Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Hijackthis log: TROJANS
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 11-26-2006, 06:51 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


Hijackthis log: TROJANS
Logfile of HijackThis v1.99.1
Scan saved at 6:43:00 PM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\AOL\1146885179\ee\aolsoftware.exe
c:\program files\common files\aol\1146885179\ee\AOLOpenRide.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Reso...s.10.4.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Sponsored Links
Old 11-26-2006, 06:59 PM   #2 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


my computer keeps finding and quaranteeing the same trojan in my computer everyday for the last week or more. The trojan is called : TROJ DLOADER.FFE
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-28-2006, 05:13 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hello kmac182 and welcome to TSF,

The infection you may have recognizes HijackThis and prevents HJT from reading the registry locations where it resides as well as hiding other infections in those locations.

I'd like you to rename HijackThis.exe to kmac.exe.
  • Navigate to C:\Documents and Settings\abde\Desktop\hijackthis\HijackThis.exe
  • Right click on HijackThis.exe
  • Select 'Rename'
  • Type in kmac.exe
  • Press Enter.
Run a new scan with kmac.exe and post that log here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-28-2006, 05:41 PM   #4 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


Logfile of HijackThis v1.99.1
Scan saved at 5:40:20 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Common Files\AOL\1146885179\ee\aolsoftware.exe
c:\program files\common files\aol\1146885179\ee\AOLOpenRide.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\kmac.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0888E7C1-48A1-4152-B147-D52ECF067233} - C:\WINDOWS\Config\svsva.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\homsiuel.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {CA026815-F417-436C-A634-F25DAEA4F1B5} - C:\WINDOWS\system32\qgtjrryr.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Reso...s.10.4.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O20 - Winlogon Notify: svsva - C:\WINDOWS\Config\svsva.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



I'm not sure if I did the re-naming right, I tried to do your method but it wouldn't find that address you gave me so I found the program a different way and tried to rename it. Tell me if I did it wrong and ill try again, thanks
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-28-2006, 06:02 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hello kmac182,

You did just fine--I had neglected to change the file path when editing my speech for your system. My apologies for the confusion.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

-------------------------------------

Close any open browsers.

-------------------------------------



Go to <<Start>> then <<Run>> then paste in the single line command then click OK

"%userprofile%\desktop\combofix.exe" /v homsiuel qgtjrryr

When finished, it shall produce a log for you that will ultimately be named ComboFix2.txt and will be located directly on the C:\ drive. We'll need that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries:

O2 - BHO: (no name) - {0888E7C1-48A1-4152-B147-D52ECF067233} - C:\WINDOWS\Config\svsva.dll
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - Winlogon Notify: svsva - C:\WINDOWS\Config\svsva.dll

Click 'Fix Checked' .

-----------------------------------

Still in HijackThis, in the lower right corner click on the Config button>Misc Tools .
  • On the screen, click on "Delete a file on reboot...".
  • Navigate to C:\WINDOWS\Config\svsva.dll and double click on that file.
  • HJT will ask you if you want to reboot, now. Click "Yes".
----------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

-----------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

ComboFix2.txt
Panda results
ComboFix.txt
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-28-2006, 07:20 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


Combofix:

Kendall - 06-11-28 19:08:29.12 Service Pack 2
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Kendall\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-28 to 2006-11-28 ))))))))))))))))))))))))))))))))))


2006-11-28 18:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-28 18:36 <DIR> d-------- C:\WINDOWS\LastGood
2006-11-28 18:15 <DIR> d-------- C:\WINDOWS\temp
2006-11-28 17:37 88,340 --a------ C:\WINDOWS\system32\yykdqmjx.exe
2006-11-28 17:31 88,340 --a------ C:\WINDOWS\system32\kblaikyl.exe
2006-11-28 17:31 132,116 --a------ C:\WINDOWS\system32\qgtjrryr.dll
2006-11-27 17:31 88,340 --a------ C:\WINDOWS\system32\klkctdcn.exe
2006-11-27 17:26 88,340 --a------ C:\WINDOWS\system32\csnrguem.exe
2006-11-27 17:26 42,516 --a------ C:\WINDOWS\system32\homsiuel.dll
2006-11-27 17:26 132,116 --a------ C:\WINDOWS\system32\hjpopuet.dll
2006-11-27 17:26 <DIR> d-------- C:\Program Files\VSAdd-in
2006-11-26 18:36 <DIR> d-------- C:\WINDOWS\pss
2006-11-26 18:35 218,112 --a------ C:\kmac.exe
2006-11-24 17:20 132,116 --a------ C:\WINDOWS\system32\oxkuvpqq.dll
2006-11-23 17:14 38,420 --a------ C:\WINDOWS\system32\verpbdqy.dll
2006-11-23 17:14 132,116 --a------ C:\WINDOWS\system32\vnlcqvpm.dll
2006-11-19 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-19 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-19 17:03 5,037,072 --a------ C:\spybotsd14.exe
2006-11-15 23:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-15 23:55 <DIR> d-------- C:\7256fbfbf1f5068a0b3bb1
2006-11-15 17:52 <DIR> d-------- C:\Program Files\AOL Pictures
2006-11-14 19:14 <DIR> d--h----- C:\Program Files\Zero G Registry
2006-11-14 19:14 <DIR> d-------- C:\Program Files\Rosetta Stone
2006-11-14 19:13 <DIR> d--h----- C:\Documents and Settings\Kendall\InstallAnywhere
2006-11-10 06:58 110,612 --a------ C:\WINDOWS\system32\ldrdfjnd.exe
2006-11-09 16:49 110,612 --a------ C:\WINDOWS\system32\ujgtqyai.exe
2006-11-09 15:47 110,612 --a------ C:\WINDOWS\system32\btanamwt.exe
2006-11-08 19:47 110,612 --a------ C:\WINDOWS\system32\idhsgfvs.exe
2006-11-07 19:44 118,804 --a------ C:\WINDOWS\system32\yjmbhewi.dll
2006-11-06 13:11 110,612 --a------ C:\WINDOWS\system32\grpuuwmv.exe
2006-11-05 16:45 110,612 --a------ C:\WINDOWS\system32\pycvgaed.exe
2006-11-05 16:43 110,612 --a------ C:\WINDOWS\system32\sidriopw.exe
2006-11-05 10:45 110,612 --a------ C:\WINDOWS\system32\knxhetvn.exe
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 10:16 110,612 --a------ C:\WINDOWS\system32\gowtiskk.exe
2006-11-03 21:51 110,612 --a------ C:\WINDOWS\system32\bbwhxclh.exe
2006-11-03 21:30 110,612 --a------ C:\WINDOWS\system32\woptkjdj.exe
2006-11-03 21:27 110,612 --a------ C:\WINDOWS\system32\ibtvuavg.exe
2006-11-03 13:12 110,612 --a------ C:\WINDOWS\system32\fmadnhbo.exe
2006-11-02 15:59 60,436 --a------ C:\WINDOWS\system32\enajoyma.dll
2006-11-02 15:59 110,612 --a------ C:\WINDOWS\system32\fwehymsw.exe
2006-10-31 19:45 118,804 --a------ C:\WINDOWS\system32\uuarivno.dll
2006-10-30 12:38 <DIR> dr-h----- C:\Documents and Settings\Kendall\Recent
2006-10-30 12:37 <DIR> d-------- C:\Program Files\Common Files\Java
2006-10-29 12:21 <DIR> d-------- C:\Program Files\NETGEAR
2006-10-28 21:26 <DIR> d-------- C:\Documents and Settings\Kendall\Application Data\Business Logic


