popups in ie and have tried everything :(

railman

New member
Hi, I'm new here, and am infected with something that I think has something to do with Deluxe Communications. I've uninstalled it but the popups remain. Here's a log, please help. Thanks, rail

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:11:06 AM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\warren\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0765EA83-9EC8-4BA2-A7F5-D6A0E251B2F5} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {3B1AC5EE-E04B-43DB-A5AD-F88BF11BA440} - C:\Program Files\MSN\meqosadi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\yaywwuv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\npbfdoxx.dll",setvm
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll
O20 - Winlogon Notify: yaywwuv - C:\WINDOWS\SYSTEM32\yaywwuv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9992 bytes
 
Just to name a few, I've tried AVG 7.5, AVG Anti-Spyware, Spy Sweeper, SmitfraudFix. I use Pop-Up Stopper Companion. Nothing seems to help. The popups come when I'm in Explorer or Firefox. Getting to my wits' end. Thanks
 
Hi, welcome to Safer Networking forums!

Please download VundoFix.exe to your Desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
 
Thanks very much for your help! Here is the Vundo log.

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:04:10 AM 4/5/2007

Listing files found while scanning....

C:\WINDOWS\system32\byxvspn.dll
C:\WINDOWS\system32\byxvtut.dll
C:\WINDOWS\system32\byxyxyw.dll
C:\WINDOWS\system32\byxyywt.dll
C:\WINDOWS\system32\cbxvwtr.dll
C:\WINDOWS\system32\cbxwxxu.dll
C:\WINDOWS\system32\ddcdddd.dll
C:\WINDOWS\system32\fcccddb.dll
C:\WINDOWS\system32\gebcbaa.dll
C:\WINDOWS\system32\gebyxuu.dll
C:\WINDOWS\system32\hggefdb.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\khfeecy.dll
C:\WINDOWS\system32\khfggfc.dll
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\mljgfee.dll
C:\WINDOWS\system32\nnnnoop.dll
C:\WINDOWS\system32\npbfdoxx.dll
C:\WINDOWS\system32\qomllmm.dll
C:\WINDOWS\system32\qomnkji.dll
C:\WINDOWS\system32\rqrssrs.dll
C:\WINDOWS\system32\tuvspop.dll
C:\WINDOWS\system32\tuvwusq.dll
C:\WINDOWS\system32\urqronk.dll
C:\WINDOWS\system32\vtututq.dll
C:\WINDOWS\system32\vtuuuuu.dll
C:\WINDOWS\system32\wvuvtro.dll
C:\WINDOWS\system32\xxodfbpn.ini
C:\WINDOWS\system32\xxyawuv.dll
C:\WINDOWS\system32\yaywwuv.dll
C:\WINDOWS\system32\yayyvsq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxvspn.dll
C:\WINDOWS\system32\byxvspn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxvtut.dll
C:\WINDOWS\system32\byxvtut.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxyxyw.dll
C:\WINDOWS\system32\byxyxyw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxyywt.dll
C:\WINDOWS\system32\byxyywt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxvwtr.dll
C:\WINDOWS\system32\cbxvwtr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxwxxu.dll
C:\WINDOWS\system32\cbxwxxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcdddd.dll
C:\WINDOWS\system32\ddcdddd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fcccddb.dll
C:\WINDOWS\system32\fcccddb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcbaa.dll
C:\WINDOWS\system32\gebcbaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebyxuu.dll
C:\WINDOWS\system32\gebyxuu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggefdb.dll
C:\WINDOWS\system32\hggefdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\jkkll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfeecy.dll
C:\WINDOWS\system32\khfeecy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfggfc.dll
C:\WINDOWS\system32\khfggfc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljgfee.dll
C:\WINDOWS\system32\mljgfee.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnnoop.dll
C:\WINDOWS\system32\nnnnoop.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\npbfdoxx.dll
C:\WINDOWS\system32\npbfdoxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomllmm.dll
C:\WINDOWS\system32\qomllmm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomnkji.dll
C:\WINDOWS\system32\qomnkji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrssrs.dll
C:\WINDOWS\system32\rqrssrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvspop.dll
C:\WINDOWS\system32\tuvspop.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvwusq.dll
C:\WINDOWS\system32\tuvwusq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqronk.dll
C:\WINDOWS\system32\urqronk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtututq.dll
C:\WINDOWS\system32\vtututq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuuuuu.dll
C:\WINDOWS\system32\vtuuuuu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuvtro.dll
C:\WINDOWS\system32\wvuvtro.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxodfbpn.ini
C:\WINDOWS\system32\xxodfbpn.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyawuv.dll
C:\WINDOWS\system32\xxyawuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yaywwuv.dll
C:\WINDOWS\system32\yaywwuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayyvsq.dll
C:\WINDOWS\system32\yayyvsq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19
 
And now the HijackThis log. (I've renamed HijackThis to hjt.exe.)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:05:24 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\Program Files\Tweak-XP Pro 4\Tweak-XP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\warren\Desktop\icons\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {48E0245E-6ACF-47B6-8C78-BA8BBE269D45} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeBHInstall.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9938 bytes
 
Hi,

Did you install a program called Winpcap?

*Update AVG Anti-Spyware
  • From the main AVG Anti-Spyware screen, click on Update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit AVG Anti-Spyware. DO NOT scan yet.

*Download ATF Cleaner by Atribune

Do not use it yet.
_________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {48E0245E-6ACF-47B6-8C78-BA8BBE269D45} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files...eBHInstall.cab


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_________________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode:

Click Start > Turn Off Computer > Restart > tap the F8 key just before Windows starts to load > this will bring up a menu > use your keyboard to scroll to Safe Mode > hit Enter.


*Important: Make sure all your browsers are closed before running ATF Cleaner.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

*Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning; it may interfere with the scanning process.
  • Launch AVG AntiSpyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
  • Close AVG AntiSpyware.
  • Reboot to normal mode.

*Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Click Start > Control Panel
  • Click Add/Remove Programs
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u1, and install it to your computer.

On your next reply, please include a fresh HijackThis log, AVG Antispyware log and a description of how your machine is running.
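The entries the helper singles out above (an unnamed BHO loaded from system32, an O16 ActiveX download from a rogue-software host) and the Vundo pattern visible in the first log (the same random-named DLL registered as both an O2 BHO and an O20 Winlogon Notify handler, plus a rundll32 autorun loading a system32 DLL) can be picked out of a HijackThis log mechanically. The Python below is an added example, not a tool from this thread or from HijackThis itself; the sample lines are copied from the logs posted above, while the trusted-host list and the random-name heuristic are this example's own assumptions.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not code from this thread or from HijackThis. The sample
lines are taken from the logs posted in the thread; the trusted-host list
and the random-name test are assumptions made for this example only.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a handful of lines from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0765EA83-9EC8-4BA2-A7F5-D6A0E251B2F5} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: (no name) - {48E0245E-6ACF-47B6-8C78-BA8BBE269D45} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\npbfdoxx.dll",setvm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<key>.*\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
DLL_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^",]*?\.dll)"?', re.IGNORECASE)

# Assumed allowlist: ActiveX download hosts a helper would not question.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "trendmicro.com", "trendmicro-europe.com")


def norm(path):
    """Lower-case a path and drop HJT's trailing '(file missing)' annotation."""
    return path.strip().lower().split(" (file missing)")[0]


def in_system32(path):
    return "\\system32\\" in norm(path)


def trusted_host(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def looks_random(filename):
    """Heuristic for Vundo-style names (jkkll, pmnnl, npbfdoxx): a short,
    all-lowercase alphabetic stem containing a run of 3+ non-vowels.
    This is an assumption of this example, not an HJT rule."""
    stem = filename.rsplit(".", 1)[0]
    if not (5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    return re.search(r"[^aeiou]{3}", stem) is not None


def triage(log_text):
    """Return (section, reason, detail) findings for the suspicious entries."""
    findings = []
    bho_paths, notify_paths = set(), set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2" and (b := BHO_RE.match(body)):
            path = norm(b.group("path"))
            bho_paths.add(path)
            # Legitimate BHOs normally carry a name and live under Program Files.
            if b.group("name") == "(no name)" and in_system32(path):
                findings.append((sec, "unnamed BHO loaded from system32", path))
        elif sec == "O20" and (n := NOTIFY_RE.match(body)):
            path = norm(n.group("path"))
            notify_paths.add(path)
            if in_system32(path) and looks_random(path.rsplit("\\", 1)[-1]):
                findings.append((sec, "Winlogon Notify handler with random-looking name", path))
        elif sec == "O4" and (r := RUN_RE.match(body)):
            cmd = r.group("cmd")
            # rundll32 "<system32 dll>",<export> is how the log's SoundService entry loads.
            if cmd.lower().startswith("rundll32") and (d := DLL_RE.search(cmd)) and in_system32(d.group("path")):
                findings.append((sec, "rundll32 autorun loading a system32 DLL", norm(d.group("path"))))
        elif sec == "O16" and (p := DPF_RE.match(body)):
            host = (urlsplit(p.group("url")).hostname or "").lower()
            if not trusted_host(host):
                findings.append((sec, "ActiveX download from non-allowlisted host", host))
    # Cross-reference: one DLL hooked both as BHO and as Winlogon Notify handler.
    for path in sorted(bho_paths & notify_paths):
        findings.append(("O2+O20", "same DLL registered as BHO and Winlogon Notify handler", path))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(SAMPLE_LOG):
        print(f"{sec:7} {reason}: {detail}")
```

Unmatched sections (O23 services, O8 menu items) are deliberately left alone; the point is to surface the handful of lines a helper would ask to have fixed, not to judge every entry.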
 
Hi, thanks again for your help. I have completed the above steps, and I don't remember downloading that program. AVG Anti-Spyware keeps finding yayawuv.dll and can't do anything with it; I finally have to ignore it. Here are the logs.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:59:50 AM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Tweak-XP Pro 4\Tweak-XP.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\warren\Desktop\icons\hjt.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: (no name) - {02AB5694-F3B7-4543-B6EA-58EF966A4C2B} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\vamkblcy.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll
O20 - Winlogon Notify: yayawuv - yayawuv.dll (file missing)
O20 - Winlogon Notify: yayyxyv - C:\WINDOWS\SYSTEM32\yayyxyv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10194 bytes

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:33:51 AM 4/9/2007

+ Scan result:



C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP58\A0046043.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046127.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046128.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046131.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP62\A0046280.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047464.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bund1\ClientBundle1.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\a1.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046114.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046115.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046116.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046118.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\a4.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP58\A0046060.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP58\A0046062.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP59\A0046076.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP59\A0046077.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP59\A0046092.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046098.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046099.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046104.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046108.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046125.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046130.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047537.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\WINDOWS\VTTC.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP60\A0046106.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047417.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047418.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047420.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047422.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047425.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047426.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047429.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047430.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047431.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047432.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047435.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047439.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047440.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047441.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047443.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP65\A0047622.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxvspn.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxvtut.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxyywt.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\cbxwxxu.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebcbaa.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebyxuu.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\khfeecy.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\khfggfc.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\mljgfee.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\nnnnoop.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\pmnlklk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\qomnkji.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\urqronk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\vtututq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\vtuuuuu.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\xxyawuv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP62\A0046252.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\a3.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\win5.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_7777_BHLP0611NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP46\A0034835.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).


::Report end
 
You got reinfected by Vundo.

*Please run vundofix again.

*Click Start > Control Panel > Add or Remove Programs and uninstall the item in bold if found.

WinPcap

*Reboot and delete the following folders:

C:\Program Files\WinPcap
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\micro1

Empty your recycle bin.

Please post the vundofix log and a new HijackThis log.
 
no popups so far!

C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\hgggghe.dll
C:\WINDOWS\system32\vamkblcy.dll
C:\WINDOWS\system32\yayyxyv.dll
C:\WINDOWS\system32\yclbkmav.ini
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\gebyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgggghe.dll
C:\WINDOWS\system32\hgggghe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vamkblcy.dll
C:\WINDOWS\system32\vamkblcy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayyxyv.dll
C:\WINDOWS\system32\yayyxyv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yclbkmav.ini
C:\WINDOWS\system32\yclbkmav.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yayyxyv.dll
C:\WINDOWS\system32\yayyxyv.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:03:31 PM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\Program Files\Tweak-XP Pro 4\Tweak-XP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\warren\Desktop\icons\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9422 bytes
 
Hmm.. Something is messing with us there :scratch:

Don't worry let's check some more :ninja:

Download combofix.exe

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
 
"warren" - 07-04-09 12:20:22 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\warren\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\warren\Desktop\internet.lnk
C:\WINDOWS\system32\vbuzip10.dll


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm
-------\LEGACY_NM


((((((((((((((((((((((((((((((( Files Created from 2007-03-09 to 2007-04-09 ))))))))))))))))))))))))))))))))))


2007-04-05 13:41 <DIR> d-------- C:\!KillBox
2007-04-05 10:24 <DIR> d-------- C:\SmitfraudFix
2007-04-05 08:36 3,064 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-05 08:34 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-05 08:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-05 08:34 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-05 08:34 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-05 08:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-05 08:34 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-03 14:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-03 11:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-04-03 11:38 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-04-03 11:38 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-04-03 11:38 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-04-03 11:38 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-04-03 11:36 <DIR> d-------- C:\DOCUME~1\warren\APPLIC~1\Webroot
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IKAutoUp.exe
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IkAutoUp.dat
2007-04-02 21:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-02 19:47 <DIR> d-------- C:\Program Files\STOPzilla!
2007-04-02 19:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-04-02 19:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZILLAbar
2007-04-02 19:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-04-02 15:45 <DIR> d-------- C:\WINDOWS\pss
2007-04-02 12:11 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-02 12:11 <DIR> d-------- C:\Temp\tn3
2007-03-18 19:54 <DIR> d-------- C:\Program Files\iTunes
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-14 17:06 <DIR> d-------- C:\My Games
2007-03-14 17:05 <DIR> d-------- C:\My Download Files
2007-03-14 17:04 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-03-14 17:04 <DIR> d-------- C:\Program Files\Real
2007-03-11 16:32 <DIR> d-------- C:\DOCUME~1\alex\APPLIC~1\DivX


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-09 11:57 -------- d-------- C:\Program Files\tweak-xp pro 4
2007-04-09 11:51 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\skype
2007-04-09 10:55 -------- d-------- C:\Program Files\java
2007-04-05 13:16 2951 --a------ C:\WINDOWS\mozver.dat
2007-04-05 11:28 -------- d-------- C:\Program Files\super internet tv
2007-04-03 12:30 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\verbatim software
2007-04-03 11:38 -------- d-------- C:\Program Files\webroot
2007-04-02 16:22 -------- d-------- C:\Program Files\google
2007-03-28 19:09 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso_hwe
2007-03-18 20:55 -------- d-------- C:\Program Files\dvdfab platinum 3
2007-03-18 20:55 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso
2007-03-18 19:54 -------- d-------- C:\Program Files\ipod
2007-03-18 19:52 -------- d-------- C:\Program Files\quicktime
2007-03-14 17:04 -------- d-------- C:\Program Files\Common Files\real
2007-03-08 09:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 09:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 09:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 07:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 09:32 -------- d-------- C:\Program Files\divx
2007-03-05 19:16 -------- d-------- C:\Program Files\yahoo! games
2007-03-05 18:21 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\juniper networks
2007-03-01 08:53 142 --a------ C:\Program Files\Common Files\rtele.html
2007-02-22 22:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-22 22:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-22 22:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 22:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-22 22:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-22 22:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-22 22:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-22 22:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-22 22:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-22 22:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-22 22:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-22 22:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-15 19:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-11 18:22 -------- d-------- C:\Program Files\openvideoconverter
2007-02-11 17:53 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-29 23:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-29 23:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-29 23:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-22 19:24 23392 --a--c--- C:\WINDOWS\system32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Tweak-XP Pro"="\"C:\\Program Files\\Tweak-XP Pro 4\\autostart.exe\""
"Pop-Up-Blocker"="\"C:\\Program Files\\Tweak-XP Pro 4\\popup.exe\""
"BlockAds"="\"C:\\Program Files\\Tweak-XP Pro 4\\AdBlocker.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"RegistryMechanic"=""
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"WatchDog"="\"C:\\Program Files\\mobile PhoneTools\\WatchDog.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{D2A0728D-AB2F-4B91-9EEF-590C70EA075D}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-09 12:25:09
C:\ComboFix-quarantined-files.txt ... 07-04-09 12:25
 
When I restart my computer, AVG finds malware, often a different file, usually one every time, e.g. yayawuv.dll, ddcawx.dll (windows/system32).
 
Hi,

Please download the Suspicious File Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\system32\drivers\core.sys

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next, please visit TheSpyKillers forum HERE

Read the first topic for instructions on uploading files, then start a new Topic, name the topic "core.sys sample", then post a link to this thread and upload the requested files.cab archive from your desktop.

*Do you recognize the following file? If not, locate the file and right click on it, select properties, and look for the vendor name, or anything that would indicate the program with which it may be associated. If you still do not recognize it, nor does it appear to be associated with a known valid program, delete it...

C:\Program Files\Common Files\rtele.html

*Delete the following folder:

C:\Temp\tn3

Empty your recycle bin.


  • Open HijackThis > Click Misc Tools Section
  • Click "Delete a File on Reboot."
  • Copy and paste this into the file name box: C:\WINDOWS\system32\drivers\core.sys
  • Hijackthis will ask you if you want to reboot, click yes.

Please post a fresh HijackThis log.
 
Good morning and thanks. Last night I used this program and things were working quite well. After following the latest instructions, my computer is so slow I can hardly post this. Here is the log from both programs.
[04/09/2007, 21:55:07] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\warren\Desktop\VirtumundoBeGone.exe" )
[04/09/2007, 21:55:13] - Detected System Information:
[04/09/2007, 21:55:13] - Windows Version: 5.1.2600, Service Pack 2
[04/09/2007, 21:55:13] - Current Username: warren (Admin)
[04/09/2007, 21:55:13] - Windows is in NORMAL mode.
[04/09/2007, 21:55:13] - Searching for Browser Helper Objects:
[04/09/2007, 21:55:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:55:13] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:55:13] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:55:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:55:13] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:55:13] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:55:13] - BHO 4: {6ED6EB56-AD46-488C-B515-2A8EA53BB42D} ()
[04/09/2007, 21:55:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:55:13] - Checking for HKLM\...\Winlogon\Notify\ddcyy
[04/09/2007, 21:55:13] - Found: HKLM\...\Winlogon\Notify\ddcyy - This is probably Virtumundo.
[04/09/2007, 21:55:13] - Assigning {6ED6EB56-AD46-488C-B515-2A8EA53BB42D} MSEvents Object
[04/09/2007, 21:55:13] - BHO list has been changed! Starting over...
[04/09/2007, 21:55:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:55:13] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:55:13] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:55:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:55:13] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:55:13] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:55:13] - BHO 4: {6ED6EB56-AD46-488C-B515-2A8EA53BB42D} (MSEvents Object)
[04/09/2007, 21:55:13] - ALERT: Found MSEvents Object!
[04/09/2007, 21:55:13] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:55:13] - Finished Searching Browser Helper Objects
[04/09/2007, 21:55:13] - *** Detected MSEvents Object
[04/09/2007, 21:55:13] - Trying to remove MSEvents Object...
[04/09/2007, 21:55:14] - Terminating Process: IEXPLORE.EXE
[04/09/2007, 21:55:15] - Terminating Process: RUNDLL32.EXE
[04/09/2007, 21:55:15] - Disabling Automatic Shell Restart
[04/09/2007, 21:55:15] - Terminating Process: EXPLORER.EXE
[04/09/2007, 21:55:16] - Suspending the NT Session Manager System Service
[04/09/2007, 21:55:16] - Terminating Windows NT Logon/Logoff Manager
[04/09/2007, 21:55:16] - Re-enabling Automatic Shell Restart
[04/09/2007, 21:55:16] - File to disable: C:\WINDOWS\system32\ddcyy.dll
[04/09/2007, 21:55:16] - Renaming C:\WINDOWS\system32\ddcyy.dll -> C:\WINDOWS\system32\ddcyy.dll.vir
[04/09/2007, 21:55:17] - File successfully renamed!
[04/09/2007, 21:55:17] - Removing HKLM\...\Browser Helper Objects\{6ED6EB56-AD46-488C-B515-2A8EA53BB42D}
[04/09/2007, 21:55:17] - Removing HKCR\CLSID\{6ED6EB56-AD46-488C-B515-2A8EA53BB42D}
[04/09/2007, 21:55:17] - Adding Kill Bit for ActiveX for GUID: {6ED6EB56-AD46-488C-B515-2A8EA53BB42D}
[04/09/2007, 21:55:17] - Deleting ATLEvents/MSEvents Registry entries
[04/09/2007, 21:55:17] - Removing HKLM\...\Winlogon\Notify\ddcyy
[04/09/2007, 21:55:17] - Searching for Browser Helper Objects:
[04/09/2007, 21:55:17] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:55:17] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:55:17] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:55:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:55:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:55:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:55:17] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:55:17] - Finished Searching Browser Helper Objects
[04/09/2007, 21:55:17] - Finishing up...
[04/09/2007, 21:55:17] - A restart is needed.
[04/09/2007, 21:55:28] - Attempting to Restart via STOP error (Blue Screen!)

[04/09/2007, 21:57:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\warren\Desktop\VirtumundoBeGone.exe" )
[04/09/2007, 21:57:36] - Detected System Information:
[04/09/2007, 21:57:36] - Windows Version: 5.1.2600, Service Pack 2
[04/09/2007, 21:57:36] - Current Username: warren (Admin)
[04/09/2007, 21:57:36] - Windows is in SAFE mode with Networking.
[04/09/2007, 21:57:36] - Searching for Browser Helper Objects:
[04/09/2007, 21:57:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:57:36] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:57:36] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:57:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:57:36] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:57:36] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:57:36] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:57:36] - BHO 5: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} ()
[04/09/2007, 21:57:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:57:36] - Checking for HKLM\...\Winlogon\Notify\byxxwxw
[04/09/2007, 21:57:36] - Found: HKLM\...\Winlogon\Notify\byxxwxw - This is probably Virtumundo.
[04/09/2007, 21:57:36] - Assigning {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} MSEvents Object
[04/09/2007, 21:57:36] - BHO list has been changed! Starting over...
[04/09/2007, 21:57:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:57:37] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:57:37] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:57:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:57:37] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:57:37] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:57:37] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:57:37] - BHO 5: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} (MSEvents Object)
[04/09/2007, 21:57:37] - ALERT: Found MSEvents Object!
[04/09/2007, 21:57:37] - Finished Searching Browser Helper Objects
[04/09/2007, 21:57:37] - *** Detected MSEvents Object
[04/09/2007, 21:57:37] - Trying to remove MSEvents Object...
[04/09/2007, 21:57:38] - Terminating Process: IEXPLORE.EXE
[04/09/2007, 21:57:39] - Terminating Process: RUNDLL32.EXE
[04/09/2007, 21:57:39] - Disabling Automatic Shell Restart
[04/09/2007, 21:57:39] - Terminating Process: EXPLORER.EXE
[04/09/2007, 21:57:39] - Suspending the NT Session Manager System Service
[04/09/2007, 21:57:39] - Terminating Windows NT Logon/Logoff Manager
[04/09/2007, 21:57:39] - Re-enabling Automatic Shell Restart
[04/09/2007, 21:57:39] - File to disable: C:\WINDOWS\system32\byxxwxw.dll
[04/09/2007, 21:57:39] - Renaming C:\WINDOWS\system32\byxxwxw.dll -> C:\WINDOWS\system32\byxxwxw.dll.vir
[04/09/2007, 21:57:39] - File successfully renamed!
[04/09/2007, 21:57:39] - Removing HKLM\...\Browser Helper Objects\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}
[04/09/2007, 21:57:39] - Removing HKCR\CLSID\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}
[04/09/2007, 21:57:39] - Adding Kill Bit for ActiveX for GUID: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69}
[04/09/2007, 21:57:39] - Deleting ATLEvents/MSEvents Registry entries
[04/09/2007, 21:57:39] - Removing HKLM\...\Winlogon\Notify\byxxwxw
[04/09/2007, 21:57:39] - Searching for Browser Helper Objects:
[04/09/2007, 21:57:39] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2007, 21:57:39] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[04/09/2007, 21:57:39] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 21:57:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 21:57:39] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/09/2007, 21:57:39] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/09/2007, 21:57:39] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 21:57:39] - Finished Searching Browser Helper Objects
[04/09/2007, 21:57:39] - Finishing up...
[04/09/2007, 21:57:39] - A restart is needed.
[04/09/2007, 21:57:43] - Attempting to Restart via STOP error (Blue Screen!)
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:39:53 AM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\WINDOWS\system32\micro1\b9.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijack this\hjt.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\TEMP\New21.tmp\upgrade.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {94C566BD-A7C8-425A-B98B-A2E9ACB2C8BE} - C:\Program Files\MSN\meqosadi.dll
O2 - BHO: 0 - {B6B32DB0-24C7-4473-50A1-241AEEC9EB9E} - C:\Program Files\Common Files\quca.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: yayaaya - C:\WINDOWS\SYSTEM32\yayaaya.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10367 bytes
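The VirtumundoBeGone log above makes its decision with one heuristic: a BHO that registers no name, whose DLL is also listed under Winlogon\Notify, is treated as Virtumundo. The script below is an added example for this thread (not a feature of HijackThis or VirtumundoBeGone, and not code from anyone posting here) that applies the same idea, plus three further checks, to HijackThis O2/O4/O20 lines. The sample lines are copied from the HijackThis log above, with two lines for ddcyy.dll constructed to mirror what VirtumundoBeGone found; the allow-list of Windows XP Winlogon Notify packages and the random-name test are assumptions of the example.

```python
"""Triage heuristics for HijackThis O2/O4/O20 lines.

Added example; not a HijackThis or VirtumundoBeGone feature. KNOWN_NOTIFY
and looks_random() are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Winlogon Notify packages that ship with Windows XP (approximate, an
# assumption of this example); anything not in this set deserves a look.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
VOWELS = set("aeiou")


@dataclass
class Finding:
    severity: str  # "high" or "review"
    line: str
    reason: str


def dll_stem(path: str) -> str:
    """'C:\\dir\\name.dll (file missing)' -> 'name'."""
    base = path.split(" (file missing)")[0].rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude test (assumption) for generated names such as byxxwxw or yayaaya:
    4-8 lowercase letters that are vowel-free or dominated by one letter."""
    if not (4 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    if not VOWELS & set(stem):
        return True
    return max(stem.count(c) for c in set(stem)) * 2 >= len(stem)


def triage(lines):
    """Return a Finding for each suspicious entry, in log order."""
    lines = list(lines)
    findings = []
    # The VirtumundoBeGone signal: a BHO DLL that is also a Winlogon Notify package.
    notify_names = {m["name"].lower() for m in map(O20_NOTIFY.match, lines) if m}
    for line in lines:
        if m := O2_BHO.match(line):
            stem = dll_stem(m["path"])
            unnamed = m["name"] in ("", "(no name)") or m["name"].isdigit()
            if stem.lower() in notify_names:
                findings.append(Finding("high", line, "BHO DLL is also a Winlogon Notify package (Virtumundo pattern)"))
            elif looks_random(stem):
                findings.append(Finding("high", line, "BHO DLL has a random-looking name"))
            elif unnamed:
                findings.append(Finding("review", line, "BHO registered without a name; confirm the vendor"))
        elif m := O20_NOTIFY.match(line):
            if m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding("high", line, "Winlogon Notify package not shipped with Windows XP"))
        elif O20_APPINIT.match(line):
            findings.append(Finding("high", line, "AppInit_DLLs loads a DLL into every user-mode process"))
        elif m := O4_RUN.match(line):
            cmd = m["cmd"].lower()
            if "\\temp\\" in cmd or re.search(r"\\system32\\[^\\]+\\", cmd):
                findings.append(Finding("review", line, "autorun from a temp folder or a system32 subfolder"))
    return findings


# Sample input: lines copied from the HijackThis log in this thread, plus two
# constructed lines for ddcyy.dll modelled on the VirtumundoBeGone log.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O2 - BHO: (no name) - {94C566BD-A7C8-425A-B98B-A2E9ACB2C8BE} - C:\Program Files\MSN\meqosadi.dll",
    r"O2 - BHO: 0 - {B6B32DB0-24C7-4473-50A1-241AEEC9EB9E} - C:\Program Files\Common Files\quca.dll",
    r"O2 - BHO: (no name) - {6ED6EB56-AD46-488C-B515-2A8EA53BB42D} - C:\WINDOWS\system32\ddcyy.dll",  # constructed
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r"O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe",
    r"O20 - AppInit_DLLs: dxclib303562752.dll",
    r"O20 - Winlogon Notify: yayaaya - C:\WINDOWS\SYSTEM32\yayaaya.dll",
    r"O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll",  # constructed
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample above the script raises four "high" findings (the ddcyy BHO, both Winlogon Notify entries and the AppInit_DLLs value) and four "review" findings (the three unnamed BHOs and the autorun from a system32 subfolder). The Spybot SDHelper entry is a known false positive of the "unnamed BHO" rule, which is why that rule only asks for a vendor check rather than calling the entry malicious.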
 
Latest AVG scan and HijackThis logs

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:05:27 AM 4/10/2007

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Program Files\hijack this\backups\backup-20070410-074709-409.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053561.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053562.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053563.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053546.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053565.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053566.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053579.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053547.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053577.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053576.exe -> Hijacker.Small.jf : Cleaned with backup (quarantined).


::Report end
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:07:58 AM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9A932671-F0DD-436E-A521-4AA2D5506CBF} - C:\Program Files\MSN\meqosadi.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9025 bytes
 
You got reinfected so fast. I suggest you stay offline with that computer as long as possible and go online only when you are waiting for my instructions.

Is your AVG Antivirus up to date?


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {9A932671-F0DD-436E-A521-4AA2D5506CBF} - C:\Program Files\MSN\meqosadi.dll


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


  • Open HijackThis > Click Misc Tools Section
  • Click "Delete a File on Reboot."
  • Copy and paste this into the file name box: C:\Program Files\MSN\meqosadi.dll
  • HijackThis will ask you if you want to reboot, click yes.

*Download Gmer
  • Disconnect from internet and close running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
  • If no warning....
  • Click "Rootkit" tab and click "Scan"
  • Once done, click "Copy"
  • Open Notepad and hit "ctrl+v" to paste the log.
  • Reconnect to the internet and post the log back to this thread please.

*Please run ComboFix once more.

On your next reply, please include a fresh HijackThis log, ComboFix log and the GMER log.
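The two entries checked above were picked out by hand: an unnamed BHO loading a DLL with a random-looking name, next to another unnamed BHO (Spybot's SDHelper.dll) that is perfectly legitimate. As an added example, not part of this thread and not code from HijackThis or its author, here is a small Python triage script that applies that same reasoning to HijackThis-style lines: it flags O2 BHO entries that are unnamed and not on an allowlist of known CLSIDs, flags short all-lowercase DLL names, and reports any R1 ProxyOverride value that lists hosts other than `<local>` for review. The allowlist, the name heuristic and the sample lines are assumptions; the sample is constructed from the logs in this thread, and the `mllmj.dll` line with its all-zero CLSID is made up for illustration.

```python
"""Heuristic triage of HijackThis O2/R1 lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on this thread's logs; the mllmj.dll line and its
# placeholder CLSID are invented so the script has a second suspicious entry to show.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9A932671-F0DD-436E-A521-4AA2D5506CBF} - C:\Program Files\MSN\meqosadi.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\mllmj.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
"""

# Assumption: unnamed BHOs that are known to be benign. HijackThis prints "(no name)"
# for Spybot's SDHelper.dll too, so "unnamed" alone must never be treated as malicious.
KNOWN_GOOD_BHO_CLSIDS = {
    "53707962-6F74-2D53-2644-206D7942484F",  # Spybot - Search & Destroy SDHelper.dll
}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyOverride = (?P<value>.+)$")
# Heuristic: 5-8 lowercase letters, no digits or vendor-style capitalisation (e.g. meqosadi.dll).
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "review"
    line: str
    reason: str


def triage_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious O2 or R1 line; other line types are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            name, clsid, path = m.group("name"), m.group("clsid").upper(), m.group("path")
            filename = path.rsplit("\\", 1)[-1]
            reasons = []
            if name == "(no name)" and clsid not in KNOWN_GOOD_BHO_CLSIDS:
                reasons.append("unnamed BHO with unknown CLSID")
            if RANDOM_STEM_RE.match(filename):
                reasons.append("random-looking DLL name")
            if reasons:
                severity = "high" if len(reasons) > 1 else "medium"
                findings.append(Finding(severity, line, "; ".join(reasons)))
            continue
        m = PROXY_RE.match(line)
        if m:
            # ProxyOverride normally holds only "<local>"; anything else bypasses the proxy
            # for the listed hosts and is worth a look even if it turns out to be benign.
            hosts = [h for h in m.group("value").split(";") if h and h != "<local>"]
            if hosts:
                findings.append(Finding("review", line,
                                        "ProxyOverride lists external hosts: " + ", ".join(hosts)))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The output is a shortlist, not a verdict: a hit only means the entry deserves the kind of manual look the instructions above give it, and the allowlist is what keeps SDHelper.dll out of that list.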
 
Sorry, had to go to work, angelfire.

Here are the logs.

"warren" - 07-04-11 15:54:36 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\warren\Desktop\icons"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\bkd.exe
C:\WINDOWS\system32\bund1


((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))


2007-04-11 11:57 <DIR> d-------- C:\WINDOWS\LastGood
2007-04-10 11:08 <DIR> d-------- C:\Temp\tn3
2007-04-10 07:51 776,959 ---hs---- C:\WINDOWS\system32\ppqss.bak1
2007-04-10 07:50 280,676 --ahs---- C:\WINDOWS\system32\ssqpp.dll.vir
2007-04-10 07:36 105,434 --a------ C:\WINDOWS\VTTC.exe
2007-04-10 07:35 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-09 21:44 <DIR> d-------- C:\Program Files\hijack this
2007-04-09 16:41 776,959 ---hs---- C:\WINDOWS\system32\yycdd.bak1
2007-04-09 15:29 776,959 ---hs---- C:\WINDOWS\system32\npqss.bak1
2007-04-09 12:57 776,959 ---hs---- C:\WINDOWS\system32\jmllm.bak1
2007-04-09 12:56 280,676 ---hs---- C:\WINDOWS\system32\mllmj.dll
2007-04-05 13:41 <DIR> d-------- C:\!KillBox
2007-04-05 10:24 <DIR> d-------- C:\SmitfraudFix
2007-04-05 08:36 3,064 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-05 08:34 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-05 08:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-05 08:34 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-05 08:34 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-05 08:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-05 08:34 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-03 14:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-03 11:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-04-03 11:38 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-04-03 11:38 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-04-03 11:38 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-04-03 11:38 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-04-03 11:36 <DIR> d-------- C:\DOCUME~1\warren\APPLIC~1\Webroot
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IKAutoUp.exe
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IkAutoUp.dat
2007-04-02 21:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-02 19:47 <DIR> d-------- C:\Program Files\STOPzilla!
2007-04-02 19:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-04-02 19:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-04-02 15:45 <DIR> d-------- C:\WINDOWS\pss
2007-04-02 12:11 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-03-18 19:54 <DIR> d-------- C:\Program Files\iTunes
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-14 17:06 <DIR> d-------- C:\My Games
2007-03-14 17:05 <DIR> d-------- C:\My Download Files
2007-03-14 17:04 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-03-14 17:04 <DIR> d-------- C:\Program Files\Real
2007-03-11 16:32 <DIR> d-------- C:\DOCUME~1\alex\APPLIC~1\DivX


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-11 15:49 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\skype
2007-04-10 11:04 -------- d-------- C:\Program Files\tweak-xp pro 4
2007-04-09 18:25 -------- d-------- C:\Program Files\replay7
2007-04-09 13:32 -------- d-------- C:\Program Files\google
2007-04-09 10:55 -------- d-------- C:\Program Files\java
2007-04-05 13:16 2951 --a------ C:\WINDOWS\mozver.dat
2007-04-05 11:28 -------- d-------- C:\Program Files\super internet tv
2007-04-03 12:30 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\verbatim software
2007-04-03 11:38 -------- d-------- C:\Program Files\webroot
2007-03-28 19:09 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso_hwe
2007-03-18 20:55 -------- d-------- C:\Program Files\dvdfab platinum 3
2007-03-18 20:55 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso
2007-03-18 19:54 -------- d-------- C:\Program Files\ipod
2007-03-18 19:52 -------- d-------- C:\Program Files\quicktime
2007-03-14 17:04 -------- d-------- C:\Program Files\Common Files\real
2007-03-08 09:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 09:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 09:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 07:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 09:32 -------- d-------- C:\Program Files\divx
2007-03-05 19:16 -------- d-------- C:\Program Files\yahoo! games
2007-03-05 18:21 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\juniper networks
2007-02-22 22:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-22 22:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-22 22:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 22:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-22 22:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-22 22:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-22 22:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-22 22:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-22 22:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-22 22:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-22 22:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-22 22:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-15 19:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-11 18:22 -------- d-------- C:\Program Files\openvideoconverter
2007-02-11 17:53 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-29 23:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-29 23:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-29 23:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-22 19:24 23392 --a--c--- C:\WINDOWS\system32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"RegistryMechanic"=""
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"WatchDog"="\"C:\\Program Files\\mobile PhoneTools\\WatchDog.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-11 15:59:21
C:\ComboFix-quarantined-files.txt ... 07-04-11 15:59
 
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-11 15:52:44
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 84586828 ZwAllocateVirtualMemory
SSDT \SystemRoot\system32\drivers\core.sys ZwClose
SSDT \SystemRoot\system32\drivers\core.sys ZwCreateKey
SSDT 84586D50 ZwCreateProcess
SSDT 84586CD8 ZwCreateProcessEx
SSDT 84586AF8 ZwCreateThread
SSDT \SystemRoot\system32\drivers\core.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\core.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\core.sys ZwLoadKey
SSDT \SystemRoot\system32\drivers\core.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 845868A0 ZwQueueApcThread
SSDT 84586738 ZwReadVirtualMemory
SSDT 84586F30 ZwRenameKey
SSDT \SystemRoot\system32\drivers\core.sys ZwReplaceKey
SSDT \SystemRoot\system32\drivers\core.sys ZwRestoreKey
SSDT 84586990 ZwSetContextThread
SSDT 84586EB8 ZwSetInformationKey
SSDT 84586BE8 ZwSetInformationProcess
SSDT 84586A08 ZwSetInformationThread
SSDT \SystemRoot\system32\drivers\core.sys ZwSetValueKey
SSDT 84586B70 ZwSuspendProcess
SSDT 84586918 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 84586A80 ZwTerminateThread
SSDT 845867B0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\drivers\core.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1900] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 839054E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 839054E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 839054E8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 839054E8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 8393F370
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 8393F2F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 839743E8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 83974370
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 839742F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 838C4BA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 838C4B28
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 838C4AB0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 838CDFA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 838CDF30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 838CDEB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 838CDE40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 838F97F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 838F9780
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 838F9708
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 839ADFA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 839ADF30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 839ADEB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 839ADE40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 839068F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 83906878
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 83906800
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 83906788
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 83905650
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 839055D8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 83905560
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 839054E8

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) F7CA7000

---- EOF - GMER 1.0.12 ----
 
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:06:16 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8414 bytes