I'm pretty sure I have done everything recommended.
Active scan results:
Incident | Status | Location
Adware:adware/keenvalue | No disinfected | C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Spyware:spyware/new.net | No disinfected | C:\WINDOWS\NDNuninstall6_22.exe
Adware:adware/cws | No disinfected | C:\Documents and Settings\Owner\Favorites\health
Adware:adware/coupons | No disinfected | Windows Registry
Virus:Trj/Citifraud.A | Disinfected | C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default\wy33jd7k.slt\Mail\localhost-1\Inbox[~0001847.~]
Virus:Trj/Citifraud.A | Disinfected | C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default\wy33jd7k.slt\Mail\localhost-1\Inbox[~0001894.~]
Virus:Trj/Citifraud.A | Disinfected | C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default\wy33jd7k.slt\Mail\localhost-1\Inbox[~0002345.~]
Virus:Trj/Citifraud.A | Disinfected | C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default\wy33jd7k.slt\Mail\localhost-1\Inbox[~0002412.~]
Virus:Trj/Citifraud.A | Disinfected | C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default\wy33jd7k.slt\Mail\localhost-1\Inbox[~0002492.~]
Virus:Trj/Citifraud.A | Disinfected | C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default\wy33jd7k.slt\Mail\localhost-1\Inbox[~0002795.~]
Virus:Trj/Citifraud.A | Disinfected | C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default\wy33jd7k.slt\Mail\localhost-1\Inbox[~0002878.~]
Virus:Trj/Citifraud.A | Disinfected | C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default\wy33jd7k.slt\Mail\localhost-1\Inbox[~0002911.~]
Virus:Trj/Citifraud.A | Disinfected | C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default\wy33jd7k.slt\Mail\localhost-1\Inbox[~0003464.~]
Adware:Adware/Coupons | No disinfected | C:\Documents and Settings\Owner\Desktop\hijackthis\hijackthis\backups\backup-20051014-125035-189.dll
Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall6_22.exe
Adware:Adware/StartPage.AIW | No disinfected | C:\WINDOWS\system32\awtsp.dll
VundoFix text file:
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Suspending PID 124 'smss.exe'
Threads [128][132][136]
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 744 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 212 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.
New HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 7:26:06 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\110211~1\EE\AOLHOS~1.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\AOL\110211~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis\hijackthis\HijackThis.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Bho - {BFFA51A0-0B64-4aa3-AAC4-325F9338D0BE} - C:\WINDOWS\system32\kgwiyorj.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=101004 serial=WS12WTX-9999998-UYR lang=EN
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102111375\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_41.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/sh...s/4,0,0,77/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tsClient.cab28578.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs7b.instantservice.com/jars...rxsigned42.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/.../weblaunch.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...com/v3123/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/sh...-us/1,0,0,18/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...ta/SymAData.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pwa...2040611/fullcab/pwlninst.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech.../ActiveData.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/...er/MotUtil.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...wdown.cab28578.cab
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Owner\Desktop\hijackthis\CWShredder\cwshredder.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
That's all 3 things.
A few questions though. How do you get the WinFixer problem?
How did I get a virus through Thunderbird? I remember getting Citibank emails but I didn't download any attachments from them. Can you get viruses through mail clients just by reading an email?
Oh, and the Cleanup program that was recommended deleted 4 GB! Great recommendation.
Thanks a lot!
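The HijackThis log above, as an added example that is not part of the original post and not code from the HijackThis project: a small triage script that parses the "Oxx - kind: detail" entry format and applies the checks a removal helper does by eye. SAMPLE_LOG is constructed from entries copied from that log; the rules (a reference to a file that no longer exists, an O20 Winlogon Notify DLL, an O4 Run value that names a bare executable or an unquoted path with spaces) are this example's own assumptions about what deserves a second look, not a scanner verdict, and the function names are the example's own.

```python
"""Triage helper for HijackThis 1.99 log lines.

Added example: this is not code from the original forum post or from the
HijackThis project. It parses the "Oxx - kind: detail" entry format used in
the log above and applies a few checks a removal helper does by eye. The
rules are this example's own assumptions about what deserves a second look;
they are not a scanner verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Bho - {BFFA51A0-0B64-4aa3-AAC4-325F9338D0BE} - C:\WINDOWS\system32\kgwiyorj.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102111375\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [Name] command"  ->  section="O4", kind="HKLM\..\Run", rest="[Name] command"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
# O4 Run values: "[ValueName] command line"
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    section: str
    kind: str
    rest: str
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for one HijackThis log line, or None for other text."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m["section"], m["kind"], m["rest"]) if m else None


def command_image(cmd):
    """Executable that an O4 Run command line actually starts.

    Quoted paths ("C:\\dir\\app.exe" -flag) are taken up to the closing quote.
    For RUNDLL32.EXE the image of interest is the DLL argument, so that is
    returned instead of rundll32 itself.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].upper() == "RUNDLL32.EXE" and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def triage(entry):
    """Attach human-readable flags to an Entry (rules are this example's own)."""
    rest = entry.rest
    if "(file missing)" in rest:
        entry.flags.append("file missing: dangling reference left after the file was deleted")
    if entry.section == "O20":
        entry.flags.append("Winlogon Notify DLL: loaded into winlogon.exe at boot, verify it")
    if entry.section == "O4" and (m := RUN_RE.match(rest)):
        cmd = m["cmd"]
        image = command_image(cmd)
        if image and "\\" not in image:
            # No directory given: the name is resolved through the search
            # path, so a planted file of the same name can run instead.
            entry.flags.append(f"bare image name {image}: check which file is actually run")
        elif not cmd.startswith('"'):
            # Unquoted path with spaces: CreateProcess-style parsing tries
            # "C:\Program.exe", "C:\Program Files\Common.exe", ... first.
            head = re.split(r"\.exe\b", cmd, maxsplit=1, flags=re.I)[0]
            if " " in head:
                entry.flags.append("unquoted path with spaces: shorter candidate paths are tried first")
    return entry


def triage_log(text):
    """Parse every entry in a log and run the checks over each one."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        mark = "!!" if e.flags else "  "
        print(f"{mark} {e.section:<4} {e.rest[:70]}")
        for f in e.flags:
            print(f"      - {f}")
```

Run against the sample, the O2 kgwiyorj.dll and O20 geeba.dll entries are flagged for pointing at files that no longer exist (the O20 entry additionally because Winlogon Notify DLLs load into winlogon.exe at boot), CTHELPER.EXE is flagged as a bare image name, and the unquoted AOLHostManager.exe path is flagged; the quoted QuickTime value and the rundll32 NvCpl.dll value pass. The checks only read the log text; they do not look at the files themselves.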