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-28 18:57 -------- d-------- C:\Program Files\QuickTime
2006-11-28 18:54 -------- d-------- C:\Program Files\Internet Explorer
2006-11-28 18:54 -------- d-------- C:\Program Files\GoogleAFE
2006-11-28 18:54 -------- d-------- C:\Program Files\Dell Support
2006-11-28 18:51 -------- d-------- C:\Program Files\America Online 9.0a
2006-11-28 18:51 -------- d-------- C:\Program Files\AIM
2006-11-27 20:44 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-03 14:12 6164 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-03 14:12 56 -r-hs---- C:\WINDOWS\system32\CC3DA89CEB.sys
2006-10-31 22:20 -------- d-------- C:\Program Files\VSToolbar
2006-10-30 19:12 -------- d-------- C:\Documents and Settings\Kendall\Application Data\AdobeUM
2006-10-29 17:36 -------- d-------- C:\Program Files\Java
2006-10-29 17:36 -------- d-------- C:\Program Files\Common Files
2006-10-29 12:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-29 10:27 -------- d---s---- C:\Documents and Settings\Kendall\Application Data\Microsoft
2006-10-28 14:29 908 --a------ C:\Documents and Settings\Kendall\Application Data\wklnhst.dat
2006-10-24 21:36 45525 --a------ C:\WINDOWS\system32\baialjvc.dll
2006-10-22 20:05 -------- d-------- C:\Documents and Settings\Kendall\Application Data\TPSEE
2006-10-22 14:37 67604 --a------ C:\WINDOWS\system32\cpaeuryr.exe
2006-10-19 10:09 -------- d-------- C:\Program Files\AOL
2006-10-19 09:45 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-17 21:37 45525 --a------ C:\WINDOWS\system32\rmgdlnjf.dll
2006-10-16 17:29 45525 --a------ C:\WINDOWS\system32\jhtqjylu.dll
2006-10-13 04:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 02:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-12 16:05 98324 --a------ C:\WINDOWS\system32\twgmqmyi.dll
2006-10-09 17:30 45525 --a------ C:\WINDOWS\system32\vhbwqdmy.dll
2006-10-03 09:43 86036 --a------ C:\WINDOWS\system32\omxwbojf.dll
2006-10-02 17:11 45525 --a------ C:\WINDOWS\system32\eetacftp.dll
2006-10-01 09:03 45525 --a------ C:\WINDOWS\system32\ylywwdem.dll
2006-09-28 19:28 -------- d-------- C:\Program Files\CleanUp!
2006-09-26 20:24 45525 --a------ C:\WINDOWS\system32\vctpwxvw.dll
2006-09-26 19:12 103984 --a------ C:\WINDOWS\system32\AOLDial.dll
2006-09-25 18:23 143380 --a------ C:\WINDOWS\system32\rpiufprr.exe
2006-09-19 20:25 106516 --a------ C:\WINDOWS\system32\qseybitq.dll
2006-09-19 07:38 86068 --a------ C:\WINDOWS\system32\uhvyblbu.dll
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 20:26 106516 --a------ C:\WINDOWS\system32\bqsnaewd.dll
2006-09-11 09:37 106516 --a------ C:\WINDOWS\system32\vbjevdpj.dll
2006-09-10 15:05 106516 --a------ C:\WINDOWS\system32\stbnvxql.dll
2006-09-10 12:19 106516 --a------ C:\WINDOWS\system32\avwylkwv.dll
2006-09-10 09:26 106516 --a------ C:\WINDOWS\system32\hrjrnqba.dll
2006-09-09 08:59 106516 --a------ C:\WINDOWS\system32\gkhljwmf.dll
2006-09-08 08:41 106516 --a------ C:\WINDOWS\system32\swhcdobs.dll
2006-09-07 10:12 106516 --a------ C:\WINDOWS\system32\pnjyccxt.dll
2006-09-06 20:50 106516 --a------ C:\WINDOWS\system32\nhkryunc.dll
2006-09-06 20:22 106516 --a------ C:\WINDOWS\system32\dwqjtmbm.dll
2006-09-05 18:53 106516 --a------ C:\WINDOWS\system32\dmllrglk.dll
2006-09-04 08:31 106516 --a------ C:\WINDOWS\system32\whdccbvc.dll
2006-09-03 09:32 102420 --a------ C:\WINDOWS\system32\meuufksp.dll
2006-09-02 14:56 102420 --a------ C:\WINDOWS\system32\pxodrrkm.dll
2006-09-02 07:29 102420 --a------ C:\WINDOWS\system32\luxvwyxm.dll
2006-09-01 09:35 102420 --a------ C:\WINDOWS\system32\rkkuccre.dll
2006-08-29 07:29 13844 --a------ C:\WINDOWS\system32\iwjriqvp.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="\"C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE\""
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146885179\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"DropBoxUtility"="\"C:\\Program Files\\DropBox\\DropBox\\DropBox.exe\" /s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 06-11-28 19:10:55.84
C:\ComboFix.txt ... 06-11-28 19:10
C:\ComboFix2.txt ... 06-11-28 18:27









Combofix2:

Kendall - 06-11-28 19:08:29.12 Service Pack 2
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Kendall\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-28 to 2006-11-28 ))))))))))))))))))))))))))))))))))


