08-25-2007, 10:16 PM   #1
Robert_R (Registered User)
Join Date: Jan 2005
Posts: 188
OS: Windows XP Professional


Bho [Moved from General Security]

I have SpywareGuard on my computer and this evening I keep getting this:

(See screenshot)

How can I get rid of this? I've run Spy-Bot and Ad-Aware 2007 Pro, restarted, and it still came up.

Note: I ran Spy-Bot from Safe Mode and it couldn't delete it. Spy-Bot suggested running it upon restart, which I did, but it still couldn't take care of it.

Thanks!!

I tried to delete mljjk.dll from C:/Windows/System32 but it claims that it is in use by another person or program.
Attached Images
File Type: jpg BHO.jpg (30.3 KB, 6 views)

Last edited by Robert_R; 08-25-2007 at 10:18 PM.

08-26-2007, 12:07 AM   #2
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Bho

Hello

That is a very specific infection that needs specific procedures to remove properly. Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply so we can begin cleaning the system:

main.txt
an attached extra.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
08-26-2007, 10:02 AM   #3
Robert_R (Registered User)
Join Date: Jan 2005
Posts: 188
OS: Windows XP Professional


Re: Bho [Moved from General Security]

Deckard's System Scanner v20070819.64
Run by Bob on 2007-08-26 11:49:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
62: 2007-08-26 15:49:53 UTC - RP62 - Deckard's System Scanner Restore Point
61: 2007-08-24 18:50:41 UTC - RP61 - System Checkpoint
60: 2007-08-23 17:26:49 UTC - RP60 - System Checkpoint
59: 2007-08-22 00:04:20 UTC - RP59 - System Checkpoint
58: 2007-08-20 22:54:05 UTC - RP58 - System Checkpoint


-- First Restore Point --
1: 2007-07-20 00:53:11 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Bob.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:12 AM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ViceVersa Pro 2\VVLAUNCHER\VVLAUNCHER.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Bob\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bob.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nyyankees.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74AEAE99-E4A6-45CE-8B64-2EDB63442166} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VVLauncher 2] "C:\Program Files\ViceVersa Pro 2\VVLAUNCHER\VVLAUNCHER.EXE"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: gebxyyw - gebxyyw.dll (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

--
End of file - 11388 bytes

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 SnoopFree (SnoopFree Driver) - c:\windows\system32\drivers\snopfree.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper (TM) Disk Defragmenter>
R2 SnoopFreeSvc (Snoop Free Service) - system32\snoopfreesvc.exe
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-08-25 10:35:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-26 and 2007-08-26 -----------------------------

2007-08-26 11:51:01 0 d-------- C:\Program Files\Trend Micro
2007-08-26 11:48:32 1628708 ---hs---- C:\WINDOWS\system32\kjjlm.bak2
2007-08-25 22:15:14 6473 --ahs---- C:\WINDOWS\system32\kjjlm.bak1
2007-08-25 22:15:09 298080 --a------ C:\WINDOWS\system32\mljjk.dll
2007-08-21 15:23:47 0 d-------- C:\Documents and Settings\Christine\Shared
2007-08-21 15:23:43 0 d-------- C:\Documents and Settings\Christine\Incomplete
2007-08-21 15:23:30 0 d-------- C:\Documents and Settings\Christine\Application Data\LimeWire
2007-08-16 08:49:11 0 dr-h----- C:\Documents and Settings\Bob\Recent
2007-08-13 21:41:48 0 d-------- C:\Documents and Settings\Bob\Application Data\TechSmith
2007-08-13 21:34:27 0 d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-08-13 21:34:23 0 d-------- C:\Program Files\TechSmith
2007-08-04 10:39:08 0 d-------- C:\Program Files\iPod
2007-08-04 10:39:05 0 d-------- C:\Program Files\iTunes
2007-08-03 23:25:09 0 d-------- C:\Program Files\The Flash Ad Creator v2.5
2007-07-29 20:44:35 0 dr-h----- C:\Documents and Settings\Christine\Recent
2007-07-29 20:39:10 0 d-------- C:\Documents and Settings\All Users\Application Data\ViceVersa PRO 2
2007-07-29 20:38:21 0 d-------- C:\Program Files\ViceVersa Pro 2
2007-07-29 08:52:13 0 d-------- C:\Documents and Settings\Christine\Application Data\Adobe
2007-07-28 23:24:29 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-07-28 23:16:59 0 d-------- C:\Documents and Settings\All Users\Application Data\ALM
2007-07-28 23:01:58 0 d-------- C:\Program Files\Bonjour
2007-07-28 22:58:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-07-27 08:20:24 0 d-------- C:\Documents and Settings\Christine\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2007-08-26 08:55:11 0 d-------- C:\Documents and Settings\Bob\Application Data\AVG7
2007-08-25 23:43:25 0 d-------- C:\Program Files\SpywareBlaster
2007-08-25 23:04:50 0 d-------- C:\Program Files\SpywareGuard
2007-08-25 22:17:33 0 d-------- C:\Documents and Settings\Bob\Application Data\uTorrent
2007-08-21 19:05:57 0 d-------- C:\Documents and Settings\Bob\Application Data\LimeWire
2007-08-14 12:04:39 0 d-------- C:\Program Files\The Flash Ad Creator v2
2007-08-13 21:31:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 22:38:43 0 d-------- C:\Program Files\The Logo Creator v5
2007-08-04 23:40:02 0 d-------- C:\Documents and Settings\Bob\Application Data\Adobe
2007-08-03 23:25:49 167865 --a------ C:\Program Files\uninstal.log
2007-07-30 07:38:27 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2007-07-28 23:19:30 0 d-------- C:\Program Files\Common Files\Adobe
2007-07-28 22:58:31 0 d-------- C:\Program Files\Common Files
2007-07-25 21:58:04 0 d-------- C:\Documents and Settings\Bob\Application Data\AdobeUM
2007-07-25 07:04:38 0 d-------- C:\Documents and Settings\Bob\Application Data\Macromedia
2007-07-24 21:21:59 0 d-------- C:\Program Files\Picasa2
2007-07-24 21:20:51 0 d-------- C:\Program Files\Google
2007-07-24 08:05:42 0 d-------- C:\Program Files\Diskeeper Corporation
2007-07-24 08:04:12 0 d-------- C:\Documents and Settings\Bob\Application Data\Leadertech
2007-07-23 22:22:49 0 d-------- C:\Program Files\Ahead
2007-07-23 22:22:35 0 d-------- C:\Program Files\Common Files\Ahead
2007-07-23 22:05:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 22:04:54 0 d-------- C:\Documents and Settings\Bob\Application Data\CyberLink
2007-07-23 21:56:09 0 d-------- C:\Program Files\Common Files\Acronis
2007-07-23 21:56:01 0 d-------- C:\Program Files\Acronis
2007-07-23 18:38:18 0 d-------- C:\Program Files\Lavasoft
2007-07-23 08:02:41 0 d-------- C:\Documents and Settings\Bob\Application Data\Apple Computer
2007-07-22 22:51:34 0 d-------- C:\Program Files\WinSCP
2007-07-22 22:42:31 0 d-------- C:\Documents and Settings\Bob\Application Data\GlobalSCAPE
2007-07-22 22:42:14 0 d-------- C:\Program Files\GlobalSCAPE
2007-07-22 21:43:36 0 d-------- C:\Program Files\LimeWire
2007-07-22 20:39:47 0 d-------- C:\Program Files\Common Files\SWF Studio
2007-07-21 08:22:27 90112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2007-07-21 08:22:27 221184 --a------ C:\WINDOWS\SnoopFreeUI.exe <Not Verified; SnoopFree Software; SnoopFree Privacy Shield>
2007-07-21 08:22:27 45056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2007-07-20 23:21:16 0 d-------- C:\Documents and Settings\Bob\Application Data\MSNInstaller
2007-07-20 23:12:27 0 d-------- C:\Program Files\Windows Media Connect 2
2007-07-20 07:53:45 0 d-------- C:\Documents and Settings\Bob\Application Data\WinRAR
2007-07-20 07:19:13 1156 --a------ C:\WINDOWS\mozver.dat
2007-07-19 23:30:31 0 d-------- C:\Program Files\QuickTime
2007-07-19 23:30:11 0 d-------- C:\Program Files\Apple Software Update
2007-07-19 23:30:02 0 d-------- C:\Program Files\Common Files\Apple
2007-07-19 22:54:22 0 d-------- C:\Documents and Settings\Bob\Application Data\Comodo
2007-07-19 22:52:51 0 d-------- C:\Program Files\Comodo
2007-07-19 21:24:58 0 d-------- C:\Program Files\Dell Photo AIO Printer 942
2007-07-19 21:04:47 0 d-------- C:\Program Files\Outlook Express Backup Wizard
2007-07-19 20:54:34 0 d-------- C:\Documents and Settings\Bob\Application Data\Mozilla
2007-07-19 20:14:52 0 d-------- C:\Program Files\Java
2007-07-19 19:58:40 0 d-------- C:\Program Files\MSXML 4.0
2007-07-19 19:43:09 0 d-------- C:\Program Files\Messenger


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74AEAE99-E4A6-45CE-8B64-2EDB63442166}]
08/25/2007 11:22 PM 298080 --a------ C:\WINDOWS\system32\mljjk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 05:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [03/23/2004 02:16 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/25/2004 02:52 PM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/27/2004 10:05 PM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [07/19/2007 10:52 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/16/2007 09:52 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07/20/2007 10:58 PM]
"SnoopFreeUI"="SnoopFreeUI.exe" [07/21/2007 08:22 AM C:\WINDOWS\SnoopFreeUI.exe]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [10/16/2006 09:12 PM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [10/16/2006 09:17 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [10/16/2006 09:13 PM]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [06/07/2006 12:35 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
"@"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/31/2007 06:44 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"VVLauncher 2"="C:\Program Files\ViceVersa Pro 2\VVLAUNCHER\VVLAUNCHER.EXE" [05/09/2007 06:02 PM]

C:\Documents and Settings\Bob\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 7:15:06 PM]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 7:15:06 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2/15/2005 10:43:26 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B}"= C:\WINDOWS\system32\gebxyyw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyyw]
gebxyyw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjk]
C:\WINDOWS\system32\mljjk.dll 08/25/2007 11:22 PM 298080 C:\WINDOWS\SYSTEM32\mljjk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Christine^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Christine\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime




-- End of Deckard's System Scanner: finished at 2007-08-26 11:51:39 ------------
Attached Files
File Type: txt extra.txt (18.7 KB, 1 views)

Last edited by Robert_R; 08-26-2007 at 10:08 AM. Reason: Attached correct file
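The HijackThis log above is what the analyst reads to spot the problem: an O2 BHO with no registered name sitting in system32 (mljjk.dll), the same DLL registered as an O20 Winlogon Notify package, and a second O20 entry (gebxyyw) whose DLL is already gone. The following Python is an added example, not code from this thread, from DSS or from HijackThis; it parses a few O2 and O20 lines copied from the posted log and applies those triage checks. The regexes, the Finding type and the rule wording are this example's own assumptions about the HijackThis 2.x line format.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted earlier in this thread (O3/O23 lines included to show they are ignored).
SAMPLE_LOG = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74AEAE99-E4A6-45CE-8B64-2EDB63442166} - C:\WINDOWS\system32\mljjk.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: gebxyyw - gebxyyw.dll (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
"""

# Line shapes as HijackThis 2.x prints them (these regexes are this example's own).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

MISSING = "(file missing)"


@dataclass(frozen=True)
class Finding:
    line: str    # the log line that triggered the rule
    reason: str  # why a triager should look at it


def dll_name(path: str) -> str:
    """Lower-cased file name of a log path; strips the '(file missing)' suffix."""
    return path.replace(MISSING, "").strip().split("\\")[-1].lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> List[Finding]:
    """Apply the BHO / Winlogon Notify checks to a HijackThis log and return the hits."""
    bhos: List[Tuple[str, str, str]] = []   # (name, path, line)
    notifies: List[Tuple[str, str]] = []    # (path, line)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append((m["name"], m["path"], line))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append((m["path"], line))

    bho_dlls = {dll_name(path) for _, path, _ in bhos}
    findings: List[Finding] = []

    # Rule 1: a BHO with no registered name that lives in system32.
    # (Spybot's SDHelper.dll is also "(no name)" but lives under Program Files, so it is not flagged.)
    for name, path, line in bhos:
        if name == "(no name)" and in_system32(path):
            findings.append(Finding(line, "unnamed BHO loaded from system32"))

    # Rule 2: Winlogon Notify packages are loaded by winlogon.exe at logon, so a
    # DLL registered there stays locked while a user is logged on. Flag an entry
    # whose file is gone (orphaned registration) or whose DLL is also a BHO.
    for path, line in notifies:
        if path.endswith(MISSING):
            findings.append(Finding(line, "Winlogon Notify entry whose DLL is missing"))
        elif dll_name(path) in bho_dlls:
            findings.append(Finding(line, "Winlogon Notify DLL is also registered as a BHO"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

Run against the sample it reports three lines: the unnamed system32 BHO, the orphaned gebxyyw Notify entry, and the mljjk Notify entry that shares its DLL with the BHO. The second rule is also the explanation for the "in use by another person or program" error in the first post: a Notify package is held open by winlogon.exe, so an ordinary delete of the file fails while anyone is logged on.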
08-26-2007, 12:47 PM   #4
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Bho [Moved from General Security]

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (right-click their icons in the system tray and exit each of them).

--------------------------------------------------------------------


**Note: Spyware Guard will reactivate upon the reboot, please be sure to allow all changes you are being alerted to.

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
08-26-2007, 01:16 PM   #5
Robert_R (Registered User)
Join Date: Jan 2005
Posts: 188
OS: Windows XP Professional


Re: Bho [Moved from General Security]

Here is the ComboFix txt:

ComboFix 07-08-26.3 - "Bob" 2007-08-26 15:07:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.542 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\SYSTEM32\kjjlm.bak1
C:\WINDOWS\SYSTEM32\kjjlm.bak2
C:\WINDOWS\SYSTEM32\kjjlm.ini
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\qnncljpq.dll


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-26 15:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-26 12:21 <DIR> d-------- C:\Program Files\InCode Solutions
2007-08-26 11:54 574,508 --a------ C:\WINDOWS\SYSTEM32\xoglgsks.exe
2007-08-26 11:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-26 11:49 <DIR> d-------- C:\Deckard
2007-08-21 15:23 <DIR> d-------- C:\DOCUME~1\CHRIST~1\Shared
2007-08-21 15:23 <DIR> d-------- C:\DOCUME~1\CHRIST~1\Incomplete
2007-08-21 15:23 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\LimeWire
2007-08-13 21:41 <DIR> d-------- C:\DOCUME~1\Bob\APPLIC~1\TechSmith
2007-08-13 21:34 <DIR> d-------- C:\Program Files\TechSmith
2007-08-13 21:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
2007-08-04 10:39 <DIR> d-------- C:\Program Files\iTunes
2007-08-04 10:39 <DIR> d-------- C:\Program Files\iPod
2007-08-03 23:25 <DIR> d-------- C:\Program Files\The Flash Ad Creator v2.5
2007-07-29 20:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ViceVersa PRO 2
2007-07-29 20:38 <DIR> d-------- C:\Program Files\ViceVersa Pro 2
2007-07-28 23:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-28 23:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-07-28 23:08 2,463,976 --a------ C:\WINDOWS\SYSTEM32\NPSWF32.dll
2007-07-28 23:08 190,696 --a------ C:\WINDOWS\SYSTEM32\NPSWF32_FlashUtil.exe
2007-07-28 23:01 <DIR> d-------- C:\Program Files\Bonjour
2007-07-28 22:58 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-26 13:29 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\uTorrent
2007-08-26 12:07 --------- d-------- C:\Program Files\LimeWire
2007-08-25 23:43 --------- d-------- C:\Program Files\SpywareBlaster
2007-08-25 23:04 --------- d-------- C:\Program Files\SpywareGuard
2007-08-14 12:04 --------- d-------- C:\Program Files\The Flash Ad Creator v2
2007-08-13 21:31 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 16:46 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 16:46 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-06 22:38 --------- d-------- C:\Program Files\The Logo Creator v5
2007-08-03 23:25 167865 --a------ C:\Program Files\uninstal.log
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\WUPS.DLL
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 07:38 45056 --a------ C:\WINDOWS\NCUNINST.EXE
2007-07-25 23:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-25 21:58 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\AdobeUM
2007-07-24 21:50 --------- d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Apple Computer
2007-07-24 21:21 --------- d-------- C:\Program Files\Picasa2
2007-07-24 21:20 --------- d-------- C:\Program Files\Google
2007-07-24 08:05 --------- d-------- C:\Program Files\Diskeeper Corporation
2007-07-24 08:04 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\Leadertech
2007-07-23 22:22 --------- d-------- C:\Program Files\Common Files\Ahead
2007-07-23 22:22 --------- d-------- C:\Program Files\Ahead
2007-07-23 22:05 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 22:04 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\CyberLink
2007-07-23 21:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Acronis
2007-07-23 21:56 395744 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2007-07-23 21:56 39264 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-07-23 21:56 114048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2007-07-23 21:56 --------- d-------- C:\Program Files\Common Files\Acronis
2007-07-23 21:56 --------- d-------- C:\Program Files\Acronis
2007-07-23 18:38 --------- d-------- C:\Program Files\Lavasoft
2007-07-23 08:02 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\Apple Computer
2007-07-22 22:55 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-22 22:51 --------- d-------- C:\Program Files\WinSCP
2007-07-22 22:42 --------- d-------- C:\Program Files\GlobalSCAPE
2007-07-22 22:42 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\GlobalSCAPE
2007-07-22 21:29 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-22 20:39 --------- d-------- C:\Program Files\Common Files\SWF Studio
2007-07-21 08:22 9472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2007-07-21 08:22 90112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2007-07-21 08:22 45056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2007-07-21 08:22 221184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2007-07-20 23:21 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\MSNInstaller
2007-07-20 23:12 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-20 21:38 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-20 07:53 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\WinRAR
2007-07-19 23:33 --------- d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Comodo
2007-07-19 23:30 --------- d-------- C:\Program Files\QuickTime
2007-07-19 23:30 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-19 23:30 --------- d-------- C:\Program Files\Apple Software Update
2007-07-19 23:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-19 22:54 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\Comodo
2007-07-19 22:54 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-19 22:52 --------- d-------- C:\Program Files\Comodo
2007-07-19 22:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-07-19 21:24 --------- d-------- C:\Program Files\Dell Photo AIO Printer 942
2007-07-19 21:04 --------- d-------- C:\Program Files\Outlook Express Backup Wizard
2007-07-19 20:27 --------- d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\McAfee.com Personal Firewall
2007-07-19 20:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-07-19 19:58 --------- d-------- C:\Program Files\MSXML 4.0
2007-07-19 18:55 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
2007-07-19 02:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 19:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 10:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 10:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 10:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 10:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 10:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 10:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 10:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 10:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 10:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 10:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 10:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 10:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 10:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 10:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 10:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 10:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 10:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 10:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 10:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 04:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 04:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 04:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 03:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E32F705-40BC-49E6-BE15-0539C227B364}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F18CC137-FC55-46C6-907D-E418CA7E8592}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 14:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-19 22:52]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-16 09:52]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-20 22:58]
"SnoopFreeUI"="SnoopFreeUI.exe" [2007-07-21 08:22 C:\WINDOWS\SnoopFreeUI.exe]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 21:12]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 21:17]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 21:13]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 12:35]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"VVLauncher 2"="C:\Program Files\ViceVersa Pro 2\VVLAUNCHER\VVLAUNCHER.EXE" [2007-05-09 18:02]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" []

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 19:15:06]

C:\DOCUME~1\Bob\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 19:15:06]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\DOCUME~1\CHRIST~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 19:15:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B}"= C:\WINDOWS\system32\gebxyyw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyyw]
gebxyyw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Christine^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Christine\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM


Contents of the 'Scheduled Tasks' folder
2007-08-25 14:35:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 15:10:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 15:12:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-26 15:12

--- E O F ---


And here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:20 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ViceVersa Pro 2\VVLAUNCHER\VVLAUNCHER.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nyyankees.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E32F705-40BC-49E6-BE15-0539C227B364} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F18CC137-FC55-46C6-907D-E418CA7E8592} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VVLauncher 2] "C:\Program Files\ViceVersa Pro 2\VVLAUNCHER\VVLAUNCHER.EXE"
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: gebxyyw - gebxyyw.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

--
End of file - 11387 bytes
Old 08-26-2007, 05:30 PM   #6 (permalink)
Robert_R
Registered User
Join Date: Jan 2005
Posts: 188
OS: Windows XP Professional


Re: Bho [Moved from General Security]

This is really weird. It's gone now. I logged on and I didn't get the warning from SpywareGuard regarding the BHO.

What now?
Old 08-26-2007, 09:12 PM   #7 (permalink)
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Bho [Moved from General Security]

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E32F705-40BC-49E6-BE15-0539C227B364}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F18CC137-FC55-46C6-907D-E418CA7E8592}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyyw]
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


-----------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Panda results
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
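As an added example (not code from this thread, ComboFix or HijackThis), the script below parses HijackThis O2/O3/O20 lines, flags load points whose file HijackThis reports as missing, and emits a CFScript Registry:: block in the shape Ried posted above. The sample log is constructed from the kinds of entries seen in the thread; the Internet Explorer Toolbar key used for O3 entries is an assumption, since the thread's script only covers BHO, ShellExecuteHooks and Winlogon Notify keys.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on the entries the
# thread discusses (orphaned O2 BHOs, an orphaned O3 toolbar, an O20 Winlogon
# Notify entry whose DLL is gone) plus healthy entries that must not be flagged.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {1E32F705-40BC-49E6-BE15-0539C227B364} - (no file)
O2 - BHO: (no name) - {F18CC137-FC55-46C6-907D-E418CA7E8592} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: gebxyyw - gebxyyw.dll (file missing)
"""

# O2 (BHO) and O3 (toolbar) lines share one shape: "<name> - {CLSID} - <path>".
_O2_O3 = re.compile(
    r"^(?P<section>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)
# O20 lines: "O20 - Winlogon Notify: <subkey> - <dll> [(file missing)]".
_O20 = re.compile(
    r"^(?P<section>O20) - Winlogon Notify: (?P<subkey>\S+) - (?P<path>\S+)"
    r"(?P<missing> \(file missing\))?$"
)


def parse_hjt(text):
    """Return one dict per recognised O2/O3/O20 line; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _O2_O3.match(line) or _O20.match(line)
        if not m:
            continue
        d = m.groupdict()
        # A load point is 'orphaned' when HijackThis could not find its file:
        # the registry still tells IE/Winlogon to load something that is gone.
        d["orphaned"] = d["path"] == "(no file)" or bool(d.get("missing"))
        entries.append(d)
    return entries


def orphaned_load_points(entries):
    """Keep only load points whose target file HijackThis reports as missing."""
    return [e for e in entries if e["orphaned"]]


def build_cfscript(orphans):
    """Emit a CFScript 'Registry::' block deleting the orphaned load points.

    Key paths follow the thread's script: ComboFix's '~' shorthand for the
    Browser Helper Objects parent key and the full Winlogon\\notify path.
    Toolbar CLSIDs are removed as value names under the IE Toolbar key
    (assumption: that key is not part of the thread's script).
    """
    lines = ["Registry::"]
    toolbar_values = []
    for e in orphans:
        if e["section"] == "O2":
            lines.append(
                r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % e["clsid"])
        elif e["section"] == "O20":
            lines.append(
                r"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion"
                r"\winlogon\notify\%s]" % e["subkey"])
        elif e["section"] == "O3":
            toolbar_values.append('"%s"=-' % e["clsid"])
    if toolbar_values:
        lines.append(r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]")
        lines.extend(toolbar_values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = orphaned_load_points(parse_hjt(SAMPLE_HJT_LOG))
    for e in found:
        print("%-4s orphaned: %s" % (e["section"], e.get("clsid") or e["subkey"]))
    print(build_cfscript(found))
```

An entry flagged here only means the load point points at nothing; review the CLSID and the file history (as ComboFix's quarantine log does) before treating it as the malware itself.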
Old 08-27-2007, 06:41 PM   #8 (permalink)
Robert_R
Registered User
Join Date: Jan 2005
Posts: 188
OS: Windows XP Professional


Re: Bho [Moved from General Security]

ComboFix Log

ComboFix 07-08-26.3 - "Bob" 2007-08-27 18:41:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Bob\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 )))))))))))))))))))))))))))))))


2007-08-26 15:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-26 12:21 <DIR> d-------- C:\Program Files\InCode Solutions
2007-08-26 11:54 574,508 --a------ C:\WINDOWS\SYSTEM32\xoglgsks.exe
2007-08-26 11:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-26 11:49 <DIR> d-------- C:\Deckard
2007-08-21 15:23 <DIR> d-------- C:\DOCUME~1\CHRIST~1\Shared
2007-08-21 15:23 <DIR> d-------- C:\DOCUME~1\CHRIST~1\Incomplete
2007-08-21 15:23 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\LimeWire
2007-08-13 21:41 <DIR> d-------- C:\DOCUME~1\Bob\APPLIC~1\TechSmith
2007-08-13 21:34 <DIR> d-------- C:\Program Files\TechSmith
2007-08-13 21:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
2007-08-04 10:39 <DIR> d-------- C:\Program Files\iTunes
2007-08-04 10:39 <DIR> d-------- C:\Program Files\iPod
2007-08-03 23:25 <DIR> d-------- C:\Program Files\The Flash Ad Creator v2.5
2007-07-29 20:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ViceVersa PRO 2
2007-07-29 20:38 <DIR> d-------- C:\Program Files\ViceVersa Pro 2
2007-07-28 23:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-28 23:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-07-28 23:08 2,463,976 --a------ C:\WINDOWS\SYSTEM32\NPSWF32.dll
2007-07-28 23:08 190,696 --a------ C:\WINDOWS\SYSTEM32\NPSWF32_FlashUtil.exe
2007-07-28 23:01 <DIR> d-------- C:\Program Files\Bonjour
2007-07-28 22:58 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-26 19:27 --------- d-------- C:\Program Files\SpywareGuard
2007-08-26 13:29 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\uTorrent
2007-08-26 12:07 --------- d-------- C:\Program Files\LimeWire
2007-08-25 23:43 --------- d-------- C:\Program Files\SpywareBlaster
2007-08-14 12:04 --------- d-------- C:\Program Files\The Flash Ad Creator v2
2007-08-13 21:31 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 16:46 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 16:46 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-06 22:38 --------- d-------- C:\Program Files\The Logo Creator v5
2007-08-03 23:25 167865 --a------ C:\Program Files\uninstal.log
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\WUPS.DLL
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 07:38 45056 --a------ C:\WINDOWS\NCUNINST.EXE
2007-07-25 23:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-25 21:58 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\AdobeUM
2007-07-24 21:50 --------- d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Apple Computer
2007-07-24 21:21 --------- d-------- C:\Program Files\Picasa2
2007-07-24 21:20 --------- d-------- C:\Program Files\Google
2007-07-24 08:05 --------- d-------- C:\Program Files\Diskeeper Corporation
2007-07-24 08:04 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\Leadertech
2007-07-23 22:22 --------- d-------- C:\Program Files\Common Files\Ahead
2007-07-23 22:22 --------- d-------- C:\Program Files\Ahead
2007-07-23 22:05 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 22:04 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\CyberLink
2007-07-23 21:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Acronis
2007-07-23 21:56 395744 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2007-07-23 21:56 39264 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-07-23 21:56 114048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2007-07-23 21:56 --------- d-------- C:\Program Files\Common Files\Acronis
2007-07-23 21:56 --------- d-------- C:\Program Files\Acronis
2007-07-23 18:38 --------- d-------- C:\Program Files\Lavasoft
2007-07-23 08:02 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\Apple Computer
2007-07-22 22:55 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-22 22:51 --------- d-------- C:\Program Files\WinSCP
2007-07-22 22:42 --------- d-------- C:\Program Files\GlobalSCAPE
2007-07-22 22:42 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\GlobalSCAPE
2007-07-22 21:29 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-22 20:39 --------- d-------- C:\Program Files\Common Files\SWF Studio
2007-07-21 08:22 9472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2007-07-21 08:22 90112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2007-07-21 08:22 45056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2007-07-21 08:22 221184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2007-07-20 23:21 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\MSNInstaller
2007-07-20 23:12 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-20 21:38 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-20 07:53 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\WinRAR
2007-07-19 23:33 --------- d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Comodo
2007-07-19 23:30 --------- d-------- C:\Program Files\QuickTime
2007-07-19 23:30 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-19 23:30 --------- d-------- C:\Program Files\Apple Software Update
2007-07-19 23:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-19 22:54 --------- d-------- C:\DOCUME~1\Bob\APPLIC~1\Comodo
2007-07-19 22:54 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-19 22:52 --------- d-------- C:\Program Files\Comodo
2007-07-19 22:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-07-19 21:24 --------- d-------- C:\Program Files\Dell Photo AIO Printer 942
2007-07-19 21:04 --------- d-------- C:\Program Files\Outlook Express Backup Wizard
2007-07-19 20:27 --------- d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\McAfee.com Personal Firewall
2007-07-19 20:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-07-19 19:58 --------- d-------- C:\Program Files\MSXML 4.0
2007-07-19 18:55 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
2007-07-19 02:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 19:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 10:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 10:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 10:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 10:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 10:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 10:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 10:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 10:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 10:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 10:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 10:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 10:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 10:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 10:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 10:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 10:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 10:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 10:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 10:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 04:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 04:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 04:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 03:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 14:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-19 22:52]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-16 09:52]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-20 22:58]
"SnoopFreeUI"="SnoopFreeUI.exe" [2007-07-21 08:22 C:\WINDOWS\SnoopFreeUI.exe]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 21:12]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 21:17]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 21:13]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 12:35]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"VVLauncher 2"="C:\Program Files\ViceVersa Pro 2\VVLAUNCHER\VVLAUNCHER.EXE" [2007-05-09 18:02]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" []

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 19:15:06]

C:\DOCUME~1\Bob\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 19:15:06]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\DOCUME~1\CHRIST~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 19:15:06]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Christine^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Christine\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM


Contents of the 'Scheduled Tasks' folder
2007-08-25 14:35:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-27 18:44:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-27 18:45:02
C:\ComboFix-quarantined-files.txt ... 2007-08-27 18:44
C:\ComboFix2.txt ... 2007-08-26 15:12

--- E O F ---

Panda Results


Incident Status Location

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\7ouhbwr4.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\7ouhbwr4.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\7ouhbwr4.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bob\Cookies\bob@2o7[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Bob\Desktop\ComboFix.exe[nircmd.exe]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.advertising.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[ads.pointroll.com/PRServe/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[www.burstbeacon.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\SYSTEM32\xoglgsks.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Documents and Settings\Bob\Desktop\ComboFix.exe[nircmd.exe]
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected F:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[.2o7.net/]
Spyware:Cookie/WebtrendsLive Not disinfected F:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\Christine\Cookies\christine@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\Christine\Cookies\christine@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected F:\Documents and Settings\Christine\Cookies\christine@adrevolver[1].txt
Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\Christine\Cookies\christine@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Christine\Cookies\christine@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Christine\Cookies\christine@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Christine\Cookies\christine@atwola[1].txt
Spyware:Cookie/Bridgetrack Not disinfected F:\Documents and Settings\Christine\Cookies\christine@citi.bridgetrack[1].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Christine\Cookies\christine@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected F:\Documents and Settings\Christine\Cookies\christine@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected F:\Documents and Settings\Christine\Cookies\christine@mediaplex[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Documents and Settings\Christine\Cookies\christine@realmedia[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected F:\Documents and Settings\Christine\Cookies\christine@statse.webtrendslive[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected F:\Documents and Settings\Christine\Cookies\christine@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected F:\Documents and Settings\Christine\Cookies\christine@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\Christine\Cookies\christine@zedo[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\WINDOWS\nircmd.exe
Adware:Adware/WinAntiVirus2007 Not disinfected F:\WINDOWS\SYSTEM32\xoglgsks.exe
Spyware:Cookie/Atwola Not disinfected G:\Documents and Settings\Christine\Cookies\christine@atwola[1].txt

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:48 PM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ViceVersa Pro 2\VVLAUNCHER\VVLAUNCHER.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nyyankees.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VVLauncher 2] "C:\Program Files\ViceVersa Pro 2\VVLAUNCHER\VVLAUNCHER.EXE"
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

--
End of file - 11054 bytes

System Behavior

Everything seems to be fine.
and
Old 08-27-2007, 08:13 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Bho [Moved from General Security]

Just a few remnants left.

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entry:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files

C:\WINDOWS\SYSTEM32\xoglgsks.exe
F:\WINDOWS\SYSTEM32\xoglgsks.exe


--------------------------------------------------------------------

You have AVG Anti-Spyware installed already. We'll use it to clear out all those unwanted cookies and any other leftover junk on your system.

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (Make sure to remember where you saved that file; this is important.)

-----------------------------------------------------------------------

Reboot your system.

-----------------------------------------------------------------------

Post the AVG A-S results here please.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
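As an added example, not part of Ried's post or of HijackThis itself: a small Python parser for the O2/O3/O9 line format seen in the log above, listing the CLSID entries that end in "(no file)", the same kind of orphaned remnant as the O3 toolbar Ried has the user fix. The sample lines are copied from this thread's log; the HjtEntry, parse_hjt and orphaned_entries names are mine.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few lines copied in the format of the HijackThis log
# posted in this thread (O2/O3/O9 CLSID entries plus one O4 line), not the
# whole log.
SAMPLE_LOG = """\
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\\Program Files\\SpywareGuard\\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\\Program Files\\TechSmith\\SnagIt 8\\SnagItIEAddin.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O4 - HKLM\\..\\Run: [SnoopFreeUI] SnoopFreeUI.exe
"""

# Shape of the CLSID-bearing lines:
#   "O3 - Toolbar: <name> - {CLSID} - <path or (no file)>"
CLSID_LINE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)


@dataclass(frozen=True)
class HjtEntry:
    section: str  # "O2" (BHO), "O3" (toolbar), "O9" (extra button / menu item)
    kind: str     # "BHO", "Toolbar", "Extra button", ...
    name: str     # display name, or "(no name)" when HijackThis found none
    clsid: str    # registry CLSID the entry points at
    path: str     # file the CLSID resolves to, or the literal "(no file)"

    @property
    def is_orphan(self) -> bool:
        """The registry still references the CLSID, but the file behind it is gone.

        Such entries can no longer load anything, which is why helpers treat
        them as leftovers to remove with 'Fix Checked' rather than live threats.
        """
        return self.path.strip() == "(no file)"


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return every CLSID-bearing entry; lines of other shapes (O4, O23, ...) are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        m = CLSID_LINE.match(line.strip())
        if m:
            entries.append(HjtEntry(**m.groupdict()))
    return entries


def orphaned_entries(text: str) -> List[HjtEntry]:
    """Entries a helper would tell the user to 'Check' as orphaned remnants."""
    return [e for e in parse_hjt(text) if e.is_orphan]


def orphan_summary(text: str) -> dict:
    """Count orphans per HijackThis section, e.g. {'O3': 1, 'O9': 1}."""
    counts: dict = {}
    for e in orphaned_entries(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    # Print the orphaned entries in the same line format HijackThis uses,
    # so they can be compared against the log directly.
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e.section} - {e.kind}: {e.name} - {e.clsid} - {e.path}")
```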
Old 08-28-2007, 06:53 PM   #10 (permalink)
Registered User
Robert_R
Join Date: Jan 2005
Posts: 188
OS: Windows XP Professional


Re: Bho [Moved from General Security]

AVG Anti-Spyware results

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:46:57 PM 8/28/2007

+ Scan result:



:mozilla.115:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.66:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.68:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.85:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.73:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.74:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.75:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.76:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.15:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.96:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.97:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.19:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.20:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.112:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.10:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.11:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.12:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.14:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.16:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.17:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.18:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.6:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.7:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.69:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.70:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.77:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.78:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.79:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\c7e2dj6t.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.


::Report end
Robert_R is offline  
Old 08-28-2007, 07:50 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Bho [Moved from General Security]

Hiya,

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Ensure Windows Auto Update is Enabled
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points (which contain the infections) and create a new restore point.

**************************************************************************************

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.
Ried is offline  
Old 08-28-2007, 08:16 PM   #12 (permalink)
Registered User
Robert_R
Join Date: Jan 2005
Posts: 188
OS: Windows XP Professional


Re: Bho [Moved from General Security]

Thank you for all your help with this matter I appreciate it very, very much.
Robert_R is offline  
Old 08-28-2007, 08:24 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Bho [Moved from General Security]

You're quite welcome.
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum