWS\system32\sjshqbrk.exe
2007-08-15 00:32 90,176 --a------ C:\WINDOWS\system32\igdwbtln.exe
2007-08-13 11:00 90,176 --a------ C:\WINDOWS\system32\hyansied.exe
2007-08-13 10:48 122,944 --a------ C:\WINDOWS\system32\yvatnhsy.exe
2007-08-13 10:45 90,176 --a------ C:\WINDOWS\system32\xlbvvlcn.exe
2007-08-11 11:50 90,176 --a------ C:\WINDOWS\system32\iptjxqsp.exe
2007-08-11 11:50 1,687,655 ---hs---- C:\WINDOWS\system32\ceggh.bak2
2007-08-10 01:19 1,728,635 ---hs---- C:\WINDOWS\system32\ceggh.bak1
2007-08-04 04:18 0 --a------ C:\WINDOWS\system32\scricon.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 01:30 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-09-28 00:42 7168 --a------ C:\WINDOWS\system32\protect.dll
2007-09-28 00:41 9216 --a------ C:\WINDOWS\system32\yatool.dll
2007-09-28 00:41 8192 --a------ C:\WINDOWS\system32\iphelp.dll
2007-09-28 00:41 5120 --a------ C:\WINDOWS\system32\rsh.dll
2007-09-28 00:41 4096 --a------ C:\WINDOWS\system32\mscert.dll
2007-09-27 20:38 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-26 23:30 77312 --a------ C:\WINDOWS\ua2.dll
2007-09-25 21:33 --------- d-------- C:\Program Files\FlashGet
2007-09-20 18:10 --------- d-------- C:\Program Files\AIM
2007-09-20 18:03 --------- d-------- C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\Application Data\Aim
2007-09-20 17:08 --------- d-------- C:\Program Files\BitLord
2007-09-14 00:31 4608 --a------ C:\WINDOWS\system32\netd.dll
2007-09-14 00:30 9216 --a------ C:\WINDOWS\system32\rcpdu.dll
2007-09-14 00:30 8192 --a------ C:\WINDOWS\system32\dcphnet.dll
2007-09-14 00:30 7680 --a------ C:\WINDOWS\system32\gdid32.dll
2007-09-14 00:30 7680 --a------ C:\WINDOWS\system32\cbrowse.dll
2007-09-14 00:30 5120 --a------ C:\WINDOWS\system32\ftpsystem.dll
2007-09-14 00:30 4608 --a------ C:\WINDOWS\system32\psx.dll
2007-09-14 00:30 4608 --a------ C:\WINDOWS\system32\credigui.dll
2007-09-14 00:30 3072 --a------ C:\WINDOWS\system32\pxcrt.dll
2007-08-31 00:37 --------- d-------- C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\Application Data\AdobeUM
2007-08-16 01:42 --------- d-------- C:\Program Files\Comodo
2007-08-15 01:11 --------- d--h----- C:\Program Files\QuickTime
2007-08-15 00:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 10:31 --------- d-------- C:\Program Files\mIRC
2007-07-07 21:10 44676 --a------ C:\WINDOWS\system32\ut.exe
2007-07-07 20:00 46004 --a------ C:\WINDOWS\system32\sq.exe
2007-02-16 17:19 0 --a------ C:\Program Files\Common Files\Internat.sys
2000-06-16 05:26 271 ---hs---- C:\Program Files\desktop.ini
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54C7D1DD-4296-451e-B756-1E94F665B4FF}]
2007-09-28 00:41 9216 --a------ C:\WINDOWS\System32\yatool.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64B94229-7967-860A-A0C2-034C02BA876B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-06-18 22:32 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winqeo32]
winqeo32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Julio.HOME-TE6W3IOMYE^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2F7U3ml]
athwave.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\650f0e7c.exe]
C:\WINDOWS\System32\650f0e7c.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adprot]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]
C:\WINDOWS\ARUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aiyhbfq]
C:\WINDOWS\System32\pnmlt\aiyhbfq.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader2soo1aYlUYXM]
"C:\WINDOWS\System32\athwave.exe" /PC="CP.CDT3" /ShowLegalNote="nonbranded" /UninstallName="CtxPls"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