2006-11-28 18:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-28 18:36 <DIR> d-------- C:\WINDOWS\LastGood
2006-11-28 18:15 <DIR> d-------- C:\WINDOWS\temp
2006-11-28 17:37 88,340 --a------ C:\WINDOWS\system32\yykdqmjx.exe
2006-11-28 17:31 88,340 --a------ C:\WINDOWS\system32\kblaikyl.exe
2006-11-28 17:31 132,116 --a------ C:\WINDOWS\system32\qgtjrryr.dll
2006-11-27 17:31 88,340 --a------ C:\WINDOWS\system32\klkctdcn.exe
2006-11-27 17:26 88,340 --a------ C:\WINDOWS\system32\csnrguem.exe
2006-11-27 17:26 42,516 --a------ C:\WINDOWS\system32\homsiuel.dll
2006-11-27 17:26 132,116 --a------ C:\WINDOWS\system32\hjpopuet.dll
2006-11-27 17:26 <DIR> d-------- C:\Program Files\VSAdd-in
2006-11-26 18:36 <DIR> d-------- C:\WINDOWS\pss
2006-11-26 18:35 218,112 --a------ C:\kmac.exe
2006-11-24 17:20 132,116 --a------ C:\WINDOWS\system32\oxkuvpqq.dll
2006-11-23 17:14 38,420 --a------ C:\WINDOWS\system32\verpbdqy.dll
2006-11-23 17:14 132,116 --a------ C:\WINDOWS\system32\vnlcqvpm.dll
2006-11-19 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-19 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-19 17:03 5,037,072 --a------ C:\spybotsd14.exe
2006-11-15 23:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-15 23:55 <DIR> d-------- C:\7256fbfbf1f5068a0b3bb1
2006-11-15 17:52 <DIR> d-------- C:\Program Files\AOL Pictures
2006-11-14 19:14 <DIR> d--h----- C:\Program Files\Zero G Registry
2006-11-14 19:14 <DIR> d-------- C:\Program Files\Rosetta Stone
2006-11-14 19:13 <DIR> d--h----- C:\Documents and Settings\Kendall\InstallAnywhere
2006-11-10 06:58 110,612 --a------ C:\WINDOWS\system32\ldrdfjnd.exe
2006-11-09 16:49 110,612 --a------ C:\WINDOWS\system32\ujgtqyai.exe
2006-11-09 15:47 110,612 --a------ C:\WINDOWS\system32\btanamwt.exe
2006-11-08 19:47 110,612 --a------ C:\WINDOWS\system32\idhsgfvs.exe
2006-11-07 19:44 118,804 --a------ C:\WINDOWS\system32\yjmbhewi.dll
2006-11-06 13:11 110,612 --a------ C:\WINDOWS\system32\grpuuwmv.exe
2006-11-05 16:45 110,612 --a------ C:\WINDOWS\system32\pycvgaed.exe
2006-11-05 16:43 110,612 --a------ C:\WINDOWS\system32\sidriopw.exe
2006-11-05 10:45 110,612 --a------ C:\WINDOWS\system32\knxhetvn.exe
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 10:16 110,612 --a------ C:\WINDOWS\system32\gowtiskk.exe
2006-11-03 21:51 110,612 --a------ C:\WINDOWS\system32\bbwhxclh.exe
2006-11-03 21:30 110,612 --a------ C:\WINDOWS\system32\woptkjdj.exe
2006-11-03 21:27 110,612 --a------ C:\WINDOWS\system32\ibtvuavg.exe
2006-11-03 13:12 110,612 --a------ C:\WINDOWS\system32\fmadnhbo.exe
2006-11-02 15:59 60,436 --a------ C:\WINDOWS\system32\enajoyma.dll
2006-11-02 15:59 110,612 --a------ C:\WINDOWS\system32\fwehymsw.exe
2006-10-31 19:45 118,804 --a------ C:\WINDOWS\system32\uuarivno.dll
2006-10-30 12:38 <DIR> dr-h----- C:\Documents and Settings\Kendall\Recent
2006-10-30 12:37 <DIR> d-------- C:\Program Files\Common Files\Java
2006-10-29 12:21 <DIR> d-------- C:\Program Files\NETGEAR
2006-10-28 21:26 <DIR> d-------- C:\Documents and Settings\Kendall\Application Data\Business Logic


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-28 18:57 -------- d-------- C:\Program Files\QuickTime
2006-11-28 18:54 -------- d-------- C:\Program Files\Internet Explorer
2006-11-28 18:54 -------- d-------- C:\Program Files\GoogleAFE
2006-11-28 18:54 -------- d-------- C:\Program Files\Dell Support
2006-11-28 18:51 -------- d-------- C:\Program Files\America Online 9.0a
2006-11-28 18:51 -------- d-------- C:\Program Files\AIM
2006-11-27 20:44 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-03 14:12 6164 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-03 14:12 56 -r-hs---- C:\WINDOWS\system32\CC3DA89CEB.sys
2006-10-31 22:20 -------- d-------- C:\Program Files\VSToolbar
2006-10-30 19:12 -------- d-------- C:\Documents and Settings\Kendall\Application Data\AdobeUM
2006-10-29 17:36 -------- d-------- C:\Program Files\Java
2006-10-29 17:36 -------- d-------- C:\Program Files\Common Files
2006-10-29 12:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-29 10:27 -------- d---s---- C:\Documents and Settings\Kendall\Application Data\Microsoft
2006-10-28 14:29 908 --a------ C:\Documents and Settings\Kendall\Application Data\wklnhst.dat
2006-10-24 21:36 45525 --a------ C:\WINDOWS\system32\baialjvc.dll
2006-10-22 20:05 -------- d-------- C:\Documents and Settings\Kendall\Application Data\TPSEE
2006-10-22 14:37 67604 --a------ C:\WINDOWS\system32\cpaeuryr.exe
2006-10-19 10:09 -------- d-------- C:\Program Files\AOL
2006-10-19 09:45 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-17 21:37 45525 --a------ C:\WINDOWS\system32\rmgdlnjf.dll
2006-10-16 17:29 45525 --a------ C:\WINDOWS\system32\jhtqjylu.dll
2006-10-13 04:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 02:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-12 16:05 98324 --a------ C:\WINDOWS\system32\twgmqmyi.dll
2006-10-09 17:30 45525 --a------ C:\WINDOWS\system32\vhbwqdmy.dll
2006-10-03 09:43 86036 --a------ C:\WINDOWS\system32\omxwbojf.dll
2006-10-02 17:11 45525 --a------ C:\WINDOWS\system32\eetacftp.dll
2006-10-01 09:03 45525 --a------ C:\WINDOWS\system32\ylywwdem.dll
2006-09-28 19:28 -------- d-------- C:\Program Files\CleanUp!
2006-09-26 20:24 45525 --a------ C:\WINDOWS\system32\vctpwxvw.dll
2006-09-26 19:12 103984 --a------ C:\WINDOWS\system32\AOLDial.dll
2006-09-25 18:23 143380 --a------ C:\WINDOWS\system32\rpiufprr.exe
2006-09-19 20:25 106516 --a------ C:\WINDOWS\system32\qseybitq.dll
2006-09-19 07:38 86068 --a------ C:\WINDOWS\system32\uhvyblbu.dll
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 20:26 106516 --a------ C:\WINDOWS\system32\bqsnaewd.dll
2006-09-11 09:37 106516 --a------ C:\WINDOWS\system32\vbjevdpj.dll
2006-09-10 15:05 106516 --a------ C:\WINDOWS\system32\stbnvxql.dll
2006-09-10 12:19 106516 --a------ C:\WINDOWS\system32\avwylkwv.dll
2006-09-10 09:26 106516 --a------ C:\WINDOWS\system32\hrjrnqba.dll
2006-09-09 08:59 106516 --a------ C:\WINDOWS\system32\gkhljwmf.dll
2006-09-08 08:41 106516 --a------ C:\WINDOWS\system32\swhcdobs.dll
2006-09-07 10:12 106516 --a------ C:\WINDOWS\system32\pnjyccxt.dll
2006-09-06 20:50 106516 --a------ C:\WINDOWS\system32\nhkryunc.dll
2006-09-06 20:22 106516 --a------ C:\WINDOWS\system32\dwqjtmbm.dll
2006-09-05 18:53 106516 --a------ C:\WINDOWS\system32\dmllrglk.dll
2006-09-04 08:31 106516 --a------ C:\WINDOWS\system32\whdccbvc.dll
2006-09-03 09:32 102420 --a------ C:\WINDOWS\system32\meuufksp.dll
2006-09-02 14:56 102420 --a------ C:\WINDOWS\system32\pxodrrkm.dll
2006-09-02 07:29 102420 --a------ C:\WINDOWS\system32\luxvwyxm.dll
2006-09-01 09:35 102420 --a------ C:\WINDOWS\system32\rkkuccre.dll
2006-08-29 07:29 13844 --a------ C:\WINDOWS\system32\iwjriqvp.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="\"C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE\""
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146885179\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"DropBoxUtility"="\"C:\\Program Files\\DropBox\\DropBox\\DropBox.exe\" /s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 06-11-28 19:10:55.84
C:\ComboFix.txt ... 06-11-28 19:10
C:\ComboFix2.txt ... 06-11-28 18:27






