Smithfraud and command--Macafee won't let me run HJT

Status
Not open for further replies.
Y

yokatta

New member
I have some malware I can't get rid of. I followed the directions on "read this before post" and have done everything except Hijackthis log. This is because when I try to run it Macafee says it's a virus and won't let me. Any help would be appreciated. Thanks in advance
 
Finally got it to work. Here it is. Any help is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 4:17:53 PM, on 12/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasdc.exe
C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasers.exe
C:\Program Files\Common Files\WinAntiSpyware 2006\was6cw.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\OPMSXP~1\APPLIC~1\ASEMBL~1\wuauclt.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\lwinsoeg.exe
C:\Program Files\Common Files\{C8DF9355-0C78-1033-1011-040405120001}\Update.exe
C:\WINDOWS\system32\ISHOST.EXE
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\SYSTEM32\?ystem\l?gonui.exe
C:\WINDOWS\explorer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\DOCUME~1\OPMSXP~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {C5A730CE-FA04-FA80-760C-F91A06C90AE0} - C:\WINDOWS\system32\msnnw.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 209.131.36.158 www.yahoo.com
O1 - Hosts: 208.186.231.242 www.bankofutah.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38DF9~1\Bar888.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [DC6_Check] "C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasdc.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasers.exe"
O4 - HKLM\..\Run: [was6cw] C:\Program Files\Common Files\WinAntiSpyware 2006\was6cw.exe -c
O4 - HKLM\..\Run: [{F9-93-35-55-ZN}] c:\windows\system32\dwdsregt.exe ELT001
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvum.dll,startup
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lwinsoeh.exe ELT001
O4 - HKLM\..\Run: [gklpfqn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gklpfqn.dll,vmngtt
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\OPMS XP\Local Settings\Application Data\sruusxm.dll",nsrxhv
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\OPMSXP~1\APPLIC~1\ASEMBL~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Ocgdqtdt] C:\WINDOWS\SYSTEM32\?ystem\l?gonui.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\lwinsoeh.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Welcome to the forum, you have a real mess here. My first suggestion is to keep this computer offline until we get it cleaned up which may take a while.
You have multiple infections and various tools will be used, if there is anything you don't understand, please take the time to ask. I will number the instructions in an effort to stay organized. It appears you missed this, so
please review this information: "BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
http://forums.spybot.info/showthread.php?t=288
DO NOT attach files, copy and paste all information as in the instructions.

1) Did you place these items in your hosts file?
O1 - Hosts: 209.131.36.158 www.yahoo.com
O1 - Hosts: 208.186.231.242 www.bankofutah.com
See this: http://ws.arin.net/cgi-bin/whois.pl If you did not place these you may want to notify that bank and stop all transctions until you are clean.

2) You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder, I prefer C:\HJT\HijackThis.exe. If you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
Once you have HJT relocated, then point at the .exe and rename it to yokatta.exe or whatever. Looks like we may have a vundo trojan also and that should show it in the next HJT log.

3) Start > Control Panel > Add Remove programs and uninstall WinAntiSpyware 2006, Bar888, ipwins, PuritySCAN By OIN, OIN, OuterInfo and any other program you know does not belong there. If you don't see this junk, please run this uninstaller:
http://www.outerinfo.com/howto.html

4) follow the directions in this link: http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.
Please use these instructions when you run AVG Anti-Spyware, make sure you delete or at least quarantine what is located.
http://forums.security-central.us/showthread.php?t=3165

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

5) Thanks to sUBs and anyone who helped with this fix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

If the log is large You might need to post half in one reply half in another.

Restart the computer and post the log from combofix, The results of Smitfraudfix, the scan results from AVG AntiSpyware a new HJT log and any other information I requested.

Thanks
 
WOW! That was fun. I really appreciate your help.

Ok, for step one, what is the hosts? I don't believe yahoo should be there, but I called the bank and they said their program put it there.

For step three The following did not show up to uninstall:
WinAntiSpywar 2006, ipwins, purity SCAN by OIN, and Outerinfo.

If by chance I missed a log let me know. My mind is spinning with all these different downloads and instructions. Thanks again.