"C:\Program Files\AutoUpdate\AutoUpdate.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win22.tmp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
"C:\Program Files\Comodo\Firewall\CPF.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
rundll32.exe "C:\WINDOWS\qonmjg.dll",setvm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DM_Server]
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS]
C:\Program Files\Common Files\mc-58-12-0000140.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dodcbsnm]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dodcbsnm.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-Gold]
C:\WINDOWS\TEMP\VRR2.tmp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\mwinkmdt.exe CHD003
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\frwx]
C:\WINDOWS\System32\tycp\frwx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1125542246\ee\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPwxVsG]
C:\WINDOWS\xpqdc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"C:\Program Files\Internet Optimizer\optimize.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Joo8RgJnP]
vcdd3x40.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jwyehnl.dll]
C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\NetworkService\Local Settings\Application Data\jwyehnl.dll",zjpegeg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\links]
links.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsciy]
C:\WINDOWS\System32\qkxcykeh\lsciy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lwbidyfm]
rundll32.exe "C:\Program Files\lwbidyfm\borgfuvw.dll",Init
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Update]
"C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms-update]
scvhost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Messenger]
msnmrgrs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsUpdate]
C:\Program Files\MsUpdate\MsUpdate.exe /auto
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pjpru]
C:\WINDOWS\System32\pvaotsnh\pjpru.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]
C:\Program Files\ProfileWatcher\profilewatcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu21.exe 61A847B5BBF72810338B2B27128065E9C084320161C4661227A755E9C2933154389A
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\System32\piaasgyy.dll",sitypnow
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services32]
C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowBehind]
C:\WINDOWS\sbnet\ShowBehind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\System32\spoolsvv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\System32\kernels8.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRun]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{3E-EA-AD-D9-ZN}]
C:\WINDOWS\system32\dwdsrngt.exe CHD003
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"wuauserv"=2 (0x2)
"uysmhernxqkgee"=2 (0x2)
"TlntSvr"=3 (0x3)
"snmuxxvitojnt"=2 (0x2)
"RSVP"=3 (0x3)
"PREVXAgent"=2 (0x2)
"Microsoft update Service"=2 (0x2)
"DomainService"=2 (0x2)
"CmdAgent"=2 (0x2)
S3 Partizan;Partizan;C:\WINDOWS\System32\drivers\Partizan.sys
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 03:46:02
Windows 5.1.2600 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-30 3:48:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-30 03:48
.
--- E O F ---
ComboFix 07-09-30.5 - Julio 2007-09-30 3:37:20.4 - NTFSx86
Running from: C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\WINDOWS\system32\iifccax.dll
C:\WINDOWS\system32\khfcy.dll
C:\WINDOWS\system32\ntio256.sys
C:\WINDOWS\system32\protector.exe
C:\WINDOWS\system32\xpdx.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_NTIO256
-------\LEGACY_XPDX
-------\ntio256
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.