Panda Results:

Incident Status Location

Adware:Adware/AdwareShooter Not disinfected C:\WINDOWS\Config\svsva.dll
Possible Virus. Not disinfected C:\dell\Utilities\DSR\demo\DEMO.EXE
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Kendall\Application Data\Mozilla\Firefox\Profiles\pauky5t6.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Kendall\Application Data\Mozilla\Firefox\Profiles\pauky5t6.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kendall\Application Data\Mozilla\Firefox\Profiles\pauky5t6.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Kendall\Application Data\Mozilla\Firefox\Profiles\pauky5t6.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kendall\Application Data\Mozilla\Firefox\Profiles\pauky5t6.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@fastclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@go[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@media.fastclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@realmedia[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@stats1.reliablestats[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@target[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@tribalfusion[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@winantivirus[2].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@www.systemdoctor[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@zedo[2].txt
Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\aqducosp.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\arelpjgk.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\avwylkwv.dll
Potentially unwanted tool:Application/WinFixer2006 Not disinfected C:\WINDOWS\system32\baialjvc.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\bbwhxclh.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\bqsnaewd.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\btanamwt.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ckdwgukx.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\cpaeuryr.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\csnrguem.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\dmllrglk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\dwqjtmbm.dll
Potentially unwanted tool:Application/WinFixer2006 Not disinfected C:\WINDOWS\system32\eetacftp.dll
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\eipujlbj.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\enajoyma.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\fmadnhbo.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\fwehymsw.exe
Adware:Adware/Popuper Not disinfected C:\WINDOWS\system32\gevyvafo.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gkhljwmf.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\gowtiskk.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\grpuuwmv.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\gudgcxyi.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\hjpopuet.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hrjrnqba.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ibtvuavg.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\idhsgfvs.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\iwjriqvp.exe
Potentially unwanted tool:Application/WinFixer2006 Not disinfected C:\WINDOWS\system32\jhtqjylu.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\kblaikyl.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\kctolslc.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\klkctdcn.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\knxhetvn.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ldrdfjnd.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\luxvwyxm.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\lydkuwtt.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\meuufksp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nhkryunc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\omxwbojf.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\oxkuvpqq.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\pnjyccxt.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\pxodrrkm.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\pycvgaed.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qseybitq.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\rkkuccre.dll
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\rmbxinde.exe
Potentially unwanted tool:Application/WinFixer2006 Not disinfected C:\WINDOWS\system32\rmgdlnjf.dll
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\rphswidr.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\rpiufprr.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\sidriopw.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\stbnvxql.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\swhcdobs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\twgmqmyi.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ufolmtnm.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\uhvyblbu.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ujgtqyai.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vbjevdpj.dll
Potentially unwanted tool:Application/WinFixer2006 Not disinfected C:\WINDOWS\system32\vctpwxvw.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\verpbdqy.dll
Potentially unwanted tool:Application/WinFixer2006 Not disinfected C:\WINDOWS\system32\vhbwqdmy.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\vnlcqvpm.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\vruynixm.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\whdccbvc.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\woptkjdj.exe
Potentially unwanted tool:Application/WinFixer2006 Not disinfected C:\WINDOWS\system32\ylywwdem.dll
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\yqmlgeqt.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\yykdqmjx.exe




New Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:20:39 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1146885179\ee\aolsoftware.exe
c:\program files\common files\aol\1146885179\ee\AOLOpenRide.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Kendall\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Reso...s.10.4.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-28-2006, 07:37 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hi,

It appears you ran combofix.exe both times. To kill the main infection, we need to run it as follows:

Click Start>Run and copy/pasting this command--exactly as shown in the bold red text--into the Run box.

"%userprofile%\desktop\combofix.exe" /v homsiuel qgtjrryr

If the program hangs at /wow, please do the following:

On your keyboard press Ctrl Alt Del to bring up the Task Manager.
Look for findstr.exe
Click on that file, then click End Process.

Combofix should now finish running for you. The log produced will be ComboFix.txt for this run.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-28-2006, 07:46 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


Kendall - 06-11-28 19:41:30.15 Service Pack 2
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Kendall\desktop"
Command switches used :: /v homsiuel qgtjrryr

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\homsiuel.dll
C:\WINDOWS\system32\qgtjrryr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2006-10-28 to 2006-11-28 ))))))))))))))))))))))))))))))))))


2006-11-28 19:42 <DIR> d-------- C:\WINDOWS\erdnt
2006-11-28 19:10 <DIR> d-------- C:\WINDOWS\temp
2006-11-28 18:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-28 17:37 88,340 --a------ C:\WINDOWS\system32\yykdqmjx.exe
2006-11-28 17:31 88,340 --a------ C:\WINDOWS\system32\kblaikyl.exe
2006-11-27 17:31 88,340 --a------ C:\WINDOWS\system32\klkctdcn.exe
2006-11-27 17:26 88,340 --a------ C:\WINDOWS\system32\csnrguem.exe
2006-11-27 17:26 132,116 --a------ C:\WINDOWS\system32\hjpopuet.dll
2006-11-27 17:26 <DIR> d-------- C:\Program Files\VSAdd-in
2006-11-26 18:36 <DIR> d-------- C:\WINDOWS\pss
2006-11-26 18:35 218,112 --a------ C:\kmac.exe
2006-11-24 17:20 132,116 --a------ C:\WINDOWS\system32\oxkuvpqq.dll
2006-11-23 17:14 38,420 --a------ C:\WINDOWS\system32\verpbdqy.dll
2006-11-23 17:14 132,116 --a------ C:\WINDOWS\system32\vnlcqvpm.dll
2006-11-19 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-19 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-19 17:03 5,037,072 --a------ C:\spybotsd14.exe
2006-11-15 23:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-15 23:55 <DIR> d-------- C:\7256fbfbf1f5068a0b3bb1
2006-11-15 17:52 <DIR> d-------- C:\Program Files\AOL Pictures
2006-11-14 19:14 <DIR> d--h----- C:\Program Files\Zero G Registry
2006-11-14 19:14 <DIR> d-------- C:\Program Files\Rosetta Stone
2006-11-14 19:13 <DIR> d--h----- C:\Documents and Settings\Kendall\InstallAnywhere
2006-11-10 06:58 110,612 --a------ C:\WINDOWS\system32\ldrdfjnd.exe
2006-11-09 16:49 110,612 --a------ C:\WINDOWS\system32\ujgtqyai.exe
2006-11-09 15:47 110,612 --a------ C:\WINDOWS\system32\btanamwt.exe
2006-11-08 19:47 110,612 --a------ C:\WINDOWS\system32\idhsgfvs.exe
2006-11-07 19:44 118,804 --a------ C:\WINDOWS\system32\yjmbhewi.dll
2006-11-06 13:11 110,612 --a------ C:\WINDOWS\system32\grpuuwmv.exe
2006-11-05 16:45 110,612 --a------ C:\WINDOWS\system32\pycvgaed.exe
2006-11-05 16:43 110,612 --a------ C:\WINDOWS\system32\sidriopw.exe
2006-11-05 10:45 110,612 --a------ C:\WINDOWS\system32\knxhetvn.exe
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 10:16 110,612 --a------ C:\WINDOWS\system32\gowtiskk.exe
2006-11-03 21:51 110,612 --a------ C:\WINDOWS\system32\bbwhxclh.exe
2006-11-03 21:30 110,612 --a------ C:\WINDOWS\system32\woptkjdj.exe
2006-11-03 21:27 110,612 --a------ C:\WINDOWS\system32\ibtvuavg.exe
2006-11-03 13:12 110,612 --a------ C:\WINDOWS\system32\fmadnhbo.exe
2006-11-02 15:59 60,436 --a------ C:\WINDOWS\system32\enajoyma.dll
2006-11-02 15:59 110,612 --a------ C:\WINDOWS\system32\fwehymsw.exe
2006-10-31 19:45 118,804 --a------ C:\WINDOWS\system32\uuarivno.dll
2006-10-30 12:38 <DIR> dr-h----- C:\Documents and Settings\Kendall\Recent
2006-10-30 12:37 <DIR> d-------- C:\Program Files\Common Files\Java
2006-10-29 12:21 <DIR> d-------- C:\Program Files\NETGEAR
2006-10-28 21:26 <DIR> d-------- C:\Documents and Settings\Kendall\Application Data\Business Logic