PS-everytime I reboot MacAfee won't let me run HJT. It thinks it's a virus. I never use it anyway (came with the computer) should I just unistall it?

combofix log:
OPMS XP - 06-12-13 19:05:42.53 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{38DF9355-0C78-1033-1011-040405120001}
C:\Program Files\Common Files\{C8DF9355-0C78-1033-1011-040405120001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\OPMS XP\Application Data\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\OPMS XP\Application Data\SCURIT~1
C:\QooBox\Purity\Documents and Settings\OPMS XP\My Documents\YMBOLS~1
C:\QooBox\Purity\Documents and Settings\OPMS XP\My Documents\YSTEM~1
C:\QooBox\Purity\Program Files\DOBE~1
C:\QooBox\Purity\Program Files\YMANTE~1
C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\SYSTEM32\SCURIT~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\YSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-13 to 2006-12-13 ))))))))))))))))))))))))))))))))))


2006-12-13 18:26 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-13 18:26 <DIR> d-------- C:\Program Files\Grisoft
2006-12-13 17:34 79,360 --a------ C:\WINDOWS\SYSTEM32\swxcacls.exe
2006-12-13 17:34 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2006-12-13 17:34 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2006-12-13 17:34 40,960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe
2006-12-13 17:34 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2006-12-13 17:34 135,168 --a------ C:\WINDOWS\SYSTEM32\swreg.exe
2006-12-13 09:25 88,340 --a------ C:\WINDOWS\SYSTEM32\lomvaxkr.exe
2006-12-13 03:34 918 --a------ C:\WINDOWS\SYSTEM32\winpfz32.sys
2006-12-13 03:34 184,430 --a------ C:\WINDOWS\SYSTEM32\lwinsoed.exe
2006-12-12 09:25 88,340 --a------ C:\WINDOWS\SYSTEM32\blkwjmco.exe
2006-12-11 09:25 88,340 --a------ C:\WINDOWS\SYSTEM32\yefyojtc.exe
2006-12-11 08:53 126,996 --a------ C:\WINDOWS\SYSTEM32\dbkmlufl.dll
2006-12-10 20:29 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2006-12-10 20:27 <DIR> d-------- C:\Documents and Settings\OPMS XP\.housecall6.6
2006-12-10 20:21 90,164 ---hs---- C:\WINDOWS\SYSTEM32\vturr.dll
2006-12-10 20:18 <DIR> d--h----- C:\WINDOWS\PIF
2006-12-10 20:14 <DIR> d-------- C:\Program Files\HijackThis
2006-12-10 20:09 94,208 --a------ C:\WINDOWS\SYSTEM32\sruusxm.dll
2006-12-10 20:09 72,704 --a------ C:\WINDOWS\SYSTEM32\drvvum.dll
2006-12-10 20:09 71,680 --a------ C:\WINDOWS\SYSTEM32\ipnydgh.dll
2006-12-10 19:39 88,340 --a------ C:\WINDOWS\SYSTEM32\oeqvtxiu.exe
2006-12-09 09:13 88,340 --a------ C:\WINDOWS\SYSTEM32\xyedlngo.exe
2006-12-08 09:13 88,340 --a------ C:\WINDOWS\SYSTEM32\xidpldmn.exe
2006-12-08 08:58 88,340 --a------ C:\WINDOWS\SYSTEM32\djuboiuf.exe
2006-12-07 08:58 88,340 --a------ C:\WINDOWS\SYSTEM32\vbqdibnr.exe
2006-12-06 08:58 88,340 --a------ C:\WINDOWS\SYSTEM32\fkuaebrc.exe
2006-12-05 08:57 88,340 --a------ C:\WINDOWS\SYSTEM32\ntufhkdh.exe
2006-12-05 08:56 88,340 --a------ C:\WINDOWS\SYSTEM32\evujvikh.exe
2006-12-04 08:56 88,340 --a------ C:\WINDOWS\SYSTEM32\wvcskfbh.exe
2006-12-04 08:54 126,996 --a------ C:\WINDOWS\SYSTEM32\jhlbyucr.dll
2006-12-03 08:55 88,340 --a------ C:\WINDOWS\SYSTEM32\hiewfmca.exe
2006-12-02 08:55 88,340 --a------ C:\WINDOWS\SYSTEM32\lgxkjvll.exe
2006-12-01 08:55 88,340 --a------ C:\WINDOWS\SYSTEM32\xjtadnhr.exe
2006-11-30 17:11 180,334 --a------ C:\WINDOWS\SYSTEM32\lwinsoeg.exe
2006-11-30 08:55 88,340 --a------ C:\WINDOWS\SYSTEM32\sflbkaws.exe
2006-11-29 08:55 88,340 --a------ C:\WINDOWS\SYSTEM32\kwxbsufh.exe
2006-11-28 08:55 88,340 --a------ C:\WINDOWS\SYSTEM32\qtbptglu.exe
2006-11-28 08:55 42,516 --a------ C:\WINDOWS\SYSTEM32\qfjjcqoo.dll
2006-11-28 05:22 180,334 --a------ C:\WINDOWS\SYSTEM32\lwinsoeh.exe
2006-11-27 08:55 88,340 --a------ C:\WINDOWS\SYSTEM32\rkglxoud.exe
2006-11-27 08:55 38,420 --a------ C:\WINDOWS\SYSTEM32\ldemhoty.dll
2006-11-27 08:55 126,996 --a------ C:\WINDOWS\SYSTEM32\ixbgdrin.dll
2006-11-22 11:32 110,612 --a------ C:\WINDOWS\SYSTEM32\ucmuguye.exe
2006-11-21 11:31 110,612 --a------ C:\WINDOWS\SYSTEM32\howjigwm.exe
2006-11-20 11:31 110,612 --a------ C:\WINDOWS\SYSTEM32\grfadtmo.exe
2006-11-19 11:31 110,612 --a------ C:\WINDOWS\SYSTEM32\ghmycxsl.exe
2006-11-18 11:31 110,612 --a------ C:\WINDOWS\SYSTEM32\lsrpufvo.exe