2007-09-30 02:29 72,220 --a------ C:\uvbbeuu.exe
2007-09-30 02:29 25,088 --a------ C:\pgwgygwn.exe
2007-09-30 02:29 20,480 --a------ C:\rkburvxa.exe
2007-09-30 02:16 62,464 --a------ C:\WINDOWS\NirCmd.exe
2007-09-29 03:34 158,432 --a------ C:\WINDOWS\system32\bf81d339.sys
2007-09-28 17:09 122,944 --a------ C:\WINDOWS\system32\ltjwnsyb.exe
2007-09-28 17:06 158,432 --a------ C:\WINDOWS\system32\61b0b765.sys
2007-09-28 01:19 158,432 --a------ C:\WINDOWS\system32\2dd3a4cd.sys
2007-09-27 16:33 90,176 --------- C:\WINDOWS\system32\rogdakwa.exe
2007-09-27 10:38 155,712 --a------ C:\WINDOWS\system32\vjlprhtb.exe
2007-09-27 06:28 90,176 --a------ C:\WINDOWS\system32\yhwehvkj.exe
2007-09-27 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-27 00:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-27 00:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-27 00:16 90,176 --a------ C:\WINDOWS\system32\parrwnjh.exe
2007-09-27 00:08 122,944 --a------ C:\WINDOWS\system32\twtrletl.exe
2007-09-26 18:33 352,320 --a------ C:\WINDOWS\system32\jyimhgkr.exe
2007-09-26 17:25 122,944 --a------ C:\WINDOWS\system32\jmxnmetq.exe
2007-09-25 23:07 122,944 --a------ C:\WINDOWS\system32\rgsvvntc.exe
2007-09-25 21:59 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-25 21:38 188,480 --a------ C:\WINDOWS\system32\lyjwrbke.exe
2007-09-25 21:32 62,464 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-25 21:32 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-25 21:31 90,176 --a------ C:\WINDOWS\system32\rrajehyq.exe
2007-09-25 21:20 <DIR> d-------- C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\.housecall6.6
2007-09-25 21:03 122,432 --a------ C:\WINDOWS\system32\vaillfgg.exe
2007-09-25 20:57 90,176 --a------ C:\WINDOWS\system32\mbwstwqo.exe
2007-09-25 17:54 90,176 --a------ C:\WINDOWS\system32\mvpkmfyg.exe
2007-09-25 16:22 122,432 --a------ C:\WINDOWS\system32\vxdkspuj.exe
2007-09-24 20:28 90,176 --a------ C:\WINDOWS\system32\feigpdeu.exe
2007-09-24 18:35 155,712 --a------ C:\WINDOWS\system32\bjftrkvk.exe
2007-09-23 22:13 90,176 --a------ C:\WINDOWS\system32\oicxersb.exe
2007-09-23 22:11 <DIR> d-------- C:\!KillBox
2007-09-23 22:04 155,712 --a------ C:\WINDOWS\system32\ejwlrlkg.exe
2007-09-23 21:19 90,176 --a------ C:\WINDOWS\system32\fthgfvei.exe
2007-09-23 21:17 90,176 --a------ C:\WINDOWS\system32\xmfcxfoa.exe
2007-09-23 08:58 90,176 --a------ C:\WINDOWS\system32\puntprag.exe
2007-09-21 01:22 221,248 --a------ C:\WINDOWS\system32\vamltqep.exe
2007-09-21 00:51 286,784 --a------ C:\WINDOWS\system32\kiwyrygm.exe
2007-09-17 17:01 122,944 --a------ C:\WINDOWS\system32\uiwfacru.exe
2007-09-17 16:17 90,176 --a------ C:\WINDOWS\system32\fpcytlkc.exe
2007-09-14 16:05 122,944 --a------ C:\WINDOWS\system32\ekgrmtda.exe
2007-09-13 22:01 90,176 --a------ C:\WINDOWS\system32\rbcmtbil.exe
2007-09-07 01:38 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-09-07 01:38 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-16 13:44 96,256 --a--c--- C:\WINDOWS\system32\dllcache\ac97intc.sys
2007-08-16 13:44 96,256 --a------ C:\WINDOWS\system32\drivers\ac97intc.sys
2007-08-16 13:35 509,353 --a--c--- C:\WINDOWS\system32\dllcache\ltmdmnt.sys
2007-08-16 13:35 509,353 --a------ C:\WINDOWS\system32\drivers\ltmdmnt.sys
2007-08-16 13:34 585,344 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-08-16 13:34 585,344 --a------ C:\WINDOWS\system32\i81xdnt5.dll
2007-08-16 13:34 138,240 --a--c--- C:\WINDOWS\system32\dllcache\i81xnt5.sys
2007-08-16 13:34 138,240 --a------ C:\WINDOWS\system32\drivers\i81xnt5.sys
2007-08-16 03:30 31,170 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2007-08-16 03:21 46,080 --a------ C:\WINDOWS\system32\tt.exe
2007-08-16 03:20 45,568 --a------ C:\WINDOWS\system32\cr.exe
2007-08-16 03:16 22,528 --a------ C:\WINDOWS\system32\Partizan.exe
2007-08-16 03:09 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2007-08-16 02:57 45,568 --a------ C:\WINDOWS\system32\kb.exe