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-28 18:57 -------- d-------- C:\Program Files\QuickTime
2006-11-28 18:54 -------- d-------- C:\Program Files\Internet Explorer
2006-11-28 18:54 -------- d-------- C:\Program Files\GoogleAFE
2006-11-28 18:54 -------- d-------- C:\Program Files\Dell Support
2006-11-28 18:51 -------- d-------- C:\Program Files\America Online 9.0a
2006-11-28 18:51 -------- d-------- C:\Program Files\AIM
2006-11-27 20:44 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-03 14:12 6164 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-03 14:12 56 -r-hs---- C:\WINDOWS\system32\CC3DA89CEB.sys
2006-10-31 22:20 -------- d-------- C:\Program Files\VSToolbar
2006-10-30 19:12 -------- d-------- C:\Documents and Settings\Kendall\Application Data\AdobeUM
2006-10-29 17:36 -------- d-------- C:\Program Files\Java
2006-10-29 17:36 -------- d-------- C:\Program Files\Common Files
2006-10-29 12:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-29 10:27 -------- d---s---- C:\Documents and Settings\Kendall\Application Data\Microsoft
2006-10-28 14:29 908 --a------ C:\Documents and Settings\Kendall\Application Data\wklnhst.dat
2006-10-24 21:36 45525 --a------ C:\WINDOWS\system32\baialjvc.dll
2006-10-22 20:05 -------- d-------- C:\Documents and Settings\Kendall\Application Data\TPSEE
2006-10-22 14:37 67604 --a------ C:\WINDOWS\system32\cpaeuryr.exe
2006-10-19 10:09 -------- d-------- C:\Program Files\AOL
2006-10-19 09:45 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-17 21:37 45525 --a------ C:\WINDOWS\system32\rmgdlnjf.dll
2006-10-16 17:29 45525 --a------ C:\WINDOWS\system32\jhtqjylu.dll
2006-10-13 04:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 02:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-12 16:05 98324 --a------ C:\WINDOWS\system32\twgmqmyi.dll
2006-10-09 17:30 45525 --a------ C:\WINDOWS\system32\vhbwqdmy.dll
2006-10-03 09:43 86036 --a------ C:\WINDOWS\system32\omxwbojf.dll
2006-10-02 17:11 45525 --a------ C:\WINDOWS\system32\eetacftp.dll
2006-10-01 09:03 45525 --a------ C:\WINDOWS\system32\ylywwdem.dll
2006-09-28 19:28 -------- d-------- C:\Program Files\CleanUp!
2006-09-26 20:24 45525 --a------ C:\WINDOWS\system32\vctpwxvw.dll
2006-09-26 19:12 103984 --a------ C:\WINDOWS\system32\AOLDial.dll
2006-09-25 18:23 143380 --a------ C:\WINDOWS\system32\rpiufprr.exe
2006-09-19 20:25 106516 --a------ C:\WINDOWS\system32\qseybitq.dll
2006-09-19 07:38 86068 --a------ C:\WINDOWS\system32\uhvyblbu.dll
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 20:26 106516 --a------ C:\WINDOWS\system32\bqsnaewd.dll
2006-09-11 09:37 106516 --a------ C:\WINDOWS\system32\vbjevdpj.dll
2006-09-10 15:05 106516 --a------ C:\WINDOWS\system32\stbnvxql.dll
2006-09-10 12:19 106516 --a------ C:\WINDOWS\system32\avwylkwv.dll
2006-09-10 09:26 106516 --a------ C:\WINDOWS\system32\hrjrnqba.dll
2006-09-09 08:59 106516 --a------ C:\WINDOWS\system32\gkhljwmf.dll
2006-09-08 08:41 106516 --a------ C:\WINDOWS\system32\swhcdobs.dll
2006-09-07 10:12 106516 --a------ C:\WINDOWS\system32\pnjyccxt.dll
2006-09-06 20:50 106516 --a------ C:\WINDOWS\system32\nhkryunc.dll
2006-09-06 20:22 106516 --a------ C:\WINDOWS\system32\dwqjtmbm.dll
2006-09-05 18:53 106516 --a------ C:\WINDOWS\system32\dmllrglk.dll
2006-09-04 08:31 106516 --a------ C:\WINDOWS\system32\whdccbvc.dll
2006-09-03 09:32 102420 --a------ C:\WINDOWS\system32\meuufksp.dll
2006-09-02 14:56 102420 --a------ C:\WINDOWS\system32\pxodrrkm.dll
2006-09-02 07:29 102420 --a------ C:\WINDOWS\system32\luxvwyxm.dll
2006-09-01 09:35 102420 --a------ C:\WINDOWS\system32\rkkuccre.dll
2006-08-29 07:29 13844 --a------ C:\WINDOWS\system32\iwjriqvp.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="\"C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE\""
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146885179\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"DropBoxUtility"="\"C:\\Program Files\\DropBox\\DropBox\\DropBox.exe\" /s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 06-11-28 19:44:09.76
C:\ComboFix.txt ... 06-11-28 19:44
C:\ComboFix2.txt ... 06-11-28 19:10
C:\ComboFix3.txt ... 06-11-28 19:12


I'm sorry, I'm really bad at these kind of things. Thanks so much for helping me out.
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-28-2006, 08:13 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hiya,

No worries--that's what we're here for.