2006-11-17 11:31 110,612 --a------ C:\WINDOWS\SYSTEM32\xwsxbrvk.exe
2006-11-16 11:31 126,996 --a------ C:\WINDOWS\SYSTEM32\opawnwiw.dll
2006-11-16 11:31 110,612 --a------ C:\WINDOWS\SYSTEM32\xjxyekkt.exe
2006-11-16 08:01 94,208 --a------ C:\WINDOWS\SYSTEM32\gklpfqn.dll
2006-11-16 08:01 71,680 --a------ C:\WINDOWS\SYSTEM32\fwajpad.dll
2006-11-15 11:31 110,612 --a------ C:\WINDOWS\SYSTEM32\tduhqowg.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-13 19:07 -------- d-------- C:\Program Files\Common Files
2006-12-13 19:05 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-13 18:59 -------- d-------- C:\Program Files\Common Files\WinAntiSpyware 2006 Free
2006-12-13 18:59 -------- d-------- C:\Program Files\Common Files\WinAntiSpyware 2006
2006-12-13 12:16 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-13 12:16 -------- d-------- C:\Program Files\MUSICMATCH
2006-12-12 09:25 861127 ---hs---- C:\WINDOWS\SYSTEM32\vybeg.bak2
2006-12-10 21:34 1063 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-12-08 09:13 837307 ---hs---- C:\WINDOWS\SYSTEM32\vybeg.bak1
2006-11-09 11:30 110612 --a------ C:\WINDOWS\SYSTEM32\rhrclgcq.exe
2006-11-09 11:19 110612 --a------ C:\WINDOWS\SYSTEM32\lmelgsaj.exe
2006-11-08 11:19 110612 --a------ C:\WINDOWS\SYSTEM32\ymnogmpi.exe
2006-11-07 11:46 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-07 11:20 110612 --a------ C:\WINDOWS\SYSTEM32\cxlslchs.exe
2006-11-06 11:18 110612 --a------ C:\WINDOWS\SYSTEM32\idbyclpf.exe
2006-11-06 10:51 110612 --a------ C:\WINDOWS\SYSTEM32\kpiketgl.exe
2006-11-03 13:33 -------- d-------- C:\Documents and Settings\OPMS XP\Application Data\Mozilla
2006-11-03 13:09 -------- d-------- C:\Program Files\Broadcom
2006-11-03 11:23 -------- d-------- C:\Documents and Settings\OPMS XP\Application Data\WinAntiSpyware 2006
2006-11-03 11:20 -------- d-------- C:\Program Files\Internet Explorer
2006-11-03 10:51 110612 --a------ C:\WINDOWS\SYSTEM32\hjaxhwfr.exe
2006-11-03 10:51 -------- d-------- C:\Program Files\VSAdd-in
2006-11-03 10:50 692276 ---hs---- C:\WINDOWS\SYSTEM32\gebyv.dll
2006-11-03 10:48 1259 --a------ C:\WINDOWS\SYSTEM32\onaa71b4.sys
2006-11-03 10:47 433632 --a------ C:\WINDOWS\hancerdoem.exe
2006-11-03 10:47 -------- d-------- C:\Program Files\em
2006-11-03 10:47 -------- d-------- C:\Program Files\Common Files\kqqk
2006-11-03 10:40 93696 --a------ C:\WINDOWS\SYSTEM32\qxqjeeg.dll
2006-11-03 10:40 72704 --a------ C:\WINDOWS\SYSTEM32\hcdsxec.dll
2006-11-03 10:38 -------- d-------- C:\Program Files\microsoft frontpage
2006-11-03 10:38 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-27 15:09 6049280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-10-27 15:09 50688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-10-27 15:09 458752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-10-27 15:09 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-10-27 15:09 180736 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-10-27 02:44 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-10-17 15:05 -------- d-------- C:\Program Files\CCware
2006-10-17 13:06 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll
2006-10-13 05:35 65536 --a------ C:\WINDOWS\SYSTEM32\nwwks.dll
2006-10-13 05:35 64000 --a------ C:\WINDOWS\SYSTEM32\nwapi32.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\SYSTEM32\nwprovau.dll
2006-10-13 03:23 163584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nwrdr.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"was6cw"="C:\\Program Files\\Common Files\\WinAntiSpyware 2006\\was6cw.exe -c"
"gklpfqn.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\gklpfqn.dll,vmngtt"
"sruusxm.dll"="C:\\WINDOWS\\system32\\rundll32.exe \"C:\\Documents and Settings\\OPMS XP\\Local Settings\\Application Data\\sruusxm.dll\",nsrxhv"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{C671A733-A4AA-4B5F-8CEE-006242C457B5}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcayx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingwn32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (DFM3H461-Administrator).job
C:\WINDOWS\tasks\McAfee.com Update Check (OPMS-OPMS XP).job
C:\WINDOWS\tasks\McAfee.com Update Check (OPMS-Willis).job
C:\WINDOWS\tasks\McAfee.com Update Check (OPMS0853-OPMS XP).job
C:\WINDOWS\tasks\McAfee.com Update Check (OPMS0853-OPMS).job