2007-08-16 02:57 111,616 --a------ C:\WINDOWS\system32\xd.exe
2007-08-16 02:32 78,848 --a------ C:\WINDOWS\system32\xg.exe
2007-08-16 02:32 46,080 --a------ C:\WINDOWS\system32\qs.exe
2007-08-16 02:09 78,336 --a------ C:\WINDOWS\system32\uq.exe
2007-08-16 00:40 1,700,116 ---hs---- C:\WINDOWS\system32\ceggh.ini2
2007-08-15 23:35 90,176 --a------ C:\WINDOWS\system32\coulwlgv.exe
2007-08-15 17:44 188,480 --a------ C:\WINDOWS\system32\qdgqjvtx.exe
2007-08-15 03:11 122,944 --a------ C:\WINDOWS\system32\xomeaixu.exe
2007-08-15 01:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-08-15 01:19 89,664 --a------ C:\WINDOWS\system32\ughummbm.exe
2007-08-15 00:58 155,712 --a------ C:\WINDOWS\system32\jhwvplso.exe
2007-08-15 00:41 122,944 --a------ C:\WINDOWS\system32\sjshqbrk.exe
2007-08-15 00:32 90,176 --a------ C:\WINDOWS\system32\igdwbtln.exe
2007-08-13 11:00 90,176 --a------ C:\WINDOWS\system32\hyansied.exe
2007-08-13 10:48 122,944 --a------ C:\WINDOWS\system32\yvatnhsy.exe
2007-08-13 10:45 90,176 --a------ C:\WINDOWS\system32\xlbvvlcn.exe
2007-08-11 11:50 90,176 --a------ C:\WINDOWS\system32\iptjxqsp.exe
2007-08-11 11:50 1,687,655 ---hs---- C:\WINDOWS\system32\ceggh.bak2
2007-08-10 01:19 1,728,635 ---hs---- C:\WINDOWS\system32\ceggh.bak1
2007-08-04 04:18 0 --a------ C:\WINDOWS\system32\scricon.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 01:30 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-09-28 00:42 7168 --a------ C:\WINDOWS\system32\protect.dll
2007-09-28 00:41 9216 --a------ C:\WINDOWS\system32\yatool.dll
2007-09-28 00:41 8192 --a------ C:\WINDOWS\system32\iphelp.dll
2007-09-28 00:41 5120 --a------ C:\WINDOWS\system32\rsh.dll
2007-09-28 00:41 4096 --a------ C:\WINDOWS\system32\mscert.dll
2007-09-27 20:38 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-26 23:30 77312 --a------ C:\WINDOWS\ua2.dll
2007-09-25 21:33 --------- d-------- C:\Program Files\FlashGet
2007-09-20 18:10 --------- d-------- C:\Program Files\AIM
2007-09-20 18:03 --------- d-------- C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\Application Data\Aim
2007-09-20 17:08 --------- d-------- C:\Program Files\BitLord
2007-09-14 00:31 4608 --a------ C:\WINDOWS\system32\netd.dll
2007-09-14 00:30 9216 --a------ C:\WINDOWS\system32\rcpdu.dll
2007-09-14 00:30 8192 --a------ C:\WINDOWS\system32\dcphnet.dll
2007-09-14 00:30 7680 --a------ C:\WINDOWS\system32\gdid32.dll
2007-09-14 00:30 7680 --a------ C:\WINDOWS\system32\cbrowse.dll
2007-09-14 00:30 5120 --a------ C:\WINDOWS\system32\ftpsystem.dll
2007-09-14 00:30 4608 --a------ C:\WINDOWS\system32\psx.dll
2007-09-14 00:30 4608 --a------ C:\WINDOWS\system32\credigui.dll
2007-09-14 00:30 3072 --a------ C:\WINDOWS\system32\pxcrt.dll
2007-08-31 00:37 --------- d-------- C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\Application Data\AdobeUM
2007-08-16 01:42 --------- d-------- C:\Program Files\Comodo
2007-08-15 01:11 --------- d--h----- C:\Program Files\QuickTime
2007-08-15 00:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 10:31 --------- d-------- C:\Program Files\mIRC
2007-07-07 21:10 44676 --a------ C:\WINDOWS\system32\ut.exe
2007-07-07 20:00 46004 --a------ C:\WINDOWS\system32\sq.exe
2007-02-16 17:19 0 --a------ C:\Program Files\Common Files\Internat.sys
2000-06-16 05:26 271 ---hs---- C:\Program Files\desktop.ini
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54C7D1DD-4296-451e-B756-1E94F665B4FF}]
2007-09-28 00:41 9216 --a------ C:\WINDOWS\System32\yatool.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64B94229-7967-860A-A0C2-034C02BA876B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-06-18 22:32 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winqeo32]
winqeo32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Julio.HOME-TE6W3IOMYE^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Julio.HOME-TE6W3IOMYE\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2F7U3ml]