I see at least 50 files that need to be deleted. I'd like to see if this next tool will help take out some of them for us. If not, we'll go after them manually in the next round.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.

------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

VSAdd-in
VSToolbar

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Using My Computer, navigate to and delete the following Folders if they still exist.

C:\Program Files\ VSAdd-in
C:\Program Files\ VSToolbar

-----------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

-----------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------------------------

Run a new scan with kmac.exe and save the log.

-----------------------------------

Please include the following in your next reply:

AVG Anti-Spyware results
Panda results
ComboFix.txt
New HijackThis log (kmac.exe)
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Last edited by Ried; 11-28-2006 at 08:14 PM.
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-29-2006, 03:17 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


AVG anti-spyware results:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:18:59 PM 11/29/2006

+ Scan result:



C:\WINDOWS\system32\cpaeuryr.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rpiufprr.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\uuarivno.dll -> Adware.Winfixer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\yjmbhewi.dll -> Adware.Winfixer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\avwylkwv.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\baialjvc.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bqsnaewd.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmllrglk.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dwqjtmbm.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\eetacftp.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gkhljwmf.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hrjrnqba.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jhtqjylu.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\luxvwyxm.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\meuufksp.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nhkryunc.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pnjyccxt.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pxodrrkm.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\qseybitq.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rkkuccre.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rmgdlnjf.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\stbnvxql.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\swhcdobs.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vbjevdpj.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vctpwxvw.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vhbwqdmy.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\whdccbvc.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ylywwdem.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\aqducosp.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lydkuwtt.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rmbxinde.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\arelpjgk.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ckdwgukx.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gudgcxyi.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iwjriqvp.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kctolslc.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ufolmtnm.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vruynixm.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gevyvafo.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\enajoyma.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\omxwbojf.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\uhvyblbu.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\eipujlbj.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rphswidr.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\yqmlgeqt.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).


::Report end







Panda results:

Incident Status Location

Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\ujkwikjq.dll
Adware:Adware/AdwareShooter Not disinfected C:\WINDOWS\Config\svsva.dll
Possible Virus. Not disinfected C:\dell\Utilities\DSR\demo\DEMO.EXE
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@2o7[1].txt
Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\bbwhxclh.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\btanamwt.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\fmadnhbo.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\fwehymsw.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\gowtiskk.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\grpuuwmv.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\hjpopuet.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ibtvuavg.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\idhsgfvs.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\knxhetvn.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ldrdfjnd.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\oxkuvpqq.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\pycvgaed.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\sidriopw.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\twgmqmyi.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ujgtqyai.exe
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\verpbdqy.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\vnlcqvpm.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\woptkjdj.exe






Combofix.txt:

Kendall - 06-11-29 15:01:47.96 Service Pack 2
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Kendall\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-29 to 2006-11-29 ))))))))))))))))))))))))))))))))))


2006-11-29 13:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-29 13:35 <DIR> d-------- C:\Program Files\Grisoft
2006-11-28 19:44 42,516 --a------ C:\WINDOWS\system32\ujkwikjq.dll
2006-11-28 19:44 <DIR> d-------- C:\WINDOWS\temp
2006-11-28 19:42 <DIR> d-------- C:\WINDOWS\erdnt
2006-11-28 18:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-27 17:26 132,116 --a------ C:\WINDOWS\system32\hjpopuet.dll
2006-11-26 18:36 <DIR> d-------- C:\WINDOWS\pss
2006-11-26 18:35 218,112 --a------ C:\kmac.exe
2006-11-24 17:20 132,116 --a------ C:\WINDOWS\system32\oxkuvpqq.dll
2006-11-23 17:14 38,420 --a------ C:\WINDOWS\system32\verpbdqy.dll
2006-11-23 17:14 132,116 --a------ C:\WINDOWS\system32\vnlcqvpm.dll
2006-11-19 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-19 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-19 17:03 5,037,072 --a------ C:\spybotsd14.exe
2006-11-15 23:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-15 23:55 <DIR> d-------- C:\7256fbfbf1f5068a0b3bb1
2006-11-15 17:52 <DIR> d-------- C:\Program Files\AOL Pictures
2006-11-14 19:14 <DIR> d--h----- C:\Program Files\Zero G Registry
2006-11-14 19:14 <DIR> d-------- C:\Program Files\Rosetta Stone
2006-11-14 19:13 <DIR> d--h----- C:\Documents and Settings\Kendall\InstallAnywhere
2006-11-10 06:58 110,612 --a------ C:\WINDOWS\system32\ldrdfjnd.exe
2006-11-09 16:49 110,612 --a------ C:\WINDOWS\system32\ujgtqyai.exe
2006-11-09 15:47 110,612 --a------ C:\WINDOWS\system32\btanamwt.exe
2006-11-08 19:47 110,612 --a------ C:\WINDOWS\system32\idhsgfvs.exe
2006-11-06 13:11 110,612 --a------ C:\WINDOWS\system32\grpuuwmv.exe
2006-11-05 16:45 110,612 --a------ C:\WINDOWS\system32\pycvgaed.exe
2006-11-05 16:43 110,612 --a------ C:\WINDOWS\system32\sidriopw.exe
2006-11-05 10:45 110,612 --a------ C:\WINDOWS\system32\knxhetvn.exe
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 10:16 110,612 --a------ C:\WINDOWS\system32\gowtiskk.exe
2006-11-03 21:51 110,612 --a------ C:\WINDOWS\system32\bbwhxclh.exe
2006-11-03 21:30 110,612 --a------ C:\WINDOWS\system32\woptkjdj.exe
2006-11-03 21:27 110,612 --a------ C:\WINDOWS\system32\ibtvuavg.exe
2006-11-03 13:12 110,612 --a------ C:\WINDOWS\system32\fmadnhbo.exe
2006-11-02 15:59 110,612 --a------ C:\WINDOWS\system32\fwehymsw.exe
2006-10-30 12:38 <DIR> dr-h----- C:\Documents and Settings\Kendall\Recent
2006-10-30 12:37 <DIR> d-------- C:\Program Files\Common Files\Java
2006-10-29 12:21 <DIR> d-------- C:\Program Files\NETGEAR