Completion time: 06-12-13 19:07:41.87
C:\ComboFix.txt ... 06-12-13 19:07
 
Smitfraudfix log:

SmitFraudFix v2.130

Scan done at 17:52:29.26, 12/13/2006
Run from C:\Documents and Settings\OPMS XP\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\impgsje.dll Deleted
C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\WINDOWS\system32\components\flx??.dll Deleted
C:\WINDOWS\system32\components\flx???.dll Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\OPMSXP~1\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\VirusBursters\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 
AVG AntiSpyware Log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:00:22 PM 12/13/2006

+ Scan result:



C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022886.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022916.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP623\A0022986.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP624\A0023003.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023103.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP632\A0023159.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP633\A0023174.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP634\A0023183.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP635\A0023185.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP636\A0023193.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP637\A0023203.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP638\A0023221.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP642\A0023240.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021484.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021485.exe -> Adware.CommAd : Cleaned.
C:\WINDOWS\Temp\cmdinst.exe -> Adware.CommAd : Cleaned.
C:\WINDOWS\V2lsbGlz\asappsrv.dll -> Adware.CommAd : Cleaned.
C:\WINDOWS\V2lsbGlz\command.exe -> Adware.CommAd : Cleaned.
C:\WINDOWS\unstall.exe -> Adware.EliteMedia : Cleaned.
HKU\S-1-5-21-2834199108-3797678928-2590302833-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned.
HKU\S-1-5-21-2834199108-3797678928-2590302833-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{39F25B12-74FF-4079-A51F-1D70F5B08B84} -> Adware.Generic : Cleaned.
HKU\S-1-5-21-2834199108-3797678928-2590302833-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned.
HKU\S-1-5-21-2834199108-3797678928-2590302833-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39F25B12-74FF-4079-A51F-1D70F5B08B84} -> Adware.Generic : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021548.exe -> Adware.Maxifiles : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021678.exe -> Adware.Maxifiles : Cleaned.
C:\Documents and Settings\OPMS XP\Desktop\OiUninstaller.exe -> Adware.MediaTickets : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021496.dll -> Adware.Mirar : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021497.dll -> Adware.Mirar : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0020477.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021523.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022913.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023054.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP633\A0023179.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP645\A0023316.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0023378.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\A0023478.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\MirarSetup_876057.exe -> Adware.SaveNow : Cleaned.
C:\Documents and Settings\OPMS XP\Local Settings\Temp\nsn184.tmp\Services.dll -> Adware.Softomate : Cleaned.
C:\Program Files\Common Files\{38DF9355-0C78-1033-1011-040405120001}\Bar888.dll -> Adware.Softomate : Cleaned.
C:\Program Files\Common Files\{38DF9355-0C78-1033-1011-040405120001}\MyToolBar.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022880.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022952.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022953.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022954.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP627\A0023029.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023090.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023091.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023092.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023093.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0023942.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0023943.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0023944.exe -> Adware.Softomate : Cleaned.
C:\WINDOWS\Temp\b116.exe -> Adware.Softomate : Cleaned.
C:\WINDOWS\Temp\win15B.tmp.exe -> Adware.Softomate : Cleaned.
C:\WINDOWS\Temp\win20E.tmp.exe -> Adware.Softomate : Cleaned.