athwave.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\650f0e7c.exe]
C:\WINDOWS\System32\650f0e7c.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adprot]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]
C:\WINDOWS\ARUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aiyhbfq]
C:\WINDOWS\System32\pnmlt\aiyhbfq.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader2soo1aYlUYXM]
"C:\WINDOWS\System32\athwave.exe" /PC="CP.CDT3" /ShowLegalNote="nonbranded" /UninstallName="CtxPls"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
"C:\Program Files\AutoUpdate\AutoUpdate.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win22.tmp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
"C:\Program Files\Comodo\Firewall\CPF.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
rundll32.exe "C:\WINDOWS\qonmjg.dll",setvm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DM_Server]
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS]
C:\Program Files\Common Files\mc-58-12-0000140.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dodcbsnm]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dodcbsnm.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-Gold]
C:\WINDOWS\TEMP\VRR2.tmp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\mwinkmdt.exe CHD003
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\frwx]
C:\WINDOWS\System32\tycp\frwx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1125542246\ee\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPwxVsG]
C:\WINDOWS\xpqdc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"C:\Program Files\Internet Optimizer\optimize.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Joo8RgJnP]
vcdd3x40.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jwyehnl.dll]
C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\NetworkService\Local Settings\Application Data\jwyehnl.dll",zjpegeg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\links]
links.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsciy]
C:\WINDOWS\System32\qkxcykeh\lsciy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lwbidyfm]
rundll32.exe "C:\Program Files\lwbidyfm\borgfuvw.dll",Init
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Update]
"C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms-update]
scvhost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Messenger]
msnmrgrs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsUpdate]
C:\Program Files\MsUpdate\MsUpdate.exe /auto
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pjpru]
C:\WINDOWS\System32\pvaotsnh\pjpru.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]
C:\Program Files\ProfileWatcher\profilewatcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu21.exe 61A847B5BBF72810338B2B27128065E9C084320161C4661227A755E9C2933154389A
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\System32\piaasgyy.dll",sitypnow
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services32]
C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowBehind]
C:\WINDOWS\sbnet\ShowBehind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\System32\spoolsvv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\System32\kernels8.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRun]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{3E-EA-AD-D9-ZN}]
C:\WINDOWS\system32\dwdsrngt.exe CHD003
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"wuauserv"=2 (0x2)
"uysmhernxqkgee"=2 (0x2)
"TlntSvr"=3 (0x3)
"snmuxxvitojnt"=2 (0x2)
"RSVP"=3 (0x3)
"PREVXAgent"=2 (0x2)
"Microsoft update Service"=2 (0x2)
"DomainService"=2 (0x2)
"CmdAgent"=2 (0x2)
S3 Partizan;Partizan;C:\WINDOWS\System32\drivers\Partizan.sys
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 03:46:02
Windows 5.1.2600 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-30 3:48:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-30 03:48
.
