Resolved HJT Threads Resolved spyware and popup issues.
06-09-2008, 08:48 AM   #1
Registered User
Join Date: Jun 2008
Posts: 12
OS: Windows XP

Ah, spyware! Help!!

Hey! Well, I have quite a few problems.

Here's the story: A few days ago I visited an old site that I used to frequently visit a few years back. Well, something is wrong with the site, and it installed a lot of spyware onto my computer. Ugh, honestly, I haven't had problems with spyware or a virus in such a long time. Anyway, I ran Ad-Aware, which got rid of only a few problems.... and after that, I ran Spybot S&D, which got rid of a lot of things (though not all of them).

Well, here are some problems I'm still having:

1) Automatic Updates: Somehow, the spyware disabled my automatic updates. I've tried looking up solutions on the internet, even on Microsoft's website, but none of them helped. When I try to enable the updates, a window pops up saying "We're sorry. The Security Center could not change your Automatic Updates settings. Try...blahblah" -- that didn't work. Microsoft's solution said to go to Run > and type in Services.msc, and go from there. But when I switch to Automatic in the Startup Type, and try to click "Start", a little window-thing just pops up saying "Could not start the Automatic Updates on Local Computer... Error 1058: The service cannot be started, either because it is disabled or it has no enabled devices associated with it." Well, DUH, it's disabled! I'm TRYING to enable it!!!! Ugh.... Not to mention, because of this, I can't even download updates straight from Microsoft's site anyway.

2) Desktop Gone: At first, when I would restart my Windows, windows would pop up (windows from the cmd thing in Run) and say stuff about errors, and most of the time cause my desktop to disappear, leaving only my background visible. Well, I fixed the error things, but even though I fixed them, my desktop still seems to disappear on me at times after a while. And I'll have to reboot the computer at least 2 times just for my desktop to show up again! (Like just a few minutes ago, I tried to open something from my desktop, and it freaked out on me and my taskbar/icons disappeared. But luckily I had my Internet Explorer window still up, and when I typed "c:\Documents and Settings", they all came back. :/ )

Panda ActiveScan log: well, I don't think it did much. :/

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-09 09:49:55
PROTECTIONS: 8
MALWARE: 45
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Avira AntiVir PersonalEdition Classic 6.38.1.98
Yes Yes
Avira AntiVir PersonalEdition Classic 7.0.3.33
Yes Yes
Avira AntiVir PersonalEdition Classic 0.0.0.0 Yes Yes
Avira AntiVir PersonalEdition Classic 7.0.1.129
Yes Yes
Avira AntiVir PersonalEdition Classic 0.0.0.0 Yes No
Avira AntiVir PersonalEdition Classic 7.0.1.129
Yes Yes
Avira AntiVir PersonalEdition 8.0.1.18 Yes Yes
Avira AntiVir PersonalEdition Classic 0.0.0.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00013512 adware/searchaid Adware No 0 Yes No hkey_classes_root\clsid\{f18b8f19-2940-0876-54d4-fbe52283d28c}
00013512 adware/searchaid Adware No 0 Yes No hkey_classes_root\clsid\{dd33dd18-4d26-b41e-13da-43f55e371dd6}
00013512 adware/searchaid Adware No 0 Yes No hkey_classes_root\clsid\{5df43c22-150c-58be-5a1e-a8ead02a98c7}
00013512 adware/searchaid Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{0A897F02-3691-B9B2-22B5-29117868FF15}
00013512 adware/searchaid Adware No 0 Yes No hkey_classes_root\clsid\{0a897f02-3691-b9b2-22b5-29117868ff15}
00013512 adware/searchaid Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{F18B8F19-2940-0876-54D4-FBE52283D28C}
00013512 adware/searchaid Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{DD33DD18-4D26-B41E-13DA-43F55E371DD6}
00013512 adware/searchaid Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{5DF43C22-150C-58BE-5A1E-A8EAD02A98C7}
00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search bar_bak
00020302 adware/ncase Adware No 0 Yes No c:\windows\msbb.exe.temp
00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search page_bak
00029007 adware/tvmedia Adware No 0 Yes No c:\documents and settings\alyssa\application data\tvmknwrd.dll
00029007 adware/tvmedia Adware No 0 Yes No c:\program files\tv media
00032724 adware/portalscan Adware No 0 Yes No c:\program files\common files\slmss
00032724 adware/portalscan Adware No 0 Yes No hkey_local_machine\software\whpbgjb
00036016 adware/topmoxie Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
00039204 adware/cws Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\start page_bak
00039209 adware/virtualbouncer Adware No 0 Yes No c:\windows\system32\inneradinstall.log
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{a986f4db-792e-4571-8974-0bb6e024766f}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{830d3aed-2fa9-454f-b266-d931862bbf34}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{49db48ff-02b5-4645-b676-94a4df1aa026}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{bccab53d-0895-40c3-a942-a03538ce227a}
00040415 adware/wintools Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{8992b6ca-b8c9-4aed-bf89-0a17f6296a06}
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\classes\protocols\name-space handler\res
00040415 adware/wintools Adware No 0 Yes No hkey_classes_root\protocols\name-space handler\res
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_wintoolssvc
00041904 adware/sidesearch Adware No 0 Yes No c:\documents and settings\alyssa\application data\lycos
00047863 adware/ieplugin Adware No 0 Yes No c:\windows\kwv2.dat
00047888 adware/iedriver Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{1a00c40b-da85-4aa3-a67f-582d9347eecd}
00047888 adware/iedriver Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\extensions\cmdmapping\{1a00c40b-da85-4aa3-a67f-582d9347eecd}
00065260 adware/ipinsight Adware No 0 Yes No c:\windowsinf\polall1r.inf
00092990 Spyware/Apropos Spyware No 1 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[apropos_client_loader.exe]
00092990 Spyware/Apropos Spyware No 1 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[apropos_client_loader.exe]
00092990 Spyware/Apropos Spyware No 1 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[apropos_client_loader.exe]
00092990 Spyware/Apropos Spyware No 1 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[apropos_client_loader.exe]
00097668 Adware/PurityScan Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[install_tag002.exe]
00097668 Adware/PurityScan Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[install_tag002.exe]
00097668 Adware/PurityScan Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[install_tag002.exe]
00097668 Adware/PurityScan Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[install_tag002.exe]
00111250 Trj/Downloader.OE Virus/Trojan No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][dp-k13w13.exe]
00111250 Trj/Downloader.OE Virus/Trojan No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[setup233.exe][dp-k13w13.exe]
00111250 Trj/Downloader.OE Virus/Trojan No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][dp-k13w13.exe]
00111250 Trj/Downloader.OE Virus/Trojan No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[setup233.exe][dp-k13w13.exe]
00117819 Spyware/New.net Spyware No 1 Yes No C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0294764.EXE
00120350 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][sx.htm]
00120350 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][sx.htm]
00120350 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[setup233.exe][sx.htm]
00120350 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[setup233.exe][sx.htm]
00127080 Backdoor Program Virus/Trojan No 0 Yes Yes C:\WINDOWS\SYSTEM32\WwuwSer.exe
00127080 Backdoor Program Virus/Trojan No 0 Yes Yes C:\WINDOWS\SYSTEM32\VgmTO8q.exe
00127080 Backdoor Program Virus/Trojan No 0 Yes Yes C:\WINDOWS\SYSTEM32\JapXq.exe
00132447 adware program Adware No 0 Yes No c:\windows\ss3unstl.exe
00134624 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[setup233.exe][ieupdate.exe]
00134624 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][ieupdate.exe]
00134624 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][ieupdate.exe]
00134624 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[setup233.exe][ieupdate.exe]
00134625 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][td.exe]
00134625 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[setup233.exe][td.exe]
00134625 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[setup233.exe][td.exe]
00134625 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][td.exe]
00134626 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[setup233.exe][IEDRIVER.EXE]
00134626 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][IEDRIVER.EXE]
00134626 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][IEDRIVER.EXE]
00134626 Adware/IEDriver Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[setup233.exe][IEDRIVER.EXE]
00137181 Adware/BrowserAid Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[dist1_1_00.exe]
00137181 Adware/BrowserAid Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[dist1_1_00.exe]
00137181 Adware/BrowserAid Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[dist1_1_00.exe]
00137181 Adware/BrowserAid Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[dist1_1_00.exe]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Alyssa\Cookies\alyssa@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Alyssa\Local Settings\Temp\Cookies\alyssa@trafficmp[2].txt
00145348 Cookie/Gator TrackingCookie No 0 Yes No C:\FOUND.032\FILE0000.CHK
00145454 Cookie/Centralmedia TrackingCookie No 0 Yes No C:\FOUND.037\FILE0017.CHK
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Alyssa\Local Settings\Temp\Cookies\alyssa@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\FOUND.053\FILE0178.CHK
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\FOUND.058\FILE0006.CHK
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\FOUND.050\FILE0109.CHK
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alyssa\Local Settings\Temp\Cookies\alyssa@advertising[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Alyssa\Local Settings\Temp\Cookies\alyssa@realmedia[2].txt
00193504 Adware/eZula Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[ezStub.exe]
00193504 Adware/eZula Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[ezStub.exe]
00193504 Adware/eZula Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[ezStub.exe]
00193504 Adware/eZula Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[ezStub.exe]
00193712 Adware/WindowEnhancer Adware No 0 Yes No C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll.tcf
00200583 adware/block-checker Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\tkqlhce.com\
00200583 adware/block-checker Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cc-dt.com\
00200583 adware/block-checker Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\anrdoezrs.net\
00200583 adware/block-checker Adware No 1 Yes No c:\windows\system32\ustart.exe
00200583 adware/block-checker Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\jdoqocy.com\
00200583 adware/block-checker Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\dpbolvw.net\
00208670 Spyware/New.net Spyware No 1 Yes No C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0296743.EXE
00217379 adware/dollarrevenue Adware No 0 No No c:\windows\timessquare1.dat
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\services\cmdservice
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\services\cmdservice
00243573 Adware/SaveNow Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[SaveInstCsSm.exe]
00243573 Adware/SaveNow Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[SaveInstCsSm.exe]
00243573 Adware/SaveNow Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[SaveInstCsSm.exe]
00243573 Adware/SaveNow Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[SaveInstCsSm.exe]
00262492 Adware/CommAd Adware No 0 Yes No C:\WINDOWS\SmVyaSBEZW5raW5z\mApVum1HtqcOuqcW.vbs
00350959 Spyware/New.net Spyware No 1 Yes No C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0296742.EXE
00461206 Adware/TVMedia Adware Yes 1 Yes No C:\WINDOWS\SYSTEM32\MAD.DLL
00527204 Application/PRScheduler HackTools No 0 Yes No C:\WINDOWS\PSS\PowerReg Scheduler V3.exeStartup
00527204 Application/PRScheduler HackTools No 0 Yes No C:\Documents and Settings\Alyssa\Desktop\Installations\SpyWare Helpers\Anti-Vir Backups\backup-20050616-084336-271-PowerReg Scheduler V3.exe
00778290 Trj/Qhost.FM Virus/Trojan No 1 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[SvcHost.exe]
00778290 Trj/Qhost.FM Virus/Trojan No 1 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[SvcHost.exe]
00778290 Trj/Qhost.FM Virus/Trojan No 1 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[SvcHost.exe]
00778290 Trj/Qhost.FM Virus/Trojan No 1 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[SvcHost.exe]
02901943 Adware/AdsInContext Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[icinstaller.exe]
02901943 Adware/AdsInContext Adware No 0 No No C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[icinstaller.exe]
02901943 Adware/AdsInContext Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\Data\all_files4.exe[icinstaller.exe]
02901943 Adware/AdsInContext Adware No 0 No No C:\Documents and Settings\Guest\My Documents\Data\all_files4.exe[icinstaller.exe]
03020910 Bck/BEnergy.M Virus/Trojan No 1 Yes Yes C:\WINDOWS\SYSTEM32\MSSRV32.EXE
03020910 Bck/BEnergy.M Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0298743.EXE
03020910 Bck/BEnergy.M Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0298754.EXE
03020910 Bck/BEnergy.M Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0298762.EXE
03020910 Bck/BEnergy.M Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0296738.EXE
03020910 Bck/BEnergy.M Virus/Trojan No 1 Yes Yes C:\WINDOWS\TEMP\BN2.TMP
03032060 Adware/VapSup Adware No 0 Yes No C:\WINDOWS\XBQMFSED.EXE
03052662 W32/Socks.E.worm Virus/Worm Yes 1 No No C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\CFTMON.EXE
03052662 W32/Socks.E.worm Virus/Worm No 0 No No C:\DOCUMENTS AND SETTINGS\ALYSSA\CFTMON.EXE
03052662 W32/Socks.E.worm Virus/Worm No 0 No No C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
120815 HIGH MS06-022
;===================================================================================================================================================================================

My DSS main log:
and, of course, the extra.txt log-thingy will be attached.

Deckard's System Scanner v20071014.68
Run by Alyssa on 2008-06-09 10:08:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
53: 2008-06-09 14:09:32 UTC - RP1338 - Deckard's System Scanner Restore Point
52: 2008-06-07 01:36:33 UTC - RP1337 - Avira AntiVir Personal - 6/6/2008 21:35
51: 2008-06-07 00:17:24 UTC - RP1336 - Last known good configuration
50: 2008-06-06 23:45:43 UTC - RP1335 - Installed Windows Live
49: 2008-06-06 23:44:16 UTC - RP1334 - Installed Windows Live installer


-- First Restore Point --
1: 2008-04-23 07:46:58 UTC - RP1286 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Alyssa.exe) ----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-09 10:15:12
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\LocalService\cftmon.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Alyssa\Desktop\Installations\SpyWare Helpers\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daizex.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {c212643f-e3bb-4797-8458-d7d1c455677f} - C:\WINDOWS\SYSTEM32\qoMeBrqo.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O2 - BHO: (no name) - {DA7DC5AC-FD40-45FA-9F03-A66A4D467B63} - C:\WINDOWS\SYSTEM32\jkkICtrO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: nmwegbsf - {8BCDB708-77A2-4C1C-B35C-C81FDCC045EF} - C:\WINDOWS\nmwegbsf.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Alyssa\LOCALS~1\Temp\rbnpsrv.exe/r
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Alyssa\cftmon.exe
O4 - HKLM\..\Run: [10551e76] rundll32.exe "C:\WINDOWS\system32\mmyqocpv.dll",b
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Alyssa\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [InstallProgram] C:\DOCUME~1\Alyssa\LOCALS~1\Temp\setup_526_1_.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Alyssa\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Alyssa\cftmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [oiwo] C:\PROGRA~1\COMMON~1\oiwo\oiwom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [oiwo] C:\PROGRA~1\COMMON~1\oiwo\oiwom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\SYSTEM32\nwprovau.dll
O15 - Trusted Zone: https://www.dbgforums.com (HKCU)
O15 - Trusted IP Range: (HKLM)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/fhg.CAB
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (GINBOARDS Class) - http://67.15.101.3/g_bin/eng/boards_2_0_0_20.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/Ms...cab?10,0,911,0
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} () - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155644189618
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} () - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} () - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - AppInit_DLLs: mad.dll
O20 - Winlogon Notify: qomebrqo - C:\WINDOWS\system32\qoMeBrqo.dll
O20 - Winlogon Notify: winctrl32 - C:\WINDOWS\system32\WinCtrl32.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\SYSTEM32\mssrv32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 12184 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,2
.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - shell\open\command - unable to read value
.txt - txtfile - shell\open\command - notepad.exe %1
.vbs - VBSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 winot73 - c:\windows\system32\drivers\winot73.sys (file missing)
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S0 Teefer (Teefer for NT) - c:\windows\\systemroot\system32\drivers\teefer.sys (file missing)
S1 hcnwg4u - c:\windows\system32\hcnwg4u.sys
S1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys (file missing)
S2 PAVDRV (Panda anti-virus driver) - c:\windows\system32\drivers\pavdrv51.sys (file missing)
S2 wg3n (SyGate for NT, wg3n) - c:\windows\system32\drivers\wg3n.sys (file missing)
S3 ComFiltr (Panda Anti-Dialer) - c:\windows\system32\drivers\comfiltr.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 rdriv - c:\windows\system32\rdriv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 antivirscheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 AIM (AOL Instant Messanger) - "c:\windows\aim.exe" (file missing)
S2 msupdate (Microsoft security update service) - c:\windows\system32\mssrv32.exe
S2 PAVFIRES (Panda Firewall Service) - c:\program files\panda software\panda platinum internet security\firewall\pavfires.exe (file missing)
S2 PAVSRV (Panda anti-virus service) - "c:\program files\panda software\panda platinum internet security\pavsrv51.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-07 10:30:02 390 --a------ C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job
2008-06-07 09:00:02 502 --a------ C:\WINDOWS\Tasks\Tune-up Application Start.job
2008-06-03 01:00:04 494 --a------ C:\WINDOWS\Tasks\Maintenance-Defragment programs.job
2008-06-01 00:30:02 532 --a------ C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job
2004-08-25 15:59:32 346 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1085255803.job


-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-09 09:59:46 0 dr-h----- C:\Documents and Settings\Alyssa\Recent
2008-06-09 02:23:34 92544 --a------ C:\WINDOWS\system32\mmyqocpv.dll
2008-06-08 19:55:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-08 19:51:26 0 d-------- C:\Program Files\Panda Security
2008-06-08 19:51:11 0 d-------- C:\WINDOWS\LastGood
2008-06-08 18:42:12 7680 --a------ C:\Documents and Settings\Guest\cftmon.exe
2008-06-08 08:08:58 92544 --a------ C:\WINDOWS\system32\qawcoiug.dll
2008-06-08 06:34:20 7680 --a------ C:\Documents and Settings\Alyssa\cftmon.exe
2008-06-08 06:33:41 7680 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-06-07 23:10:33 12792 -----n--- C:\WINDOWS\system32\mssrv32.exe
2008-06-06 21:37:45 0 d-------- C:\Program Files\Avira
2008-06-06 21:37:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-06 21:17:42 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-06 20:18:26 92544 --a------ C:\WINDOWS\system32\cbblbqiu.dll
2008-06-06 20:16:35 391428 --ahs---- C:\WINDOWS\system32\OrtCIkkj.ini2
2008-06-06 20:16:27 320256 --a------ C:\WINDOWS\system32\jkkICtrO.dll
2008-06-06 20:11:23 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-06-06 20:11:05 29824 --a------ C:\WINDOWS\system32\qoMeBrqo.dll
2008-06-06 20:10:44 139264 --a------ C:\WINDOWS\eslm.exe
2008-06-06 20:10:43 81920 --a------ C:\WINDOWS\xbqmfsed.exe
2008-06-06 20:10:43 245760 --a------ C:\WINDOWS\nogxfvblqld.dll
2008-06-06 20:07:44 0 --a------ C:\274013913
2008-06-06 20:07:36 7680 --a------ C:\WINDOWS\system32\drivers\spools.exe
2008-06-06 20:07:22 71602 --a------ C:\WINDOWS\system32\hcnwg4u.sys
2008-06-06 20:07:20 7680 --a------ C:\xnphs.exe
2008-06-06 19:44:52 0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-06 19:44:28 0 d-------- C:\Program Files\Windows Live
2008-06-06 19:43:24 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-04 08:39:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-11 14:27:00 0 d-------- C:\Program Files\TV Media


-- Find3M Report ---------------------------------------------------------------

2008-05-11 14:21:58 7168 --ahs---- C:\Program Files\Common Files\Thumbs.db
2008-04-22 15:55:20 0 d-------- C:\Documents and Settings\Alyssa\Application Data\acccore
2008-04-22 15:46:54 0 d-------- C:\Program Files\AIM6


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c212643f-e3bb-4797-8458-d7d1c455677f}]
06/06/2008 08:11 PM 29824 --a------ C:\WINDOWS\system32\qoMeBrqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d}]
C:\WINDOWS\system32\jfiehayd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA7DC5AC-FD40-45FA-9F03-A66A4D467B63}]
06/06/2008 08:16 PM 320256 --a------ C:\WINDOWS\system32\jkkICtrO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [06/06/2008 08:07 PM]
"advap32"="C:\DOCUME~1\Alyssa\LOCALS~1\Temp\rbnpsrv.exe/r" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/24/2006 03:24 AM]
"autoload"="C:\Documents and Settings\Alyssa\cftmon.exe" [06/06/2008 08:07 PM]
"10551e76"="C:\WINDOWS\system32\mmyqocpv.dll" [06/09/2008 02:23 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jdgf894jrghoiiskd"="C:\DOCUME~1\Alyssa\LOCALS~1\Temp\winlogan.exe" []
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [06/06/2008 08:07 PM]
"InstallProgram"="C:\DOCUME~1\Alyssa\LOCALS~1\Temp\setup_526_1_.exe" []
"Jnskdfmf9eldfd"="C:\DOCUME~1\Alyssa\LOCALS~1\Temp\csrssc.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"autoload"="C:\Documents and Settings\Alyssa\cftmon.exe" [06/06/2008 08:07 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"oiwo"=C:\PROGRA~1\COMMON~1\oiwo\oiwom.exe
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C212643F-E3BB-4797-8458-D7D1C455677F}"= C:\WINDOWS\system32\qoMeBrqo.dll [06/06/2008 08:11 PM 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomebrqo]
qoMeBrqo.dll 06/06/2008 08:11 PM 29824 C:\WINDOWS\SYSTEM32\qoMeBrqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winctrl32]
WinCtrl32.dll 06/08/2008 08:05 AM 15360 C:\WINDOWS\SYSTEM32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=mad.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkICtrO

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winot73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Runner.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Runner.LNK
backup=C:\WINDOWS\pss\Runner.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jerisue^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\jerisue\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
C:\Program Files\Bargain Buddy\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate]
C:\WINDOWS\DHUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
C:\PROGRA~1\Web Offer\wo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIUL.EXE]
C:\Program Files\Alset\HelpExpress\jerisue\HXIUL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
msblast.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqjibmmkbzwl]
C:\WINDOWS\System32\qnlrbt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyStartUp"=C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf
"Tour"=C:\WINDOWS\wincool.exe /30m

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"mgavrtclexe"=C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
"wcmdmgr"=C:\WINDOWS\wt\wcmdmgrl.exe -launch
"LoadQM"=loadqm.exe
"CMESys"="C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
"webHancer Agent"="C:\Program Files\webHancer\Programs\whAgent.exe"
"OEMCleanup"=C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*Newly Created Service* - RKPAVPROC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-06-09 10:20:48 ------------

Also, I noticed after I scanned with Deckard's System Scanner, some stuff got put into My Documents, like some images, and something called "desktop.ini", "hpothb07.dat", "hpothb07.tif", and "Thumbs.db".

I can delete them, right? What are they?
Attached Files
File Type: txt extra.txt (17.9 KB, 8 views)

Last edited by tetonbob; 06-12-2008 at 08:59 PM.

Old 06-12-2008, 08:28 AM   #2 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

Bump!
Old 06-12-2008, 09:13 PM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home


Re: Ah, spyware! Help!!

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

We may not be able to solve all these issues. This machine is heavily infected.

Quite often when a system exhibits such behavior, it's best to reinstall the operating system. We can try to clean the infection, and see if it gets better.

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------

Please do not wrap logs in size 1 tags; it makes them more difficult to review.

Thanks.

---------------------------------------------------------------------------------------------

Quote:
"desktop.ini", "hpothb07.dat", "hpothb07.tif", and "Thumbs.db"
These are legit files which are typically hidden. Part of what DSS does is unhide hidden/system files. We restore that to normal when we're done.

---------------------------------------------------------------------------------------------

Run DSS again, using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"C:\Documents and Settings\Alyssa\Desktop\Installations\SpyWare Helpers\dss.exe" /daft

Click on Scan.

Tick the boxes which should appear for these entries:

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,2
.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - shell\open\command - unable to read value
.txt - txtfile - shell\open\command - notepad.exe %1
.vbs - VBSFile - shell\open\command - unable to read value


Then click on Fix.

Click Scan again, you should get a message "All Associations OK!" Next, click Save Log, and post this log in your next reply.

---------------------------------------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

If you have any questions along the way, STOP and ask them before proceeding.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

You are using an outdated version of HijackThis. Please uninstall from Add or Remove Programs, and then delete your current version.

Next, download HijackThis to your desktop

Alternate link

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Please post a new log with the updated version. Do not fix anything in HijackThis, since the entries may be harmless.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
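The File Associations block that the instructions above tell the poster to fix is the most important finding in the DSS log: the `.exe` handler has been rewritten so that `C:\WINDOWS\system32\drivers\spools.exe` starts before every program the user launches, which is why it has to be repaired before any cleanup tool is run. The script below is an added example, not code from DSS, HijackThis or anyone in this thread. It parses association lines in the format DSS prints and flags handlers that are hijacked or unreadable. The sample lines are the eight from the log above; the expected stock handlers (`"%1" %*` for executable types, `notepad.exe` for text and INI files, `wscript.exe` for script files, icons served from `shell32.dll`) are assumed Windows XP defaults and not values taken from the log.

```python
"""Flag hijacked file associations in a DSS-style "File Associations" block.

Added example for reviewing logs like the one in this thread; the expected
default handlers below are assumed XP defaults, not data from the log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the File Associations lines as DSS printed them above.
SAMPLE_ASSOCIATIONS = r"""
.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,2
.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - shell\open\command - unable to read value
.txt - txtfile - shell\open\command - notepad.exe %1
.vbs - VBSFile - shell\open\command - unable to read value
"""

# ProgIDs whose stock open command is exactly '"%1" %*' (assumed XP defaults).
EXEC_PROGIDS = {"exefile", "comfile", "batfile", "piffile", "scrfile"}
# Assumed stock handler program for non-executable types.
EXPECTED_OPEN_BASENAME = {
    "txtfile": "notepad.exe",
    "inifile": "notepad.exe",
    "jsfile": "wscript.exe",
    "vbsfile": "wscript.exe",
}
STOCK_EXEC_COMMAND = re.compile(r'^"%1"\s*%\*$')
FIRST_TOKEN = re.compile(r'^(?:"([^"]+)"|(\S+))')


@dataclass
class Finding:
    ext: str
    progid: str
    key: str
    value: str
    reason: str


def first_program(command: str) -> str:
    """Basename (lower-cased) of the first program named in a command string."""
    m = FIRST_TOKEN.match(command.strip())
    token = (m.group(1) or m.group(2)) if m else ""
    return token.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_association(ext: str, progid: str, key: str, value: str) -> Optional[str]:
    """Return a reason string if the association looks tampered with, else None."""
    v = value.strip()
    if v.lower() == "unable to read value":
        return "handler value unreadable or missing"
    k = key.lower()
    if k == r"shell\open\command":
        if progid.lower() in EXEC_PROGIDS:
            if STOCK_EXEC_COMMAND.match(v):
                return None
            # Anything named before "%1" is a wrapper that runs on every launch.
            return f"wrapper {first_program(v)!r} runs before every launch of {ext} files"
        expected = EXPECTED_OPEN_BASENAME.get(progid.lower())
        if expected and first_program(v) != expected:
            return f"unexpected handler {first_program(v)!r} (expected {expected!r})"
        return None
    if k == "defaulticon":
        # Icon values look like "path\shell32.dll,-153"; keep the module name only.
        module = first_program(v).split(",")[0]
        if module != "shell32.dll":
            return f"icon served from unexpected module {module!r}"
        return None
    return None


def check_log(text: str) -> List[Finding]:
    """Parse 'ext - progid - key - value' lines and collect suspicious entries."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("."):
            continue
        parts = line.split(" - ", 3)
        if len(parts) != 4:
            continue
        ext, progid, key, value = parts
        reason = check_association(ext, progid, key, value)
        if reason:
            findings.append(Finding(ext, progid, key, value, reason))
    return findings


if __name__ == "__main__":
    for f in check_log(SAMPLE_ASSOCIATIONS):
        print(f"{f.ext:5} {f.progid:8} {f.reason}")
```

Run against the sample it reports three entries: `.exe` (wrapper `spools.exe`), and `.js` and `.vbs` (unreadable handler, which is what an incomplete cleanup typically leaves behind). The `.txt` and `.ini` lines pass because their handler is the expected one even though the value is not an absolute path.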
Old 06-13-2008, 09:29 PM   #4 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

Thank you for replying! OK, I followed the steps for downloading the Recovery Console and ComboFix, but after I dragged the Recovery Console file into ComboFix, a little window popped up saying "Installation failed". What should I do? Should I try the whole thing over again by re-downloading it, or should I just try dragging it into ComboFix again?

Also, while that was up, the other window for... ComboFix, I assume (?), was still up, saying "Roughly 1/100 machines failed to make it through the disinfection process.....etc", but I'm honestly scared to click anything before I know what to do.
Old 06-13-2008, 09:34 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home


Re: Ah, spyware! Help!!

Quote:
Originally Posted by AlyssaM View Post
Thank you for replying! OK, I followed the steps for downloading the Recovery Console and ComboFix, but after I dragged the Recovery Console file into ComboFix, a little window popped up saying "Installation failed". What should I do? Should I try the whole thing over again by re-downloading it, or should I just try dragging it into ComboFix again?

Try renaming ComboFix.exe to CombbFx.exe and redo the process.

Also, while that was up, the other window for... ComboFix, I assume (?), was still up, saying "Roughly 1/100 machines failed to make it through the disinfection process.....etc", but I'm honestly scared to click anything before I know what to do.

That is part of the ComboFix disclaimer process. As I stated, this machine is quite infected. Some do not make it through the disinfection process. Most do.

Installing the Recovery Console first gives us options should something go wrong.
Old 06-14-2008, 07:33 AM   #6 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

I renamed it to CombbFx, yet it still pops up as Installation Failed. :/

Do you think that could somehow be from the virus?

I know I downloaded the right one.... I've got an XP Home edition with Service Pack 2 (I don't have the Windows XP CD, so I followed their steps on how to download the Recovery Console from Microsoft's website. :/ )
Old 06-14-2008, 08:19 AM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home


Re: Ah, spyware! Help!!

If you get to ComboFix disclaimer screen, which it seems you are, simply follow those prompts, and ignore the "installation failed". If there's an OK box for "installation failed" message, click on it, and continue.
Old 06-14-2008, 10:48 AM   #8 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

Thank you! Though after ComboFix ran its scan, I didn't notice anything about a report; it just rebooted my computer. But I did notice I got my automatic updates back. :]

So I have only my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48, on 2008-06-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware 2008\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitDefender\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Documents and Settings\Alyssa\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.lycos.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {AE8A5A64-468B-4052-869C-7179FB9CCAE3} - C:\WINDOWS\system32\jkkICtrO.dll (file missing)
O2 - BHO: (no name) - {C212643F-E3BB-4797-8458-D7D1C455677F} - C:\WINDOWS\system32\qoMeBrqo.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\IEToolbar.dll
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_20.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com/PhotoUpload/Ms...cab?10,0,911,0
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155644189618
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - http://upload.facebook.com/controls/...ploader4_5.cab
O20 - Winlogon Notify: qomebrqo - C:\WINDOWS\SYSTEM32\qoMeBrqo.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2008\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8109 bytes
Old 06-14-2008, 11:05 AM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home


Re: Ah, spyware! Help!!

Please explain why I now see three antivirus applications installed...

Avira, Panda and now Bitdefender

I see you have more than one Anti-Virus program installed, Avira, Panda Platinum Internet Security and now Bitdefender. While this may seem like greater protection, it can cause problems including slowdowns and system hangs. Choose one to keep and uninstall the others.

Any antivirus program must be removed via Add/Remove Programs.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall

Of the three, I would keep Avira. It's free, and effective. Your choice, though...but the choice must be made before we continue.



-----------------------------------------------------------------------

Once you've done that, please double-click on ComboFix.exe to run it. Post the log when it's completed its tasks. Also post a new HijackThis log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 06-14-2008 at 11:09 AM.
Old 06-14-2008, 01:26 PM   #10 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

Sorry. Ok, I kept Avira. But as for Panda-- we had installed that onto our computer a few years ago, but soon afterwards, I tried uninstalling it. It's still in the Add/Remove programs though, and when I try to click "Remove" to uninstall it, nothing happens. So I don't technically still have it, because I can't even access or open it-- the program isn't on my computer anywhere-- yet when I put the CD in to reinstall it, it says "a version of it is already installed". Yet it doesn't work or even really act like it's still installed. It's been like that for about 2 years now. Is that still bad?

And, although HijackThis says it's under C:\Program Files\Panda Software.... I don't seem to actually have that folder in my program files.

ComboFix 08-06-12.2 - Alyssa 2008-06-14 14:58:14.2 - FAT32x86
Running from: C:\Documents and Settings\Alyssa\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\qoMeBrqo.dll
.
---- Previous Run -------
.
C:\Documents and Settings\Alyssa\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
C:\Program Files\Common Files\SLMSS
C:\Program Files\Common Files\SLMSS\acp1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\nogxfvblqld.dll
C:\WINDOWS\start.exe
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\SYSTEM32\guiocwaq.ini
C:\WINDOWS\system32\ho.ln
C:\WINDOWS\system32\jkkICtrO.dll
C:\WINDOWS\system32\ko.o
C:\WINDOWS\system32\mn.n
C:\WINDOWS\SYSTEM32\OrtCIkkj.ini
C:\WINDOWS\SYSTEM32\OrtCIkkj.ini2
C:\WINDOWS\system32\qawcoiug.dll
C:\WINDOWS\SYSTEM32\siqsadqq.ini
C:\WINDOWS\system32\uiqblbbc.ini
C:\WINDOWS\SYSTEM32\vpcoqymm.ini
C:\WINDOWS\system32\wcpsvcc.exe
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\xxtdnecc.ini
C:\WINDOWS\timessquare1.dat
C:\WINDOWS\Web\default.htt
C:\WINDOWS\xbqmfsed.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_msupdate
-------\Legacy_RDRIV
-------\Service_cmdService
-------\Service_hcnwg4u
-------\Service_msupdate
-------\Service_rdriv


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 13:47 . 2008-06-14 13:47 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-06-14 09:25 . 2008-06-14 09:25 <DIR> d-------- C:\Combbfx
2008-06-13 14:39 . 2008-06-13 14:39 126 --a------ C:\Temp\ECDC.CMD
2008-06-13 14:34 . 2008-06-13 14:34 264 --a------ C:\WINDOWS\_delis32.ini
2008-06-12 21:29 . 2008-06-13 23:11 121 --a------ C:\WINDOWS\bdagent.INI
2008-06-12 21:24 . 2008-06-12 21:24 <DIR> d-------- C:\Program Files\Ad-Aware 2008
2008-06-12 21:24 . 2008-06-12 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 21:21 . 2008-06-12 21:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 21:04 . 2008-06-12 21:04 <DIR> d-------- C:\Program Files\BitDefender
2008-06-12 20:57 . 2008-06-12 20:57 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-06-11 22:55 . 2008-06-11 22:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-06-11 12:44 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-06-11 12:44 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\dllcache\hidusb.sys
2008-06-11 11:11 . 2008-06-11 11:11 <DIR> d-------- C:\Program Files\TV Media
2008-06-10 09:49 . 2008-06-10 09:49 <DIR> d--hs---- C:\FOUND.069
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\Deckard
2008-06-08 08:28 . 2003-03-02 10:49 2,142 -ra------ C:\WINDOWS\SYSTEM32\autoexec.nt
2008-06-06 21:37 . 2008-06-06 21:37 <DIR> d-------- C:\Program Files\Avira
2008-06-06 21:37 . 2008-06-06 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-06 21:17 . 2008-06-06 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-06 20:10 . 2008-06-06 14:49 139,264 --a------ C:\WINDOWS\eslm.exe
2008-06-06 20:07 . 2008-06-06 20:07 0 --a------ C:\274013913
2008-06-06 19:44 . 2008-06-06 19:44 <DIR> d-------- C:\Program Files\Windows Live
2008-06-06 19:44 . 2008-06-06 19:44 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-06 19:43 . 2008-06-06 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-04 08:39 . 2008-06-04 08:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 18:21 7,168 --sha-w C:\Program Files\Common Files\Thumbs.db
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 19:55 --------- d-----w C:\Documents and Settings\Alyssa\Application Data\acccore
2008-04-22 19:46 --------- d-----w C:\Program Files\AIM6
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-02-04 21:09 49,985,276 ----a-w C:\Documents and Settings\Alyssa\My Documents.zip
2008-01-06 14:21 7,168 --sha-w C:\Program Files\Thumbs.db
2005-06-16 16:42 572 ---ha-w C:\Documents and Settings\Alyssa\hpothb07.dat
2004-11-24 00:19 0 ----a-w C:\Documents and Settings\Alyssa\romlst.dat
2004-11-14 23:02 230,237 ----a-w C:\Documents and Settings\Alyssa\Application Data\tvmknwrd.dll
2004-09-04 23:00 344 ----a-w C:\Program Files\ClearSearchcsie_ron_campaigns.dat
2004-09-04 23:00 296 ----a-w C:\Program Files\ClearSearchcsie_mpu_patterns.dat
2004-09-04 23:00 208 ----a-w C:\Program Files\ClearSearchcsie_mpu_rules.dat
2004-09-04 23:00 136 ----a-w C:\Program Files\ClearSearchcsie_ron_rules.dat
2004-09-04 22:59 88 ----a-w C:\Program Files\ClearSearchcsie_usb_rules.dat
2004-09-04 22:59 482 ----a-w C:\Program Files\ClearSearchcsie_checks.dat
2004-09-04 22:59 3,568 ----a-w C:\Program Files\ClearSearchcsie_usb_campaigns.dat
2004-09-04 22:59 256 ----a-w C:\Program Files\ClearSearchcsie_ss_rules.dat
2004-09-04 22:59 2,976 ----a-w C:\Program Files\ClearSearchcsie_tsb_patterns.dat
2004-09-04 22:59 2,560 ----a-w C:\Program Files\ClearSearchcsie_tsb_edomains.dat
2004-09-04 22:59 2,560 ----a-w C:\Program Files\ClearSearchcsie_ss_edomains.dat
2004-09-04 22:59 18,712 ----a-w C:\Program Files\ClearSearchcsie_usb_patterns.dat
2004-09-04 22:59 136 ----a-w C:\Program Files\ClearSearchcsie_tsb_campaigns.dat
2004-09-04 22:59 104 ----a-w C:\Program Files\ClearSearchcsie_tsb_rules.dat
2004-09-04 22:59 0 ----a-w C:\Program Files\ClearSearchcsie_ss_idomainsd.dat
2003-01-26 18:23 271 --sh--w C:\Program Files\desktop.ini
2003-01-26 18:23 23,357 ---h--w C:\Program Files\folder.htt
1999-02-22 21:46 148,992 ----a-w C:\Program Files\UNWISE.EXE
1984-11-08 16:21 500 ---ha-w C:\Documents and Settings\Alyssa\Application Data\MSWWINEDRVM7.DLL
2005-01-12 13:15 3,547 --sha-w C:\WINDOWS\geses.dat
2005-01-29 04:25 3,547 --sha-w C:\WINDOWS\klhww.dat
2005-01-16 17:40 3,547 --sha-w C:\WINDOWS\moxxj.dat
2006-10-29 16:29 2,516 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-10-29 16:29 88 --sh--r C:\WINDOWS\SYSTEM32\BC2E574C5F.sys
2003-12-18 17:41 1,133 --sh--w C:\WINDOWS\SYSTEM32\YgzI.exe
2005-01-10 10:24 4,354 --sha-w C:\WINDOWS\SYSTEM32\kntiz.dat
2005-01-02 07:02 0 --sha-w C:\WINDOWS\SYSTEM32\dzkrp.dat
2005-01-06 14:22 3,547 --sha-w C:\WINDOWS\SYSTEM32\kjulb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"oiwo"="C:\PROGRA~1\COMMON~1\oiwo\oiwom.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winot73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpu27.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Runner.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Runner.LNK
backup=C:\WINDOWS\pss\Runner.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jerisue^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\jerisue\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
C:\Program Files\Bargain Buddy\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate]
C:\WINDOWS\DHUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
C:\PROGRA~1\Web Offer\wo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIUL.EXE]
C:\Program Files\Alset\HelpExpress\jerisue\HXIUL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
C:\WINDOWS\Downloaded Program Files\bridge.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-18 10:28 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p C:\Program Files\WebSavingsfromEbates\System\Code Main lp: C:\Program Files\WebSavingsfromEbates

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqjibmmkbzwl]
C:\WINDOWS\System32\qnlrbt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyStartUp"=C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf
"Tour"=C:\WINDOWS\wincool.exe /30m

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"mgavrtclexe"=C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
"wcmdmgr"=C:\WINDOWS\wt\wcmdmgrl.exe -launch
"LoadQM"=loadqm.exe
"CMESys"="C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
"webHancer Agent"="C:\Program Files\webHancer\Programs\whAgent.exe"
"OEMCleanup"=C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\ccapp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Documents and Settings\\Alyssa\\Desktop\\Installations\\uTorrent.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys [2001-10-24 19:16]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-04-21 00:33]
S0 winot73;winot73;C:\WINDOWS\system32\Drivers\Winot73.sys []
S0 Winpu27;Winpu27;C:\WINDOWS\system32\Drivers\Winpu27.sys []
S2 AIM;AOL Instant Messanger;"C:\WINDOWS\aim.exe" []
S2 PAVFIRES;Panda Firewall Service;C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\System32\DRIVERS\COMFiltr.sys []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 13:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-06-14 19:10:22 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-06-03 05:00:04 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2008-06-01 04:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
"2004-08-25 19:59:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1085255803.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 15:14:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ad-Aware 2008\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-06-14 15:18:28 - machine was rebooted [Alyssa]
ComboFix-quarantined-files.txt 2008-06-14 19:18:12

Pre-Run: 5,022,629,888 bytes free
Post-Run: 5,011,767,296 bytes free

281 --- E O F --- 2008-05-28 16:01:22

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:23 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware 2008\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alyssa\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.lycos.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_20.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com/PhotoUpload/Ms...cab?10,0,911,0
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155644189618
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - http://upload.facebook.com/controls/...ploader4_5.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2008\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6638 bytes
Old 06-14-2008, 02:02 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home


Re: Ah, spyware! Help!!

OK, that looks better, and explains things.

Try using this approach to remove the Panda remnants.

Follow these instructions for Panda's removal:
Quote:
Download UNINST_v1012.exe

## It's IMPORTANT that you save this file to Desktop. This file should never be saved directly to the C:\ drive.

Double clicking UNINST_v1012.exe will open an MS-DOS window.
Press Y to start the process.
When the process completes, the message NEED REBOOT appears on screen.
Restart the computer to complete the process.

Note: This process could take a few minutes.
Post a new log from Deckard's System Scanner after that, and we'll proceed based on those results.
Old 06-14-2008, 08:02 PM   #12 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

Hah, thank you! I've needed that for a long time now!

Deckard's System Scanner v20071014.68
Run by Alyssa on 2008-06-14 21:57:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Alyssa.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:17 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware 2008\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Alyssa\Desktop\Installations\SpyWare Helpers\dss.exe
C:\DOCUME~1\Alyssa\Desktop\Alyssa.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.lycos.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_20.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com/PhotoUpload/Ms...cab?10,0,911,0
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155644189618
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - http://upload.facebook.com/controls/...ploader4_5.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2008\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6338 bytes

-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 21:49:29 0 --a------ C:\Autoexec.bat
2008-06-14 21:13:57 0 dr-h----- C:\Documents and Settings\Alyssa\Recent
2008-06-14 13:47:48 0 d-------- C:\Program Files\Common Files\Panda Software
2008-06-14 11:48:45 0 d-------- C:\cmdcons
2008-06-14 09:25:34 0 d-------- C:\Combbfx
2008-06-13 23:12:20 68096 --a------ C:\WINDOWS\zip.exe
2008-06-13 23:12:20 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-13 23:12:20 98816 --a------ C:\WINDOWS\sed.exe
2008-06-13 23:12:20 80412 --a------ C:\WINDOWS\grep.exe
2008-06-13 23:12:20 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-13 23:12:19 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-13 23:12:19 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-13 23:12:19 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-12 21:24:40 0 d-------- C:\Program Files\Ad-Aware 2008
2008-06-12 21:24:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 21:21:51 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 21:04:09 0 d-------- C:\Program Files\BitDefender
2008-06-12 20:57:24 0 d-------- C:\Program Files\Common Files\BitDefender
2008-06-11 22:55:50 0 d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-06-11 11:11:02 0 d-------- C:\Program Files\TV Media
2008-06-10 09:49:04 0 d--hs---- C:\FOUND.069
2008-06-08 19:55:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-06 21:37:45 0 d-------- C:\Program Files\Avira
2008-06-06 21:37:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-06 21:17:42 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-06 20:10:44 139264 --a------ C:\WINDOWS\eslm.exe
2008-06-06 20:07:44 0 --a------ C:\274013913
2008-06-06 19:44:52 0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-06 19:44:28 0 d-------- C:\Program Files\Windows Live
2008-06-06 19:43:24 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-04 08:39:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater


-- Find3M Report ---------------------------------------------------------------

2008-05-11 14:21:58 7168 --ahs---- C:\Program Files\Common Files\Thumbs.db
2008-04-22 15:55:20 0 d-------- C:\Documents and Settings\Alyssa\Application Data\acccore
2008-04-22 15:46:54 0 d-------- C:\Program Files\AIM6


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"oiwo"=C:\PROGRA~1\COMMON~1\oiwo\oiwom.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winot73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpu27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Runner.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Runner.LNK
backup=C:\WINDOWS\pss\Runner.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jerisue^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\jerisue\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
C:\Program Files\Bargain Buddy\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate]
C:\WINDOWS\DHUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
C:\PROGRA~1\Web Offer\wo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIUL.EXE]
C:\Program Files\Alset\HelpExpress\jerisue\HXIUL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
msblast.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqjibmmkbzwl]
C:\WINDOWS\System32\qnlrbt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyStartUp"=C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf
"Tour"=C:\WINDOWS\wincool.exe /30m

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"mgavrtclexe"=C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
"wcmdmgr"=C:\WINDOWS\wt\wcmdmgrl.exe -launch
"LoadQM"=loadqm.exe
"CMESys"="C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
"webHancer Agent"="C:\Program Files\webHancer\Programs\whAgent.exe"
"OEMCleanup"=C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-06-14 21:59:55 ------------
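A small triage script for the HijackThis log format shown in the post above, added here as an example and not part of this thread or of HijackThis, Deckard's System Scanner or ComboFix: it parses the numbered `Oxx - ` entries and flags the kinds of lines a helper checks first (references to files that no longer exist, unrecognised Winsock LSPs, ActiveX controls fetched from a bare IP address, SharedTaskScheduler hooks). The sample input is a constructed subset copied from the log above; the flagging heuristics are assumptions of my own, not HijackThis's own verdicts.

```python
import re
from typing import Dict, List

# Constructed sample input: a subset of the HijackThis log posted above,
# copied verbatim so the parser sees real-looking lines. Header and process
# list lines are included to show that they are skipped.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_20.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Every HijackThis finding is "<section code> - <body>", e.g. "O4 - HKCU\..\Run: ...".
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# HijackThis appends these when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# A download URL whose host is a bare IPv4 literal rather than a hostname.
IP_LITERAL_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return the numbered entries of a HijackThis log as dicts with code, body and full line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "line": line})
    return entries


def classify(entry: Dict[str, str]) -> List[str]:
    """Heuristic reasons (my own assumptions, not HijackThis's) why an entry deserves a second look.

    An empty list means nothing here stood out; it is not a clean bill of health.
    """
    code, body = entry["code"], entry["body"]
    reasons = []
    if any(marker in body for marker in ORPHAN_MARKERS):
        reasons.append("orphaned: registry entry points at a file that no longer exists")
    if code == "O10":
        # Removing Winsock LSP entries by hand can break all networking; the
        # right response is to identify the DLL's vendor, not to delete blindly.
        reasons.append("Winsock LSP not recognised by HijackThis; identify the DLL before acting")
    if code == "O16" and IP_LITERAL_URL.search(body):
        reasons.append("ActiveX control (DPF) downloaded from a bare IP address instead of a hostname")
    if code == "O22":
        reasons.append("SharedTaskScheduler hook; legitimate ones are rare, check the CLSID and file")
    return reasons


def triage(text: str) -> List[Dict[str, object]]:
    """Parse a log and return only the entries that have at least one reason attached."""
    findings = []
    for entry in parse_hjt(text):
        reasons = classify(entry)
        if reasons:
            findings.append({"code": entry["code"], "line": entry["line"], "reasons": reasons})
    return findings


def section_counts(text: str) -> Dict[str, int]:
    """How many entries each section (R3, O4, O16, ...) contributed; a quick overview of the log."""
    counts: Dict[str, int] = {}
    for entry in parse_hjt(text):
        counts[entry["code"]] = counts.get(entry["code"], 0) + 1
    return counts


if __name__ == "__main__":
    print("entries per section:", section_counts(SAMPLE_LOG))
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['code']}] {finding['line']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```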
Old 06-14-2008, 08:20 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home


Re: Ah, spyware! Help!!

Ok, great...now I need some more information about some files.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\eslm.exe

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:
    • C:\WINDOWS\SYSTEM32\YgzI.exe
    • C:\WINDOWS\SYSTEM32\kntiz.dat
    • C:\Documents and Settings\Alyssa\Application Data\MSWWINEDRVM7.DLL

Last edited by tetonbob; 06-14-2008 at 08:34 PM.
Old 06-15-2008, 01:50 PM   #14 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

for eslm.exe:

File has already been analysed:
MD5: b73ead57d9a00c4917d6beea4eb86f57
First received: 06.07.2008 02:19:36 (CET)
Date: 06.08.2008 05:03:05 (CET) [>7D]
Results: 4/33
Permalink: http://www.virustotal.com/analisis/0...20c53e283659d0




for YgzI.exe:

File size: 1133 bytes
MD5...: 4d9646ff4c2fa1c59416ac99278155ef
SHA1..: 98817ad61b23d212aa2d216abd34157ac6995825
SHA256: ee28667a4305f41f4df7a33d466eb2b10b8a4670be2f361315d28af0881480e4
SHA512: 88668c90b1969ef8da20b9f727d340e04c54c77b001f5a566cec85bab0d7bcd6
53ed8546372227ecb6dfb955a72b32b1504bed7971641bc20b3f801c2a4adce6
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403698
timedatestamp.....: 0x3fa467ed (Sun Nov 02 02:11:57 2003)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x30824 0x31000 0.00 d41d8cd98f00b204e9800998ecf8427e
.data 0x32000 0xf38 0x1000 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x33000 0x388b0 0x39000 0.00 d41d8cd98f00b204e9800998ecf8427e

( 0 imports )

( 0 exports )

packers (Kaspersky): PE_Patch





for kntiz.dat

AhnLab-V3 2008.6.13.1 2008.06.15 -
AntiVir 7.8.0.55 2008.06.15 -
Authentium 5.1.0.4 2008.06.15 -
Avast 4.8.1195.0 2008.06.15 -
AVG 7.5.0.516 2008.06.14 -
BitDefender 7.2 2008.06.15 -
CAT-QuickHeal 9.50 2008.06.14 -
ClamAV 0.92.1 2008.06.15 -
DrWeb 4.44.0.09170 2008.06.15 -
eSafe 7.0.15.0 2008.06.15 -
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.15 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.15 -
Fortinet 3.14.0.0 2008.06.15 -
GData 2.0.7306.1023 2008.06.15 -
Ikarus T3.1.1.26.0 2008.06.15 -
Kaspersky 7.0.0.125 2008.06.15 -
McAfee 5317 2008.06.13 -
Microsoft 1.3604 2008.06.15 -
NOD32v2 3187 2008.06.15 -
Norman 5.80.02 2008.06.13 -
Panda 9.0.0.4 2008.06.15 -
Prevx1 V2 2008.06.15 -
Rising 20.48.62.00 2008.06.15 -
Sophos 4.30.0 2008.06.15 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.15 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.15 -

Additional information
File size: 4354 bytes
MD5...: c7d99561430a97adfeb42d579e8e9f22
SHA1..: cfac6af675e79cf22d4b5b07b8d8a086af6501f0
SHA256: 2d9a757bb55c0cebc80dd8b5780dbfd4aa597d32895b74de24d865c3870945f0
SHA512: 5c195868d9f0e3845a4cc90b314ba116723129e2822f17133af611bcbcd5b52b
d078c6b1042d5145a590cfefca407ad5f23a8cccfb8767392e30786d76caab39
PEiD..: -
PEInfo: -





for mswwinedrvm7.dll:

AhnLab-V3 2008.6.13.1 2008.06.15 -
AntiVir 7.8.0.55 2008.06.15 -
Authentium 5.1.0.4 2008.06.15 -
Avast 4.8.1195.0 2008.06.15 -
AVG 7.5.0.516 2008.06.15 -
BitDefender 7.2 2008.06.15 -
CAT-QuickHeal 9.50 2008.06.14 -
ClamAV 0.92.1 2008.06.15 -
DrWeb 4.44.0.09170 2008.06.15 -
eSafe 7.0.15.0 2008.06.15 -
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.15 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.15 -
Fortinet 3.14.0.0 2008.06.15 -
GData 2.0.7306.1023 2008.06.15 -
Ikarus T3.1.1.26.0 2008.06.15 -
Kaspersky 7.0.0.125 2008.06.15 -
McAfee 5317 2008.06.13 -
Microsoft 1.3604 2008.06.15 -
NOD32v2 3187 2008.06.15 -
Norman 5.80.02 2008.06.13 -
Panda 9.0.0.4 2008.06.15 -
Prevx1 V2 2008.06.15 -
Rising 20.48.62.00 2008.06.15 -
Sophos 4.30.0 2008.06.15 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.15 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.15 -
Additional information
File size: 500 bytes
MD5...: b7ff783f3177b80b802257da1d00e20f
SHA1..: 9abfc033f26aa78e438f2c08b1f7ebf6d344d080
SHA256: becf981dd2178dcb5478127d3e8132c4fe4d6977babe958b2f6a47c787cb532b
SHA512: 84e5a327bbc179e0148287665683334033b64ef04d22ca4be30dfc9bf422e6cc
5159c59ed5c77db5bfea1e057a86dfaab27a83f9e3974ffe63491f9cf4f00422
PEiD..: -
PEInfo: -
Old 06-15-2008, 02:26 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home


Re: Ah, spyware! Help!!

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disconnect from the internet....pull the plug!
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

    Web Savings from Ebates
    Viewpoint Media Player
    Viewpoint Manager
    <<<this is considered foistware instead of malware since it is installed without users' approval, but doesn't spy or do anything "bad". Read this article: http://www.clickz.com/news/article.php/3561546

    Additional info: http://vil.nai.com/vil/content/v_137262.htm

    ---------------------------------------------------------------------------------------------
  4. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    File::
    C:\WINDOWS\DHUpdt.exe
    C:\Program Files\Alset\HelpExpress\jerisue\HXIUL.EXE
    C:\WINDOWS\System32\SahAgent.exe
    C:\WINDOWS\System32\qnlrbt.exe
    C:\WINDOWS\system32\Drivers\Winot73.sys
    C:\WINDOWS\system32\Drivers\Winpu27.sys
    C:\Documents and Settings\Alyssa\Application Data\tvmknwrd.dll
    C:\Program Files\ClearSearchcsie_ron_campaigns.dat
    C:\Program Files\ClearSearchcsie_mpu_patterns.dat
    C:\Program Files\ClearSearchcsie_mpu_rules.dat
    C:\Program Files\ClearSearchcsie_ron_rules.dat
    C:\Program Files\ClearSearchcsie_usb_rules.dat
    C:\Program Files\ClearSearchcsie_checks.dat
    C:\Program Files\ClearSearchcsie_usb_campaigns.dat
    C:\Program Files\ClearSearchcsie_ss_rules.dat
    C:\Program Files\ClearSearchcsie_tsb_patterns.dat
    C:\Program Files\ClearSearchcsie_tsb_edomains.dat
    C:\Program Files\ClearSearchcsie_ss_edomains.dat
    C:\Program Files\ClearSearchcsie_usb_patterns.dat
    C:\Program Files\ClearSearchcsie_tsb_campaigns.dat
    C:\Program Files\ClearSearchcsie_tsb_rules.dat
    C:\Program Files\ClearSearchcsie_ss_idomainsd.dat
    C:\WINDOWS\geses.dat
    C:\WINDOWS\klhww.dat
    C:\WINDOWS\moxxj.dat
    C:\WINDOWS\SYSTEM32\YgzI.exe
    C:\WINDOWS\SYSTEM32\kntiz.dat
    C:\WINDOWS\SYSTEM32\dzkrp.dat
    C:\WINDOWS\SYSTEM32\kjulb.dat
    C:\WINDOWS\eslm.exe
    C:\274013913

    Folder::
    C:\PROGRA~1\COMMON~1\oiwo
    C:\Program Files\Bargain Buddy
    C:\PROGRA~1\Web Offer
    C:\PROGRA~1\VBOUNCER
    C:\Program Files\VVSN
    C:\Program Files\BitDefender
    C:\Program Files\Common Files\BitDefender
    C:\Program Files\TV Media

    Driver::
    winot73
    Winpu27

    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "oiwo"=-
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winot73.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpu27.sys]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIUL.EXE]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqjibmmkbzwl]




    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
  8. Re-establish an internet connection.
  9. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
Old 06-15-2008, 05:33 PM   #16 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

I attached the logs-- there were too many characters with them. :]
Attached Files
File Type: txt comboscan log.txt (131.1 KB, 2 views)
File Type: txt hijackthis log.txt (6.7 KB, 1 views)
Old 06-15-2008, 07:00 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home


Re: Ah, spyware! Help!!

Hello -

It appears as though you've saved the logs in some text editor other than notepad. The formatting is off.

Edit:

Never mind...I converted them....:smile:

ComboFix 08-06-12.2 - Alyssa 2008-06-15 18:43:28.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.74 [GMT -4:00]
Running from: C:\Documents and Settings\Alyssa\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alyssa\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\274013913
C:\Documents and Settings\Alyssa\Application Data\tvmknwrd.dll
C:\Program Files\Alset\HelpExpress\jerisue\HXIUL.EXE
C:\Program Files\ClearSearchcsie_checks.dat
C:\Program Files\ClearSearchcsie_mpu_patterns.dat
C:\Program Files\ClearSearchcsie_mpu_rules.dat
C:\Program Files\ClearSearchcsie_ron_campaigns.dat
C:\Program Files\ClearSearchcsie_ron_rules.dat
C:\Program Files\ClearSearchcsie_ss_edomains.dat
C:\Program Files\ClearSearchcsie_ss_idomainsd.dat
C:\Program Files\ClearSearchcsie_ss_rules.dat
C:\Program Files\ClearSearchcsie_tsb_campaigns.dat
C:\Program Files\ClearSearchcsie_tsb_edomains.dat
C:\Program Files\ClearSearchcsie_tsb_patterns.dat
C:\Program Files\ClearSearchcsie_tsb_rules.dat
C:\Program Files\ClearSearchcsie_usb_campaigns.dat
C:\Program Files\ClearSearchcsie_usb_patterns.dat
C:\Program Files\ClearSearchcsie_usb_rules.dat
C:\WINDOWS\DHUpdt.exe
C:\WINDOWS\eslm.exe
C:\WINDOWS\geses.dat
C:\WINDOWS\klhww.dat
C:\WINDOWS\moxxj.dat
C:\WINDOWS\system32\Drivers\Winot73.sys
C:\WINDOWS\system32\Drivers\Winpu27.sys
C:\WINDOWS\SYSTEM32\dzkrp.dat
C:\WINDOWS\SYSTEM32\kjulb.dat
C:\WINDOWS\SYSTEM32\kntiz.dat
C:\WINDOWS\System32\qnlrbt.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\SYSTEM32\YgzI.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\274013913
C:\Documents and Settings\Alyssa\Application Data\tvmknwrd.dll
C:\PROGRA~1\COMMON~1\oiwo
C:\PROGRA~1\COMMON~1\oiwo\oiwoa.lck
C:\PROGRA~1\COMMON~1\oiwo\oiwod\class-barrel
C:\PROGRA~1\COMMON~1\oiwo\oiwol.lck
C:\PROGRA~1\COMMON~1\oiwo\oiwom.lck
C:\Program Files\BitDefender
C:\Program Files\BitDefender\NAG\Close2Exp\bgd_gas.jpg
C:\Program Files\BitDefender\NAG\Close2Exp\btn_black.png
C:\Program Files\BitDefender\NAG\Close2Exp\btn_red.png
C:\Program Files\BitDefender\NAG\Close2Exp\check.gif
C:\Program Files\BitDefender\NAG\Close2Exp\main_bgd.png
C:\Program Files\BitDefender\NAG\Close2Exp\restricted.gif
C:\Program Files\BitDefender\NAG\Close2Exp\Thumbs.db
C:\Program Files\BitDefender\NAG\Expired\bgd_expired.jpg
C:\Program Files\BitDefender\NAG\Expired\btn_black.png
C:\Program Files\BitDefender\NAG\Expired\btn_red.png
C:\Program Files\BitDefender\NAG\Expired\check.gif
C:\Program Files\BitDefender\NAG\Expired\main_bgd.png
C:\Program Files\BitDefender\NAG\Expired\restricted.gif
C:\Program Files\BitDefender\NAG\Expired\Thumbs.db
C:\Program Files\BitDefender\NAG\Invalid\bgd_invalid.jpg
C:\Program Files\BitDefender\NAG\Invalid\btn_black.png
C:\Program Files\BitDefender\NAG\Invalid\btn_red.png
C:\Program Files\BitDefender\NAG\Invalid\check.gif
C:\Program Files\BitDefender\NAG\Invalid\main_bgd.png
C:\Program Files\BitDefender\NAG\Invalid\restricted.gif
C:\Program Files\BitDefender\NAG\Invalid\Thumbs.db
C:\Program Files\BitDefender\NAG\Trial\bgd_av.jpg
C:\Program Files\BitDefender\NAG\Trial\bgd_expired.jpg
C:\Program Files\BitDefender\NAG\Trial\bgd_gas.jpg
C:\Program Files\BitDefender\NAG\Trial\box_av.jpg
C:\Program Files\BitDefender\NAG\Trial\btn_black.png
C:\Program Files\BitDefender\NAG\Trial\btn_red.png
C:\Program Files\BitDefender\NAG\Trial\check.gif
C:\Program Files\BitDefender\NAG\Trial\expired_trial.html
C:\Program Files\BitDefender\NAG\Trial\main_bgd.png
C:\Program Files\BitDefender\NAG\Trial\restricted.gif
C:\Program Files\BitDefender\NAG\Trial\Thumbs.db
C:\Program Files\BitDefender\NAG\Trial\trial_d1.html
C:\Program Files\BitDefender\NAG\Trial\trial_d2_d22.html
C:\Program Files\BitDefender\NAG\Trial\trial_d23_d30.html
C:\Program Files\ClearSearchcsie_checks.dat
C:\Program Files\ClearSearchcsie_mpu_patterns.dat
C:\Program Files\ClearSearchcsie_mpu_rules.dat
C:\Program Files\ClearSearchcsie_ron_campaigns.dat
C:\Program Files\ClearSearchcsie_ron_rules.dat
C:\Program Files\ClearSearchcsie_ss_edomains.dat
C:\Program Files\ClearSearchcsie_ss_idomainsd.dat
C:\Program Files\ClearSearchcsie_ss_rules.dat
C:\Program Files\ClearSearchcsie_tsb_campaigns.dat
C:\Program Files\ClearSearchcsie_tsb_edomains.dat
C:\Program Files\ClearSearchcsie_tsb_patterns.dat
C:\Program Files\ClearSearchcsie_tsb_rules.dat
C:\Program Files\ClearSearchcsie_usb_campaigns.dat
C:\Program Files\ClearSearchcsie_usb_patterns.dat
C:\Program Files\ClearSearchcsie_usb_rules.dat
C:\Program Files\Common Files\BitDefender
<snip>
C:\Program Files\TV Media
C:\Program Files\TV Media\TvmBho.dll
C:\WINDOWS\eslm.exe
C:\WINDOWS\geses.dat
C:\WINDOWS\klhww.dat
C:\WINDOWS\moxxj.dat
C:\WINDOWS\SYSTEM32\dzkrp.dat
C:\WINDOWS\SYSTEM32\kjulb.dat
C:\WINDOWS\SYSTEM32\kntiz.dat
C:\WINDOWS\SYSTEM32\YgzI.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_winot73
-------\Service_winot73
-------\Service_Winpu27


((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 00:51 . 2008-06-15 00:52 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-14 13:47 . 2008-06-14 13:47 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-06-14 12:27 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-14 09:25 . 2008-06-14 09:25 <DIR> d-------- C:\Combbfx
2008-06-13 14:39 . 2008-06-13 14:39 126 --a------ C:\Temp\ECDC.CMD
2008-06-13 14:34 . 2008-06-13 14:34 264 --a------ C:\WINDOWS\_delis32.ini
2008-06-12 21:29 . 2008-06-13 23:11 121 --a------ C:\WINDOWS\bdagent.INI
2008-06-12 21:24 . 2008-06-12 21:24 <DIR> d-------- C:\Program Files\Ad-Aware 2008
2008-06-12 21:24 . 2008-06-12 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 21:21 . 2008-06-12 21:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 22:55 . 2008-06-11 22:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-06-11 12:44 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-06-11 12:44 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\dllcache\hidusb.sys
2008-06-10 09:49 . 2008-06-10 09:49 <DIR> d--hs---- C:\FOUND.069
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\Deckard
2008-06-08 08:28 . 2003-03-02 10:49 2,142 -ra------ C:\WINDOWS\SYSTEM32\autoexec.nt
2008-06-06 21:37 . 2008-06-06 21:37 <DIR> d-------- C:\Program Files\Avira
2008-06-06 21:37 . 2008-06-06 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-06 21:17 . 2008-06-06 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-06 19:44 . 2008-06-06 19:44 <DIR> d-------- C:\Program Files\Windows Live
2008-06-06 19:44 . 2008-06-06 19:44 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-06 19:43 . 2008-06-06 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-04 08:39 . 2008-06-04 08:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 18:21 7,168 --sha-w C:\Program Files\Common Files\Thumbs.db
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-04-22 19:55 --------- d-----w C:\Documents and Settings\Alyssa\Application Data\acccore
2008-04-22 19:46 --------- d-----w C:\Program Files\AIM6
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-02-04 21:09 49,985,276 ----a-w C:\Documents and Settings\Alyssa\My Documents.zip
2008-01-06 14:21 7,168 --sha-w C:\Program Files\Thumbs.db
2005-06-16 16:42 572 ---ha-w C:\Documents and Settings\Alyssa\hpothb07.dat
2004-11-24 00:19 0 ----a-w C:\Documents and Settings\Alyssa\romlst.dat
2003-01-26 18:23 271 --sh--w C:\Program Files\desktop.ini
2003-01-26 18:23 23,357 ---h--w C:\Program Files\folder.htt
1999-02-22 21:46 148,992 ----a-w C:\Program Files\UNWISE.EXE
1984-11-08 16:21 500 ---ha-w C:\Documents and Settings\Alyssa\Application Data\MSWWINEDRVM7.DLL
2006-10-29 16:29 2,516 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-10-29 16:29 88 --sh--r C:\WINDOWS\SYSTEM32\BC2E574C5F.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-14_15.17.17.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 19:04:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 22:55:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:06:22 347,136 ------w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:06:22 214,528 ------w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:06:22 133,120 ------w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:06:22 63,488 ------w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:24 70,656 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:06:22 153,088 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:06:22 230,400 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:26 161,792 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:06:26 267,776 ------w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:52 13,824 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:55:46 625,664 ------w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:06:26 27,648 ------w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-01 22:36:30 3,591,680 ------w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:06:28 478,208 ------w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:06:28 193,024 ------w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:06:30 671,232 ------w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:06:30 102,912 ------w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:06:30 44,544 ------w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:40 213,216 ------w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:06:30 105,984 ------w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:06:30 1,159,680 ------w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:06:32 826,368 ------w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
- 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
- 2008-03-01 13:06:22 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
- 2008-03-01 13:06:22 214,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
- 2008-03-01 13:06:22 133,120 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
- 2008-03-01 13:06:22 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
+ 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
- 2008-03-01 13:06:22 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
- 2008-03-01 13:06:22 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
- 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
- 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
- 2008-03-01 13:06:26 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
- 2008-03-01 13:06:26 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
- 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
- 2008-03-01 13:06:30 671,232 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
- 2008-03-01 13:06:30 102,912 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
- 2008-03-01 13:06:30 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
- 2008-03-01 13:06:30 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
+ 2008-04-23 04:16:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
- 2004-08-04 04:56:48 577,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\user32.dll
+ 2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\SYSTEM32\dllcache\user32.dll
- 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
+ 2008-04-23 04:16:30 233,472 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
- 2008-03-01 13:06:32 826,368 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
+ 2008-04-23 04:16:30 826,368 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
- 2004-08-04 03:10:38 274,304 ------w C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
- 2008-03-01 13:06:22 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2008-03-01 13:06:22 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2008-03-01 13:06:22 133,120 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2008-03-01 13:06:22 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
- 2008-02-29 08:55:24 70,656 ----a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
- 2008-03-01 13:06:22 153,088 ----a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
- 2008-03-01 13:06:22 230,400 ----a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
- 2008-02-15 05:44:26 161,792 ----a-w C:\WINDOWS\SYSTEM32\ieakui.dll
+ 2008-04-20 05:07:52 161,792 ----a-w C:\WINDOWS\SYSTEM32\ieakui.dll
- 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
- 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\SYSTEM32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\iernonce.dll
- 2008-03-01 13:06:26 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
- 2008-02-22 10:00:52 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
- 2008-03-01 13:06:26 27,648 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-05-29 23:35:12 17,486,968 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
- 2008-03-01 22:36:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-04-24 02:16:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2008-03-01 13:06:30 671,232 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2008-03-01 13:06:30 102,912 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
- 2008-03-01 13:06:30 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2006-12-10 18:10:02 14,640 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2007-11-30 11:18:52 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
- 2008-03-01 13:06:30 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-04-23 04:16:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2004-08-04 04:56:48 577,024 ----a-w C:\WINDOWS\SYSTEM32\user32.dll
+ 2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\SYSTEM32\user32.dll
- 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
+ 2008-04-23 04:16:30 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
- 2008-03-01 13:06:32 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2008-04-23 04:16:30 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Runner.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Runner.LNK
backup=C:\WINDOWS\pss\Runner.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jerisue^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\jerisue\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
C:\WINDOWS\Downloaded Program Files\bridge.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-18 10:28 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyStartUp"=C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf
"Tour"=C:\WINDOWS\wincool.exe /30m

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"mgavrtclexe"=C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
"wcmdmgr"=C:\WINDOWS\wt\wcmdmgrl.exe -launch
"LoadQM"=loadqm.exe
"CMESys"="C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
"webHancer Agent"="C:\Program Files\webHancer\Programs\whAgent.exe"
"OEMCleanup"=C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\ccapp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Documents and Settings\\Alyssa\\Desktop\\Installations\\uTorrent.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys [2001-10-24 19:16]
S2 AIM;AOL Instant Messanger;"C:\WINDOWS\aim.exe" []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\System32\DRIVERS\COMFiltr.sys []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-04-21 00:33]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 13:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-06-15 23:01:34 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-06-03 05:00:04 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2008-06-01 04:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
"2004-08-25 19:59:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1085255803.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 18:57:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\AD-AWARE 2008\AAWSERVICE.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-06-15 19:02:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 23:02:16
ComboFix2.txt 2008-06-14 19:18:32

Pre-Run: 5,291,556,864 bytes free
Post-Run: 5,285,806,080 bytes free

1326 --- E O F --- 2008-06-15 04:57:09
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 06-15-2008 at 07:04 PM.
Old 06-15-2008, 07:01 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home


Re: Ah, spyware! Help!!

Never mind...I converted them

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:13 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware 2008\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Alyssa\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.lycos.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_20.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com/PhotoUpload/Ms...cab?10,0,911,0
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155644189618
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - http://upload.facebook.com/controls/...ploader4_5.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2008\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6114 bytes
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 06-15-2008, 07:11 PM   #19
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,202
OS: 2000 Pro; XP Pro; XP Home

Re: Ah, spyware! Help!!

Open HijackThis and click on 'Do a System Scan Only'. Place a check next to the following entries if they exist (make sure you do not miss any) and click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.lycos.com/
R3 - URLSearchHook: (no name) - <default> - (no file)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)

Close HijackThis now.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now. Also post a new HijackThis log. Please do not save it in Wordpad. Save it in Notepad. Thanks.
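Added example, not code from the thread, from Trend Micro or from HijackThis: a small Python triage script for HJT log entries that flags the kind of lines tetonbob picked out above, targets that no longer exist ("(no file)" / "(file missing)") and an O22 SharedTaskScheduler whose name looks machine-generated. The random-name and raw-IP-host rules are heuristics I am assuming, not anything HijackThis computes; the sample log is constructed from entry lines posted in this thread.

```python
"""Triage helper for HijackThis v2 log entries.

Added example; not part of the forum thread or of HijackThis. It parses the
"R1 - ...", "O16 - ...", "O22 - ..." entry lines of a HJT log and flags:
  * orphan entries whose target is "(no file)" / "(file missing)"
  * O22 SharedTaskScheduler names that look machine-generated (heuristic)
  * O16 ActiveX downloads served from a bare IP address (heuristic)
A flag is a prompt to look closer, not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Entry lines look like "O22 - SharedTaskScheduler: <name> - {CLSID} - <target>".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumed heuristic: URL host is a dotted-quad IP rather than a hostname.
IP_HOST_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[/:]|$)")
VOWELS = set("aeiou")


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Assumed heuristic: long alphanumeric token, digits mixed in, few vowels."""
    token = name.strip()
    if len(token) < 12 or not token.isalnum():
        return False
    letters = [c for c in token.lower() if c.isalpha()]
    digits = sum(c.isdigit() for c in token)
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return digits >= 2 and vowel_ratio < 0.3


def parse_hjt(text: str) -> List[Entry]:
    """Return every R/F/O entry in the log together with its triage flags."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # log header, "Running processes:" paths, blank lines
        entry = Entry(m["section"], m["body"])
        if any(marker in entry.body for marker in ORPHAN_MARKERS):
            entry.flags.append("orphan")
        if entry.section == "O22" and ":" in entry.body:
            # body = "SharedTaskScheduler: <name> - {CLSID} - <target>"
            name = entry.body.split(":", 1)[1].split(" - ", 1)[0]
            if looks_random(name):
                entry.flags.append("random-name")
        if entry.section == "O16" and IP_HOST_RE.search(entry.body):
            entry.flags.append("ip-host")
        entries.append(entry)
    return entries


def flagged(text: str) -> List[Entry]:
    """Only the entries that tripped at least one rule, in log order."""
    return [e for e in parse_hjt(text) if e.flags]


# Constructed sample: entry lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Alyssa\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.lycos.com/
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155644189618
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_20.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:4} {', '.join(e.flags):20} {e.body}")
```

Orphan entries are also left behind by ordinary uninstalls, so the script narrows the list; the analyst still decides which flagged entries to fix, as the reply above does by naming three specific lines.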
Old 06-16-2008, 09:44 AM   #20
AlyssaM
Registered User
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

Things are going better. My updates are working; I updated my computer 2 days ago. Umm... I don't seem to be getting any more of those annoying popups that I got after all that had happened. And my desktop hasn't disappeared.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3188 (20080615)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=569b06674e678d418dc0ba8fa5796380
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-06-16 02:49:31
# local_time=2008-06-16 10:49:31 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=182634
# found=17
# scan_time=45822
C:\WINDOWS\SYSTEM32\exploit.pl Linux/Exploit.Ipb.A trojan AD94A6EC656B3C14AA484D8694FDFAF1
C:\QooBox\Quarantine\catchme2008-06-14_120308.49.zip a variant of Win32/Adware.Virtumonde application 931BF11B24EF6CE24D31011EC7A1AD9C
C:\QooBox\Quarantine\catchme2008-06-14_120308.49.zip »ZIP »qoMeBrqo.dll a variant of Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\xbqmfsed.exe.vir a variant of Win32/Adware.Vapsup.AJ application BE202F5912E12086D4E17F26656AC6C7
C:\QooBox\Quarantine\C\WINDOWS\eslm.exe.vir a variant of Win32/Adware.Vapsup.AM application B73EAD57D9A00C4917D6BEEA4EB86F57
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkkICtrO.dll.vir probably a variant of Win32/Adware.Virtumonde.FP application 683412E42D838DE7CB773B60466D3C46
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0295733.dll Win32/Wigon.CF trojan C621BA6C705134B62AAF11DE1EC3EE2B
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0297733.dll Win32/Wigon.CF trojan C621BA6C705134B62AAF11DE1EC3EE2B
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0298733.dll Win32/Wigon.CF trojan C621BA6C705134B62AAF11DE1EC3EE2B
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0298748.dll Win32/Wigon.CF trojan C621BA6C705134B62AAF11DE1EC3EE2B
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0298796.dll Win32/Wigon.CF trojan C621BA6C705134B62AAF11DE1EC3EE2B
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1346\A0302119.exe a variant of Win32/Adware.Vapsup.AJ application BE202F5912E12086D4E17F26656AC6C7
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1346\A0302120.dll a variant of Win32/Adware.Virtumonde application 4F2B6B16DB4C6037C79D8A1E5F90286A
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1346\A0302122.dll probably a variant of Win32/Adware.Virtumonde.FP application 683412E42D838DE7CB773B60466D3C46
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1349\A0302852.exe a variant of Win32/Adware.Vapsup.AM application B73EAD57D9A00C4917D6BEEA4EB86F57
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1338\A0300803.dll Win32/Wigon.CF trojan C621BA6C705134B62AAF11DE1EC3EE2B
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1338\snapshot\MFEX-1.DAT Win32/Wigon.CF trojan C621BA6C705134B62AAF11DE1EC3EE2B

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:00 AM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware 2008\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alyssa\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_20.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com/PhotoUpload/Ms...cab?10,0,911,0
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155644189618
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - http://upload.facebook.com/controls/...ploader4_5.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2008\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6149 bytes
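Added example, not code from the thread or from ESET: a Python triage for the ESET Online Scanner log format pasted above. It checks that the scan ran report-only (remove_checked=false, as requested), separates detections already sitting in ComboFix's quarantine (C:\QooBox) or in System Restore snapshots from the one still on the live file system (C:\WINDOWS\SYSTEM32\exploit.pl), and collects the distinct sample hashes. The quarantine and restore-point path rules are my assumptions about those two locations; the log itself does not label them. The sample log is a trimmed copy of the one above with the found count adjusted to the six lines kept.

```python
r"""Triage for an ESET Online Scanner log like the one pasted above.

Added example; not code from the thread or from ESET. The log has
"# key=value" header lines followed by one line per detection:

    <path> [probably ][a variant of ]<Family/Name> <kind> <MD5>

Paths may contain spaces and archive members ("... .zip »ZIP »member.dll"),
so the line is parsed from the right: a 32-hex MD5, a kind word, a
Family/Name token with a slash, and an optional hedge before it.
The "quarantine" / "restore-point" zones are assumptions about two
well-known locations (ComboFix's C:\QooBox and System Restore's
System Volume Information\_restore{...}); everything else is "live".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

DET_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<qualifier>(?:probably )?(?:a variant of )?)"
    r"(?P<threat>\S+/\S+)\s+(?P<kind>\w+)\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
NULL_MD5 = "0" * 32  # printed for archive members the scanner did not hash


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str    # e.g. "Win32/Wigon.CF"
    kind: str      # "trojan", "application", ...
    md5: str
    certain: bool  # False when ESET hedges with "probably" / "a variant of"
    zone: str      # "live", "quarantine" or "restore-point"


def classify_zone(path: str) -> str:
    """Assumed locations: ComboFix quarantine and System Restore snapshots."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"
    if "\\system volume information\\_restore{" in p:
        return "restore-point"
    return "live"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Split the log into its header dictionary and its detection records."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DET_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        detections.append(Detection(
            path=m["path"], threat=m["threat"], kind=m["kind"],
            md5=m["md5"].upper(), certain=(m["qualifier"] == ""),
            zone=classify_zone(m["path"]),
        ))
    return header, detections


def triage(text: str) -> dict:
    """Summarise what still needs action versus what is already contained."""
    header, dets = parse_eset_log(text)
    by_zone = {z: [d for d in dets if d.zone == z]
               for z in ("live", "quarantine", "restore-point")}
    return {
        "report_only": header.get("remove_checked") == "false",
        "count_matches_header": header.get("found") == str(len(dets)),
        "live_paths": [d.path for d in by_zone["live"]],
        "quarantined": len(by_zone["quarantine"]),
        "restore_points": len(by_zone["restore-point"]),
        # distinct hashed samples, ignoring the all-zero placeholder
        "unique_md5": sorted({d.md5 for d in dets if d.md5 != NULL_MD5}),
    }


# Constructed sample: a trimmed copy of the log posted above, with "found"
# adjusted to the six detection lines kept here.
SAMPLE_ESET_LOG = r"""
# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# osver=5.1.2600 NT Service Pack 2
# scanned=182634
# found=6
C:\WINDOWS\SYSTEM32\exploit.pl Linux/Exploit.Ipb.A trojan AD94A6EC656B3C14AA484D8694FDFAF1
C:\QooBox\Quarantine\catchme2008-06-14_120308.49.zip a variant of Win32/Adware.Virtumonde application 931BF11B24EF6CE24D31011EC7A1AD9C
C:\QooBox\Quarantine\catchme2008-06-14_120308.49.zip »ZIP »qoMeBrqo.dll a variant of Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkkICtrO.dll.vir probably a variant of Win32/Adware.Virtumonde.FP application 683412E42D838DE7CB773B60466D3C46
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1337\A0295733.dll Win32/Wigon.CF trojan C621BA6C705134B62AAF11DE1EC3EE2B
C:\System Volume Information\_restore{789BB6A8-3318-4B86-BAB2-86DEB9753979}\RP1338\snapshot\MFEX-1.DAT Win32/Wigon.CF trojan C621BA6C705134B62AAF11DE1EC3EE2B
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ESET_LOG).items():
        print(f"{key}: {value}")
```

The split is what drives the next step: quarantine entries are already inert, restore-point copies go away when System Restore is flushed rather than by deleting files by hand, and the live hit is the one that still needs attention.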
 


Copyright 2001 - 2009, Tech Support Forum