C:\WINDOWS\Temp\win5A1.tmp.exe -> Adware.Softomate : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DC6_Check -> Adware.Systemdoctor : Error during cleaning.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0020481.dll -> Adware.TargetServer : Cleaned.
C:\WINDOWS\SYSTEM32\cbxussr.dll -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\SYSTEM32\efcaaax.dll -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\SYSTEM32\khfcayx.dll -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\SYSTEM32\ssqpoom.dll -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\SYSTEM32\vtuvvtr.dll -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\SYSTEM32\yaywuvv.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0024285.exe -> Adware.VirusBurst.b : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021658.dll -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021662.dll -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021683.exe -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021681.exe -> Adware.Webhancer.a : Cleaned.
HKU\S-1-5-21-2834199108-3797678928-2590302833-1008\Software\ToolBar -> Adware.WebSearch : Cleaned.
HKU\S-1-5-21-2834199108-3797678928-2590302833-1008\Software\ToolBar\all -> Adware.WebSearch : Cleaned.
HKU\S-1-5-21-2834199108-3797678928-2590302833-1008\Software\ToolBar\all\History -> Adware.WebSearch : Cleaned.
C:\Documents and Settings\OPMS XP\Local Settings\Temp\NI.WAS6_0001_N91E2609\setup.exe -> Adware.WinAntiSpyware : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021806.exe -> Adware.WinAntiSpyware : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021810.exe -> Adware.WinAntiSpyware : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021812.exe -> Adware.WinAntiSpyware : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021813.dll -> Adware.WinAntiSpyware : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021815.exe -> Adware.WinAntiSpyware : Cleaned.
HKLM\SOFTWARE\Classes\WASPChk.WASPChk -> Adware.WinAntiSpyware : Cleaned.
HKLM\SOFTWARE\Classes\WASPChk.WASPChk\CLSID -> Adware.WinAntiSpyware : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021809.exe -> Adware.WinAntiVirus : Cleaned.
C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasdc.exe -> Adware.WinFixer : Cleaned.
C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasers.exe -> Adware.WinFixer : Cleaned.
[2188] C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasdc.exe -> Adware.WinFixer : Cleaned.
[2208] C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasers.exe -> Adware.WinFixer : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021686.exe -> Adware.ZenoSearch : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022853.exe -> Adware.ZenoSearch : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022934.exe -> Adware.ZenoSearch : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022936.exe -> Adware.ZenoSearch : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023081.exe -> Adware.ZenoSearch : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\A0023441.exe -> Adware.ZenoSearch : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\A0023443.exe -> Adware.ZenoSearch : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0024294.exe -> Adware.ZenoSearch : Cleaned.
C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned.
C:\WINDOWS\TIELT001.exe -> Adware.ZenoSearch : Cleaned.
[2676] c:\windows\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022843.dll -> Downloader.Agent.awb : Cleaned.
C:\WINDOWS\Temp\win2FF6.tmp.exe -> Downloader.Agent.bca : Cleaned.
C:\WINDOWS\Temp\win5292.tmp.exe -> Downloader.Agent.bca : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022854.exe -> Downloader.Agent.dz : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022935.exe -> Downloader.Agent.dz : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\A0023440.exe -> Downloader.Agent.dz : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0020478.exe -> Downloader.Purit.co : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021515.exe -> Downloader.Purit.co : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022914.exe -> Downloader.Purit.co : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP633\A0023180.exe -> Downloader.Purit.co : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP645\A0023317.exe -> Downloader.Purit.co : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022933.exe -> Downloader.PurityScan.dc : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023080.exe -> Downloader.PurityScan.dc : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\A0023455.exe -> Downloader.PurityScan.dc : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0023517.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\Temp\win164.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\Temp\win3007.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\Temp\win38C.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\Temp\win5297.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
 