--- E O F ---
romseeker123
New member
this is the hijackthis log:
HIJACKTHIS FILE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:01 AM, on 9/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\Jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\System32\yatool.dll
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125027239307
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F47BD564-1BA3-4E18-824C-F357D1A3EA75}: NameServer = 204.127.160.3 12.102.240.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: winqeo32 - winqeo32.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 4958 bytes
HIJACKTHIS FILE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:01 AM, on 9/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\Jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\System32\yatool.dll
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125027239307
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F47BD564-1BA3-4E18-824C-F357D1A3EA75}: NameServer = 204.127.160.3 12.102.240.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: winqeo32 - winqeo32.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 4958 bytes
steamwiz
Security Expert-Emeritus
HI
That is one of the most infected computers I have seen for a while ... probably a hundred malware files shown ...
I see you've stopped a lot of them running from msconfig ... good move, we'll clean those keys out when we delete the bad files ...
I want you to run some removal programs for me, which will hopefully get rid of a lot of the files ...
FIRST ....
Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".
7. Please post the contents of C:\vundofix.txt
If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...
Keep running vundofix untill it gives you the message "no infected files were found"
SECOND ...
Download Superantispyware.
http://www.superantispyware.com/
Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!
* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
http://www.superantispyware.com/definitions.html
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
THIRD ...
Download and install the 30 day trial of AVG Anti-Spyware from HERE :-
http://www.ewido.net/en/download/
1. Download it to your desktop
2. Doubleclick the AVG Anti-Spyware icon to start the AVG Anti-Spyware setup process...
3. update the definition files....
Click the Update icon then select the Update now link...
Select the Start Update button, the update will start and a progress bar will show the updates being installed.
4. select the Scanner icon at the top of the screen, then select the Settings tab
click on Recommended actions and then select Quarantine
5. Under Reports...
Select Automatically generate report after every scan
Un-Select Only if threats were found
6. Close AVG Anti-Spyware > Do not run the scan yet.
Boot your computer into Safemode
1. Go to Start> Shut Off your Computer> Restart
2. As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
3. Use the Up and Down Arrow Keys to scroll up to SAFEMODE
4. Then press the Enter on your Keyboard
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process
1. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
2. Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
3. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
4. Once the scan is complete do the following:
5. If you have any infections you will prompted, then select Apply all actions
6. Next select the Reports icon at the top.
7. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
8. make sure to remember where you saved that file, this is important
9. Close AVG Anti-Spyware
10. Copy & paste the AVG Anti-Spyware report in your next post
So I want to see :-
1. C:\vundofix.txt
2. SUPERAntiSpyware Scan Log
3. AVG Anti-Spyware report
steam
That is one of the most infected computers I have seen for a while ... probably a hundred malware files shown ...
I see you've stopped a lot of them running from msconfig ... good move, we'll clean those keys out when we delete the bad files ...
I want you to run some removal programs for me, which will hopefully get rid of a lot of the files ...
FIRST ....
Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".
7. Please post the contents of C:\vundofix.txt
If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...
Keep running vundofix untill it gives you the message "no infected files were found"
SECOND ...
Download Superantispyware.
http://www.superantispyware.com/
Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!
* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
http://www.superantispyware.com/definitions.html
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
THIRD ...
Download and install the 30 day trial of AVG Anti-Spyware from HERE :-
http://www.ewido.net/en/download/
1. Download it to your desktop
2. Doubleclick the AVG Anti-Spyware icon to start the AVG Anti-Spyware setup process...
3. update the definition files....
Click the Update icon then select the Update now link...
Select the Start Update button, the update will start and a progress bar will show the updates being installed.