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-29 14:50 -------- d-------- C:\Program Files\QuickTime
2006-11-29 14:48 -------- d-------- C:\Program Files\Internet Explorer
2006-11-29 14:47 -------- d-------- C:\Program Files\GoogleAFE
2006-11-29 14:47 -------- d-------- C:\Program Files\Dell Support
2006-11-29 14:44 -------- d-------- C:\Program Files\America Online 9.0a
2006-11-29 14:44 -------- d-------- C:\Program Files\AIM
2006-11-27 20:44 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-03 14:12 6164 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-03 14:12 56 -r-hs---- C:\WINDOWS\system32\CC3DA89CEB.sys
2006-10-30 19:12 -------- d-------- C:\Documents and Settings\Kendall\Application Data\AdobeUM
2006-10-29 17:36 -------- d-------- C:\Program Files\Java
2006-10-29 17:36 -------- d-------- C:\Program Files\Common Files
2006-10-29 12:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-29 10:27 -------- d---s---- C:\Documents and Settings\Kendall\Application Data\Microsoft
2006-10-28 21:26 -------- d-------- C:\Documents and Settings\Kendall\Application Data\Business Logic
2006-10-28 14:29 908 --a------ C:\Documents and Settings\Kendall\Application Data\wklnhst.dat
2006-10-22 20:05 -------- d-------- C:\Documents and Settings\Kendall\Application Data\TPSEE
2006-10-19 10:09 -------- d-------- C:\Program Files\AOL
2006-10-19 09:45 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-13 04:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 02:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-12 16:05 98324 --a------ C:\WINDOWS\system32\twgmqmyi.dll
2006-09-26 19:12 103984 --a------ C:\WINDOWS\system32\AOLDial.dll
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="\"C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE\""
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146885179\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"DropBoxUtility"="\"C:\\Program Files\\DropBox\\DropBox\\DropBox.exe\" /s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 06-11-29 15:04:16.90
C:\ComboFix.txt ... 06-11-29 15:04
C:\ComboFix2.txt ... 06-11-28 19:44
C:\ComboFix3.txt ... 06-11-28 19:10






New hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:09:50 PM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\AOL\1146885179\ee\aolsoftware.exe
c:\program files\common files\aol\1146885179\ee\AOLOpenRide.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Kendall\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\kmac.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ujkwikjq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {B76DC9C6-8E5C-4626-ADFD-6BAF9C592D40} - C:\WINDOWS\Config\svsva.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Reso...s.10.4.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: svsva - C:\WINDOWS\Config\svsva.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-29-2006, 08:31 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hi kmac182,

Gotta love that AVG Anti-Spyware--it tool out the bulk for us. Let's go get the rest of it now.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. (it's important that you get version v2.0.0.175)

-----------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ujkwikjq.dll
O2 - BHO: (no name) - {B76DC9C6-8E5C-4626-ADFD-6BAF9C592D40} - C:\WINDOWS\Config\svsva.dll
O20 - Winlogon Notify: svsva - C:\WINDOWS\Config\svsva.dll

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Launch KillBox.exe & select the following options:
  • delete on Reboot
Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\system32\ujkwikjq.dll
C:\WINDOWS\Config\svsva.dll
C:\WINDOWS\system32\bbwhxclh.exe
C:\WINDOWS\system32\btanamwt.exe
C:\WINDOWS\system32\fmadnhbo.exe
C:\WINDOWS\system32\fwehymsw.exe
C:\WINDOWS\system32\gowtiskk.exe
C:\WINDOWS\system32\grpuuwmv.exe
C:\WINDOWS\system32\hjpopuet.dll
C:\WINDOWS\system32\ibtvuavg.exe
C:\WINDOWS\system32\idhsgfvs.exe
C:\WINDOWS\system32\knxhetvn.exe
C:\WINDOWS\system32\ldrdfjnd.exe
C:\WINDOWS\system32\oxkuvpqq.dll
C:\WINDOWS\system32\pycvgaed.exe
C:\WINDOWS\system32\sidriopw.exe
C:\WINDOWS\system32\twgmqmyi.dll
C:\WINDOWS\system32\ujgtqyai.exe
C:\WINDOWS\system32\verpbdqy.dll
C:\WINDOWS\system32\vnlcqvpm.dll
C:\WINDOWS\system32\woptkjdj.exe

Within Killbox, go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there

Select/tick the following:

* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click YES at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run [b]missingfilesetup.exe[/color]. Then try Killbox again.

----------------------------------

From Normal Mode, run another online scan at Panda and save the results.

----------------------------------

Run another scan with kmac.exe and save the log.

----------------------------------

Please include the following in your next reply:

Panda results
New HijackThis log (kmac.exe)
Update on how your system is behaving.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 11-30-2006, 03:22 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


Panda results:


Incident Status Location

Adware:Adware/AdwareShooter Not disinfected C:\WINDOWS\Config\svsva.dll
Adware:Adware/WebSearch Not disinfected C:\backups\backup-20061130-093440-899.dll
Possible Virus. Not disinfected C:\dell\Utilities\DSR\demo\DEMO.EXE
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@2o7[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@ads.pointroll[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@atwola[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@realmedia[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@stats1.reliablestats[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Kendall\Cookies\kendall@tribalfusion[1].txt
Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]
Possible Virus. Not disinfected C:\WINDOWS\system32\uhhxhrks.dll




new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 2:58:10 PM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1146885179\ee\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\kmac.exe
c:\program files\common files\aol\1146885179\ee\AOLOpenRide.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.facebook.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44CB56F8-9D4F-4E5C-BDFC-41D7CE559B12} - C:\WINDOWS\Config\svsva.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {CA026815-F417-436C-A634-F25DAEA4F1B5} - C:\WINDOWS\system32\uhhxhrks.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Reso...s.10.4.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: svsva - C:\WINDOWS\Config\svsva.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe







I think my system is behaving better. Its still finding things when i can. Any suggestions on extra protection for my computer?
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-01-2006, 06:05 AM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hi,

We're not quite through yet--still have stragglers.

Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
  • Double-click VundoFix.exe to run it.
  • Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes
    • C:\WINDOWS\system32\uhhxhrks.dll
    • C:\WINDOWS\Config\svsva.dll
  • Click Add Files and Click Close Window
Repeat the above procedure for these files:
  • Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes
    • C:\WINDOWS\system32\skrhxhhu.*
    • C:\WINDOWS\Config\avsvs.*
  • Click Add Files and Click Close Window
Click Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • It will produce a log of it's actions at C:\vundofix.txt

Run a new scan with kmac.exe and save the log.

Please include the following in your next reply:

vundofix.txt
New kmac.exe log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-03-2006, 11:12 AM   #14 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


Hi,

Ok so the vundofix showed nothing wrong and never gave me a log. SO heres the kmac.exe log:

Logfile of HijackThis v1.99.1
Scan saved at 11:11:23 AM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1146885179\ee\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\common files\aol\1146885179\ee\AOLOpenRide.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\WINDOWS\system32\notepad.exe
C:\kmac.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.facebook.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\aracvmvi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {B00C2C1B-FA27-4AC3-B356-45FB054575FF} - C:\WINDOWS\Config\svsva.dll (file missing)
O2 - BHO: (no name) - {CA026815-F417-436C-A634-F25DAEA4F1B5} - C:\WINDOWS\system32\vqecxbch.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Reso...s.10.4.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-03-2006, 05:44 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Go to <<Start>> then <<Run>> then copy/paste the following red text into the Run box then click OK

"%userprofile%\desktop\combofix.exe" /v aracvmvi vqecxbch

When finished, it shall produce a log for you. We'll need that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------------------------

From Normal Mode:


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries:

O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\aracvmvi.dll
O2 - BHO: (no name) - {B00C2C1B-FA27-4AC3-B356-45FB054575FF} - C:\WINDOWS\Config\svsva.dll (file missing)
O2 - BHO: (no name) - {CA026815-F417-436C-A634-F25DAEA4F1B5} - C:\WINDOWS\system32\vqecxbch.dll


Click 'Fix Checked' and close HijackThis.