CONT.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021516.exe -> Downloader.PurityScan.dr : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0023933.exe -> Downloader.PurityScan.dt : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021549.exe -> Downloader.PurityScan.dy : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022844.dll -> Downloader.Small : Cleaned.
C:\WINDOWS\Temp\b104.exe -> Downloader.Small.buy : Cleaned.
C:\WINDOWS\idlemg.exe -> Downloader.Small.buy : Cleaned.
C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021679.dll -> Downloader.Small.ece : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0020480.exe -> Downloader.TSUpdate.l : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0020479.exe -> Downloader.TSUpdate.n : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0020484.exe -> Downloader.VB.anl : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0020485.exe -> Downloader.VB.anl : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021477.exe -> Downloader.VB.anl : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022848.exe -> Downloader.VB.anl : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022849.exe -> Downloader.VB.anl : Cleaned.
C:\WINDOWS\Duce6.exe -> Downloader.VB.apu : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021660.exe -> Downloader.Zlob.aew : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0020491.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021489.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021507.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021529.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021648.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021674.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021697.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021709.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021721.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021736.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021757.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021776.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021788.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021826.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP619\A0021837.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022838.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022846.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022883.exe -> Downloader.Zlob.atw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022899.exe -> Downloader.Zlob.auw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022931.exe -> Downloader.Zlob.auw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022957.exe -> Downloader.Zlob.auw : Cleaned.
C:\WINDOWS\Temp\win192.tmp.exe -> Downloader.Zlob.auw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023078.exe -> Downloader.Zlob.avb : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP632\A0023158.exe -> Downloader.Zlob.avb : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021747.dll -> Downloader.Zlob.avl : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP642\A0023257.exe -> Downloader.Zlob.azj : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP644\A0023295.exe -> Downloader.Zlob.azj : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\A0023415.exe -> Downloader.Zlob.azj : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\A0023433.exe -> Downloader.Zlob.azj : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\A0023439.exe -> Downloader.Zlob.azj : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0020492.dll -> Downloader.Zlob.v : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021488.dll -> Downloader.Zlob.v : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021508.dll -> Downloader.Zlob.v : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021530.dll -> Downloader.Zlob.v : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021649.dll -> Downloader.Zlob.v : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021659.exe -> Downloader.Zlob.v : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021661.dll -> Downloader.Zlob.v : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021688.dll -> Downloader.Zlob.v : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0023949.dll -> Downloader.Zlob.v : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021677.exe -> Dropper.DollarR.b : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021518.exe -> Dropper.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022851.exe -> Hijacker.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021663.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N91M1508NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\Program Files\Common Files\WinAntiSpyware 2006\was6cw.exe -> Not-A-Virus.Downloader.Win32.WinFixer.t : Cleaned.
[2224] C:\Program Files\Common Files\WinAntiSpyware 2006\was6cw.exe -> Not-A-Virus.Downloader.Win32.WinFixer.t : Cleaned.
C:\WINDOWS\SYSTEM32\drvlut.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned.
C:\WINDOWS\Temp\mst5BB.tmp -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP632\A0023149.dll -> Not-A-Virus.Hoax.Win32.Renos.ge : Cleaned.
C:\WINDOWS\SYSTEM32\drvcup.dll -> Not-A-Virus.Hoax.Win32.Renos.ge : Cleaned.
C:\WINDOWS\Temp\mst162.tmp -> Not-A-Virus.Hoax.Win32.Renos.ge : Cleaned.
C:\WINDOWS\Temp\mst38B.tmp -> Not-A-Virus.Hoax.Win32.Renos.ge : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP618\A0021655.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023077.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
:mozilla.223:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.293:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.297:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.318:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.39:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.40:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.41:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.42:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.43:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.44:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.45:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.46:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.47:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.48:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.49:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.50:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.51:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.52:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.53:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.54:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.55:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.57:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.58:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.67:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.68:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt ->
 
CONT:

TrackingCookie.Adbrite : Cleaned.
:mozilla.437:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.438:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.439:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.440:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.441:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.519:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.520:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.81:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.82:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.131:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.199:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.200:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.7:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\yz7l540y.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.8:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\yz7l540y.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.164:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.165:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.166:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.167:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.168:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.169:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.170:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.171:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.172:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.173:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.174:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.175:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.176:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.177:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.178:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.179:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.180:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.181:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.182:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.183:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.184:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.185:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.186:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.72:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.210:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
:mozilla.9:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\yz7l540y.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
:mozilla.715:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.468:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.469:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.470:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.471:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.472:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.21:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.349:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.350:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.372:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.74:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.75:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.76:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.386:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.387:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.10:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.11:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.12:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.13:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.16:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.17:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.18:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.513:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.514:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.524:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.551:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.552:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.553:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.697:C:\Documents and Settings\OPMS XP\Application Data\Mozilla\Firefox\Profiles\qp5u6eog.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\SYSTEM32\wingwn32.dll -> Trojan.Agent.vg : Cleaned.
C:\WINDOWS\SYSTEM32\upfapeqn.dll -> Trojan.BHO.g : Cleaned.
C:\Program Files\Common Files\{38DF9355-0C78-1033-1011-040405120001}\Activate.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021486.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0021494.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022845.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022881.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022915.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP622\A0022955.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP625\A0023020.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023076.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP630\A0023094.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP633\A0023181.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP645\A0023318.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP651\A0023380.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\A0023480.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0023848.exe -> Trojan.Small : Cleaned.
C:\WINDOWS\V2lsbGlz\pZ5Pv35W.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022847.exe -> Trojan.VB.tg : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP621\A0022850.exe -> Trojan.VB.tg : Cleaned.
C:\WINDOWS\Setup90.exe -> Trojan.VB.tg : Cleaned.