4. select the Scanner icon at the top of the screen, then select the Settings tab
click on Recommended actions and then select Quarantine
5. Under Reports...
Select Automatically generate report after every scan
Un-Select Only if threats were found
6. Close AVG Anti-Spyware > Do not run the scan yet.
Boot your computer into Safemode
1. Go to Start> Shut Off your Computer> Restart
2. As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
3. Use the Up and Down Arrow Keys to scroll up to SAFEMODE
4. Then press the Enter on your Keyboard
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process
1. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
2. Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
3. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
4. Once the scan is complete do the following:
5. If you have any infections you will prompted, then select Apply all actions
6. Next select the Reports icon at the top.
7. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
8. make sure to remember where you saved that file, this is important
9. Close AVG Anti-Spyware
10. Copy & paste the AVG Anti-Spyware report in your next post
So I want to see :-
1. C:\vundofix.txt
2. SUPERAntiSpyware Scan Log
3. AVG Anti-Spyware report
steam
romseeker123
New member
I can't boot into safe mode anymore. Wut can I do? I did the superantivirus scan and the vundo but now I can't boot in safe mode
steamwiz
Security Expert-Emeritus
Hi
If by not being able to boot into safemode, you mean all you get is a black screen ... this is most likely being caused by the vundo trojan ... you have dozens of vundo files on your computer...
I have just been informed that you started another thread :-
http://forums.spybot.info/showthread.php?t=18483
Scotty highlights 2 things which I should have picked up on ...
You have NO service packs (without them hundreds of security vulnerabilities have gone unpatched)
& you have NO active anti-virus
Plus your java is out of date, & vulnerabilities in old versions of java is the most common way that the vundo trojan gets on to your computer...
As I have all ready said, you have a very badly compromised computer ... I see NO point in trying to clean it up unless you...
1. Install service pack 1a (don't install SP2 until your computer is clean)
2. Install & run an anti-virus
3. install an up to date java
Links for the first 2 you can find in your other thread, posted by Scotty ...
for java ...
Go to add/remove programs and uninstall any earlier versions ...(j2re1.4.2_05 + any others)
Then You can go here and install the latest version of Java.
http://java.sun.com/javase/downloads/index.jsp
Scroll down the page to 'Java Runtime Environment (JRE) 6' and press the 'Download' button.
-
Once you have done the above, we can continue, I still want to see :-
1. C:\vundofix.txt
2. SUPERAntiSpyware Scan Log
3. AVG Anti-Spyware report
+ a new hijackthis log
steam
If by not being able to boot into safemode, you mean all you get is a black screen ... this is most likely being caused by the vundo trojan ... you have dozens of vundo files on your computer...
I have just been informed that you started another thread :-
http://forums.spybot.info/showthread.php?t=18483
Scotty highlights 2 things which I should have picked up on ...
You have NO service packs (without them hundreds of security vulnerabilities have gone unpatched)
& you have NO active anti-virus
Plus your java is out of date, & vulnerabilities in old versions of java is the most common way that the vundo trojan gets on to your computer...
As I have all ready said, you have a very badly compromised computer ... I see NO point in trying to clean it up unless you...
1. Install service pack 1a (don't install SP2 until your computer is clean)
2. Install & run an anti-virus
3. install an up to date java
Links for the first 2 you can find in your other thread, posted by Scotty ...
for java ...
Go to add/remove programs and uninstall any earlier versions ...(j2re1.4.2_05 + any others)
Then You can go here and install the latest version of Java.
http://java.sun.com/javase/downloads/index.jsp
Scroll down the page to 'Java Runtime Environment (JRE) 6' and press the 'Download' button.
-
Once you have done the above, we can continue, I still want to see :-
1. C:\vundofix.txt
2. SUPERAntiSpyware Scan Log
3. AVG Anti-Spyware report
+ a new hijackthis log
steam
romseeker123
New member
I cant download sp1a. the link scotty gave me doesnt take me to the download so i cearched it on their website and found it and downloaded it. but it says my product key is invalid and it quits the installaiton. what can i do?