-----------------------------------

Reboot your system.

-----------------------------------

I'd like to use a different online scanner this time:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
-----------------------------------

Run a new scan with kmac.exe and save the log.

-----------------------------------

Please include the following in your next reply:

ComboFix.txt
Kaspersky results
New kmac.exe log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-06-2006, 05:05 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


combofix.txt:

Kendall - 06-12-06 15:11:44.69 Service Pack 2
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Kendall\desktop"
Command switches used :: /v aracvmvi vqecxbch

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aracvmvi.dll
C:\WINDOWS\system32\vqecxbch.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2006-11-06 to 2006-12-06 ))))))))))))))))))))))))))))))))))


2006-12-03 11:00 <DIR> d-------- C:\VundoFix Backups
2006-11-30 09:34 <DIR> d-------- C:\backups
2006-11-29 16:29 <DIR> d-------- C:\Program Files\iTunes
2006-11-29 16:29 <DIR> d-------- C:\Program Files\iPod
2006-11-29 16:28 <DIR> d--hs---- C:\Config.Msi
2006-11-29 16:28 <DIR> d-------- C:\Program Files\Apple Software Update
2006-11-29 15:04 <DIR> d-------- C:\WINDOWS\temp
2006-11-29 13:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-29 13:35 <DIR> d-------- C:\Program Files\Grisoft
2006-11-28 19:42 <DIR> d-------- C:\WINDOWS\erdnt
2006-11-28 18:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-26 18:36 <DIR> d-------- C:\WINDOWS\pss
2006-11-26 18:35 218,112 --a------ C:\kmac.exe
2006-11-19 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-19 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-19 17:03 5,037,072 --a------ C:\spybotsd14.exe
2006-11-15 23:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-15 23:55 <DIR> d-------- C:\7256fbfbf1f5068a0b3bb1
2006-11-15 17:52 <DIR> d-------- C:\Program Files\AOL Pictures
2006-11-14 19:14 <DIR> d--h----- C:\Program Files\Zero G Registry
2006-11-14 19:14 <DIR> d-------- C:\Program Files\Rosetta Stone
2006-11-14 19:13 <DIR> d--h----- C:\Documents and Settings\Kendall\InstallAnywhere


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-03 12:19 1046 --a------ C:\Documents and Settings\Kendall\Application Data\wklnhst.dat
2006-12-01 22:49 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-30 10:29 -------- d-------- C:\Program Files\QuickTime
2006-11-30 10:25 -------- d-------- C:\Program Files\Dell Support
2006-11-30 10:22 -------- d-------- C:\Program Files\America Online 9.0a
2006-11-30 10:22 -------- d-------- C:\Program Files\AIM
2006-11-29 16:30 -------- d-------- C:\Documents and Settings\Kendall\Application Data\Apple Computer
2006-11-29 14:48 -------- d-------- C:\Program Files\Internet Explorer
2006-11-29 14:47 -------- d-------- C:\Program Files\GoogleAFE
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 14:12 6164 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-03 14:12 56 -r-hs---- C:\WINDOWS\system32\CC3DA89CEB.sys
2006-10-30 19:12 -------- d-------- C:\Documents and Settings\Kendall\Application Data\AdobeUM
2006-10-30 12:37 -------- d-------- C:\Program Files\Common Files\Java
2006-10-29 17:36 -------- d-------- C:\Program Files\Java
2006-10-29 17:36 -------- d-------- C:\Program Files\Common Files
2006-10-29 12:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-29 12:21 -------- d-------- C:\Program Files\NETGEAR
2006-10-29 10:27 -------- d---s---- C:\Documents and Settings\Kendall\Application Data\Microsoft
2006-10-28 21:26 -------- d-------- C:\Documents and Settings\Kendall\Application Data\Business Logic
2006-10-22 20:05 -------- d-------- C:\Documents and Settings\Kendall\Application Data\TPSEE
2006-10-19 10:09 -------- d-------- C:\Program Files\AOL
2006-10-19 09:45 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-13 04:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 02:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-09-26 19:12 103984 --a------ C:\WINDOWS\system32\AOLDial.dll
2006-09-19 15:43 109360 --a------ C:\WINDOWS\system32\GEARAspi.dll
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="\"C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE\""
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146885179\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"DropBoxUtility"="\"C:\\Program Files\\DropBox\\DropBox\\DropBox.exe\" /s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-12-06 15:15:40.92
C:\ComboFix.txt ... 06-12-06 15:15
C:\ComboFix2.txt ... 06-11-29 15:04
C:\ComboFix3.txt ... 06-11-28 19:44








kaspersky results:

Wednesday, December 06, 2006 4:53:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/12/2006
Kaspersky Anti-Virus database records: 234691
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 63258
Number of viruses found 6
Number of infected objects 40 / 0
Number of suspicious objects 0
Duration of the scan process 00:36:10

Infected Object Name Virus Name Last Action
C:\backups\backup-20061130-093440-899.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\13eef09c4a9a4f1921cb2c5e4890c397_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Kendall\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Kendall\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kendall\DropBox.log Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Documents.dfd Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Documents.did Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Documents.dsd Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kdb Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kdl Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kib Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kpf Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.ksb Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Temp\14.tmp Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Temp\JETBC2B.tmp Object is locked skipped
C:\Documents and Settings\Kendall\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kendall\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kendall\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP195\A0029439.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029610.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029611.dll Infected: Packed.Win32.Klone.k skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029612.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029613.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029614.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029615.dll Infected: Packed.Win32.Klone.k skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029616.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029617.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029618.dll Infected: Packed.Win32.Klone.k skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029619.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029620.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029621.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029622.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029623.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029624.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029625.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029626.dll Infected: Packed.Win32.Klone.k skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029627.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029628.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029629.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029630.dll Infected: Packed.Win32.Klone.k skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029631.dll Infected: Packed.Win32.Klone.k skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029632.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029633.dll Infected: Packed.Win32.Klone.k skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029634.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029635.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029636.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029637.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029638.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029639.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029640.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029645.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029646.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP196\A0029647.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP197\A0029885.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP197\A0029901.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP197\A0029903.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP203\A0031399.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP203\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{95E3AF10-0BCF-4CAD-8074-028E8ABC3678}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000005-00000000-00000004-00001102-00000004-20061102}.CDF Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.









new kmac log:

Logfile of HijackThis v1.99.1
Scan saved at 4:58:06 PM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1146885179\ee\aolsoftware.exe
c:\program files\common files\aol\1146885179\ee\AOLOpenRide.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\kmac.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146885179\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Reso...s.10.4.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-06-2006, 07:58 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hello kmac182,

Your logs are finally clean--nice work. If there aren't any more problems, please continue with these final instructions and helpful links.


Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.



To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
Now navigate to C:\ie-spyad. Double click to open it.
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4


Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected again will reduce dramatically.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-06-2006, 08:00 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 10
OS: windows XP


Thank you SOOOOO much for all your help. I will attempt the last steps tomorrow and read the articles. Thanks again!
kmac182 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-06-2006, 09:03 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


You're welcome, kmac182.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 05:20 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84