::Report end
 
Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:10:54 PM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\SYSTEM32\lwinsoed.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HijackThis\kissmybuttmalware.exe

O1 - Hosts: 209.131.36.158 www.yahoo.com
O1 - Hosts: 208.186.231.242 www.bankofutah.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O2 - BHO: (no name) - {052D8C58-BD7F-60BB-95C6-042F3A1903A0} - C:\WINDOWS\system32\hcdsxec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FABD0D5-85A7-4E27-8EC7-39ABFDD5A6BC} - C:\WINDOWS\system32\gebyv.dll
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - C:\Documents and Settings\OPMS XP\Local Settings\Application Data\ipnydgh.dll
O2 - BHO: (no name) - {32D64784-715D-4A2C-1DC4-08E56A70334F} - C:\WINDOWS\system32\fwajpad.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\qfjjcqoo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38DF9~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\khfcayx.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38DF9~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [was6cw] C:\Program Files\Common Files\WinAntiSpyware 2006\was6cw.exe -c
O4 - HKLM\..\Run: [gklpfqn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gklpfqn.dll,vmngtt
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\OPMS XP\Local Settings\Application Data\sruusxm.dll",nsrxhv
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\lwinsoed.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll
O20 - Winlogon Notify: khfcayx - khfcayx.dll (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: wingwn32 - wingwn32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Thanks for returning your information, let's see how we did. First let me say you did a good job with the tools. Work through the fixes at a safe pace. Do not rush and make an error. Read the instructions and make sure you understand them, if not, post and ask for more instructions.
Ok, for step one, what is the hosts? I don't believe yahoo should be there, but I called the bank and they said their program put it there.
Click to expand...
http://www.mvps.org/winhelp2002/hosts.htm <<< information about Hosts file.
PS-everytime I reboot MacAfee won't let me run HJT. It thinks it's a virus. I never use it anyway (came with the computer) should I just unistall it?
Click to expand...
I run McAfee and it does not do that? You need to run an antivirus program, you can remove McAfee but you must have a program to replace it. I can provide links to free programs if you wish.

Your Java program is out of date and may be the reason you are infected, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\ <<< out of date, please download the newest version and uninstall all old versions in Add Remove programs.

Your System Restore files are badly infected, but that junk can not get to the computer unless you use System Restore. DO NOT, we will clean those files before we finish.

We can see the vundo infection now:
O2 - BHO: (no name) - {0FABD0D5-85A7-4E27-8EC7-39ABFDD5A6BC} - C:\WINDOWS\system32\gebyv.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll

Keep in mind the Vundofix may find files it can not remove the first run. I have seen it take several and the scan must show all files Vundofix locates "Have been deleted" before you move on.

Thanks to Atribune and any others who helped with this fix.

1) Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

(save those two reports until you finish)

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) AVG Anti-Spyware 7.5: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.


5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O1 - Hosts: 209.131.36.158 www.yahoo.com
(next item is NOT bad, but with the missing file is not working right if at all. Install it again if you use it after we are finished)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O2 - BHO: (no name) - {052D8C58-BD7F-60BB-95C6-042F3A1903A0} - C:\WINDOWS\system32\hcdsxec.dll
O2 - BHO: (no name) - {0FABD0D5-85A7-4E27-8EC7-39ABFDD5A6BC} - C:\WINDOWS\system32\gebyv.dll
(Vundo)
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - C:\Documents and Settings\OPMS XP\Local Settings\Application Data\ipnydgh.dll
O2 - BHO: (no name) - {32D64784-715D-4A2C-1DC4-08E56A70334F} - C:\WINDOWS\system32\fwajpad.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\qfjjcqoo.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38DF9~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\khfcayx.dll (file missing)
(same as above Yahoo! item)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38DF9~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [was6cw] C:\Program Files\Common Files\WinAntiSpyware 2006\was6cw.exe -c
O4 - HKLM\..\Run: [gklpfqn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gklpfqn.dll,vmngtt
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\OPMS XP\Local Settings\Application Data\sruusxm.dll",nsrxhv
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\lwinsoed.exe
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll
(Vundo, should be gone)
O20 - Winlogon Notify: khfcayx - khfcayx.dll (file missing)
O20 - Winlogon Notify: wingwn32 - wingwn32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

(some files may be gone, just DO NOT miss any)

C:\Program Files\Common Files\WinAntiSpyware 2006\ <<< delete that folder

C:\WINDOWS\TIELT001.exe <<< delete that file

C:\WINDOWS\system32\gklpfqn.dll <<< delete that file

C:\WINDOWS\SYSTEM32\lwinsoed.exe <<< delete that file
C:\Documents and Settings\OPMS XP\Local Settings\Application Data\sruusxm.dll <<< delete that file

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the C:\vundofix.txt and a new HiJackThis log. Let me know how the computer is running now.

Thanks
 
Ok, lots more fun! Please let me know before were done what programs to run to prevent this and how to maintain and monitor problems. Computer is running much better since the last time, expect even better after this.

First of all MacAffee continues to give me an error when I try to run Hijackthis and it deletes the file. If I re-enable then re-disable protection it works ok. It says that "Hijackthis is infected by W32/generic.worm!.p2p"

In the Hijack system scan I could not find the following:
O2 - BHO: (no name) - {0FABD0D5-85A7-4E27-8EC7-39ABFDD5A6BC} - C:\WINDOWS\system32\gebyv.dll
(Vundo)

O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\qfjjcqoo.dll


Thanks again and I looked forward to your reply.





VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.3

Scan started at 6:12:47 PM 12/19/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\gebyv.dll
C:\WINDOWS\SYSTEM32\vybeg.ini
C:\WINDOWS\SYSTEM32\vybeg.bak1
C:\WINDOWS\SYSTEM32\vybeg.bak2
C:\WINDOWS\SYSTEM32\gklpfqn.dll
C:\WINDOWS\SYSTEM32\hcdsxec.dll
C:\WINDOWS\SYSTEM32\sruusxm.dll
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\SYSTEM32\vybeg.ini
C:\WINDOWS\SYSTEM32\vybeg.bak1
C:\WINDOWS\SYSTEM32\vybeg.bak2
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\vybeg.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\gebyv.dll
C:\WINDOWS\SYSTEM32\gebyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\vybeg.ini
C:\WINDOWS\SYSTEM32\vybeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\vybeg.bak1
C:\WINDOWS\SYSTEM32\vybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\vybeg.bak2
C:\WINDOWS\SYSTEM32\vybeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\gklpfqn.dll
C:\WINDOWS\SYSTEM32\gklpfqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\hcdsxec.dll
C:\WINDOWS\SYSTEM32\hcdsxec.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sruusxm.dll
C:\WINDOWS\SYSTEM32\sruusxm.dll Has been deleted!

Performing Repairs to the registry.
Done!
VUNDO LOG:


VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.3

Scan started at 6:21:16 PM 12/19/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...


HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 7:10:44 PM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HijackThis\kissmybutmalware.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts: 208.186.231.242 www.bankofutah.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\julckvsp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {D91158AB-5D54-45F2-B5C6-247002E3F30D} - C:\WINDOWS\system32\gebyv.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\lwinsoed.exe ELT001
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\aggbrmab.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
The only thing I can think is that McAfee is seeing something in the HJT backups. Take a look here:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTRestore
You sure don't want to restore any of this junk, you should see what McAfee is seeing. After a few days, when you are sure you nothing in those backups is needed, navigate to there and Delete them All.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\julckvsp.dll
O2 - BHO: (no name) - {D91158AB-5D54-45F2-B5C6-247002E3F30D} - C:\WINDOWS\system32\gebyv.dll (file missing)
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\lwinsoed.exe ELT001
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\aggbrmab.dll",setvm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

(these files may be gone, just DO NOT miss them)

C:\WINDOWS\system32\aggbrmab.dll <<< delete that file
C:\WINDOWS\system32\julckvsp.dll <<< delete that file
C:\WINDOWS\SYSTEM32\lwinsoed.exe <<< delete that file

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a last HJT log. Let me know how the computer is running.

Thanks
 
Computer has been running very well, no hicups so far. Thank you so much for you help thus far. Your AWESOME!


Logfile of HijackThis v1.99.1
Scan saved at 10:05:02 AM, on 12/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HijackThis\kissmybutmalware.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts: 208.186.231.242 www.bankofutah.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Thanks for the feedback, everything looks good so you should be good to go. A couple of things to help you.

1) You may rename HJT to what it was if you wish.

2) Let's clean System Restore in case it backed up bad stuff that can effect us if we need System Restore:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot.
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

3) AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

4) Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Safe surfing and Merry Christmas:present:

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.
 
Status
Not open for further replies.
Back
Top