Not open for further replies.

· Registered · 2 Posts
Discussion Starter · #1 ·
Hi all
Can anyone please help?

I keep getting messages from McAfee stating that the following files have been infected. It then says that it has cleaned and deleted these files, but the same deleted/cleaned message keeps appearing. Apart from the win32 one, which it states it cannot clean but gives me the option to quarantine or delete; even after doing this it keeps reappearing.

These are the messages I keep getting from McAfee:

Local Settings\Temporary internet files\content.IE5\N3YVIEEM\mad[1].exe was infected by the spam-mailbot.c trojan has been deleted.

File C:\upate20558381.exe was infected by the spam-mailbot.c trojan and has been deleted. (the updatexxxxxx changes each time)

Local\settings\tempoary internet files\content.IE5\SDKHU3KP\install_config[1].exe is infected by the New Win32 virus and can not be cleaned.

Local settings\Temporary internet files\content.IE5\N3YVIEEM\message[1].exe was infected by the Downloader-AVQ and has been deleted.



I have run the virus scan afterwards and it has found nothing at all, but as soon as I log on the messages keep reappearing.

The only other difference on my PC is that when I first log onto the net, it gives me a message in a grey box saying "I cannot view the web page" and to either continue working offline or to connect. I have tried just closing this, but I am then unable to view any pages at all until I select connect.

I've tried deleting temp files and ran all the checks and deleted what was required on the forum, but still these messages keep coming back and now I'm totally stuck (not that I was too sure in the beginning). Now I'm unsure if I should use mail or MSN. So I'm at a bit of a loose end and would appreciate your help loads.


Logfile of HijackThis v1.99.1
Scan saved at 13:45:30, on 07/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\1133273827\ee\AOLSoftware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\aol\1133273827\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1133273827\ee\aolsoftware.exe
C:\Program Files\AOL\Broadband Assistant\bin\mpbtn.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=33568
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69BE9CBB-53C8-F4C3-7636-00DA74F44D88} - C:\WINDOWS\system32\mrhxaz.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133273827\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [wupdate] rundll32.exe c:\winupdtm.dll,wupdate
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: AOL Broadband Assistant.lnk = C:\Program Files\AOL\Broadband Assistant\bin\matcli.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm227YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://aoluk.midasplayer.com/midasa.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165497993718
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomgames.com/activex/zylomgamesplayer.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86B0D3FB-03FB-4BAF-9BBE-A1B5453CBD14}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 

· Registered · 2,010 Posts
Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.


We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".


regards
alba
 

· Registered · 2,010 Posts
Hello Steveow

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

=================

Please download ATF Cleaner - http://www.atribune.org/ccount/click.php?id=1

=================


Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.


=================



Download combofix from here.

**Save it directly to your desktop**

Go to <<Start>> then <<Run>> then paste in the single line command then click OK

"%userprofile%\desktop\combofix.exe" /v mrhxaz rpcc






When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



===============================================


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

=================

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O2 - BHO: (no name) - {69BE9CBB-53C8-F4C3-7636-00DA74F44D88} - C:\WINDOWS\system32\mrhxaz.dll
O4 - HKLM\..\Run: [wupdate] rundll32.exe c:\winupdtm.dll,wupdate
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm227YYGB
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll



Please remember to close all other windows, including browsers then click Fix checked.

===============================================


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files:
  • c:\winupdtm.dll

=================

ATF Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

=================

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted. **Please ensure it is set to Quarantine, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

=================

Reboot into Normal Mode.


Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Run combofix once again in the following manner:

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




=================

Run a new scan with HijackThis and save the log.

=================

Please include the following in your next reply, in the following order:

ComboFix2.txt
AVG Anti-Spyware's Log
Panda results
ComboFix.txt
New HijackThis log


Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
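As an added illustration (not part of this thread, and not a tool from TSF or the HijackThis project): a small Python triage script that applies the structural checks an analyst uses when picking O2/O4/O20 lines out of a HijackThis log, run over entries copied from the log posted above. The allowlist of Winlogon Notify DLLs is an assumption and deliberately minimal; extend it for your own environment.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity entry reason")

# Entries copied verbatim from the HijackThis log posted earlier in this thread.
# The analyst's "Fix checked" list (mrhxaz.dll, wupdate, rpcc.dll) is our reference.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69BE9CBB-53C8-F4C3-7636-00DA74F44D88} - C:\WINDOWS\system32\mrhxaz.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [wupdate] rundll32.exe c:\winupdtm.dll,wupdate
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm227YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{86B0D3FB-03FB-4BAF-9BBE-A1B5453CBD14}: NameServer = 205.188.146.145
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
""".strip()

# "O4 - <body>": the section code and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.+)$")
# "[name] command" inside an O4 Run entry.
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A DLL sitting directly in a drive root (c:\something.dll) is unusual for
# legitimate software, which installs under Program Files or system32.
ROOT_DLL_RE = re.compile(r"\b[a-z]:\\[^\\\s,]+\.dll\b", re.I)

# Assumption: a minimal allowlist of Winlogon Notify DLLs considered benign.
# Windows XP hides its own defaults from HijackThis; WgaLogon is Microsoft's.
KNOWN_NOTIFY = {"wgalogon.dll"}


def parse(log_text):
    """Yield (section, body, raw_line) for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body"), line.strip()))
    return entries


def triage(log_text):
    """Apply per-section heuristics; 'suspicious' = likely fix, 'review' = confirm by hand."""
    findings = []
    for etype, body, raw in parse(log_text):
        if etype == "O2" and "(no name)" in body:
            # A BHO with no name and a random DLL name is a classic malware pattern.
            findings.append(Finding("suspicious", raw, "BHO with no name"))
        elif etype == "O4":
            m = RUN_RE.search(body)
            if m and m.group("cmd").lower().startswith("rundll32") \
                    and ROOT_DLL_RE.search(m.group("cmd")):
                findings.append(Finding("suspicious", raw,
                                        "rundll32 loading a DLL from a drive root"))
        elif etype == "O20":
            dll = body.rsplit(" - ", 1)[-1].strip()
            if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY:
                # Winlogon Notify DLLs run inside winlogon.exe at every logon,
                # which is why infections keep returning after a cleanup.
                findings.append(Finding("suspicious", raw,
                                        "Winlogon Notify DLL not on the allowlist"))
        elif etype == "O8":
            target = body.rsplit(" - ", 1)[-1].strip().lower()
            if target.startswith(("http://", "https://")):
                findings.append(Finding("review", raw,
                                        "context-menu item points to an external URL"))
        elif etype == "O17":
            findings.append(Finding("review", raw,
                                    "custom NameServer: confirm it belongs to the ISP"))
        elif etype == "O23" and body.endswith("(file missing)"):
            findings.append(Finding("review", raw,
                                    "service points to a missing binary (stale entry)"))
    return findings


def suspicious_entries(log_text):
    """Just the raw lines an analyst would tick for 'Fix checked'."""
    return [f.entry for f in triage(log_text) if f.severity == "suspicious"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.reason}\n             {f.entry}")
```

The three "suspicious" hits on the sample match the entries the analyst asked to be fixed; the "review" items are the ones that need a human judgement (here the O17 NameServer is the dial-up provider's and was left alone).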
 

· Registered · 2 Posts
Discussion Starter · #4 ·
I followed all the instructions and the reports are below:

combofix2:
Steve - 06-12-08 14:43:37.20 Service Pack 2
ComboFix 06-12-01W-BetaE - Running from: "C:\Documents and Settings\Steve\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-08 to 2006-12-08 ))))))))))))))))))))))))))))))))))


2006-12-08 10:21 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-08 08:34 <DIR> d-------- C:\WINDOWS\temp
2006-12-08 08:33 <DIR> d-------- C:\WINNT
2006-12-08 08:07 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-08 07:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-08 07:47 <DIR> d-------- C:\Program Files\Grisoft
2006-12-08 07:44 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2006-12-08 07:43 47,104 --a------ C:\Program Files\ATF-Cleaner.exe
2006-12-07 18:27 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-12-07 18:13 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-12-07 18:13 <DIR> d-------- C:\949f585e7d945aa1b4133e2687
2006-12-07 17:43 <DIR> dr-h----- C:\Documents and Settings\Steve\Recent
2006-12-07 17:29 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL
2006-12-07 17:29 <DIR> d-------- C:\Program Files\Registry Mechanic
2006-12-07 16:56 <DIR> d-------- C:\Program Files\CCleaner
2006-12-07 16:53 <DIR> d-------- C:\WINDOWS\pss
2006-12-07 13:09 <DIR> d-------- C:\Program Files\Trend Micro
2006-12-07 13:01 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-07 13:01 <DIR> d-------- C:\Documents and Settings\Steve\.housecall6.6
2006-12-07 12:52 910,336 --a------ C:\vx2cleaner.dll
2006-12-07 12:52 164,864 --a------ C:\UNWISE.EXE
2006-12-07 12:12 <DIR> d-------- C:\Documents and Settings\Steve\DoctorWeb
2006-12-07 11:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-07 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-06 20:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-12-06 19:29 3,584 -r-hs---- C:\update9531090011505125.exe
2006-12-06 15:40 44,544 --a------ C:\eied_s7_c_231bf2.exe
2006-12-06 15:40 15,872 --a------ C:\wupdmng.dll
2006-11-21 10:28 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SecondLife
2006-11-21 10:27 <DIR> d-------- C:\Program Files\SecondLife
2006-11-21 09:39 <DIR> d-------- C:\Program Files\Trymedia
2006-11-21 09:38 <DIR> d-------- C:\Program Files\Global Star
2006-11-21 09:22 <DIR> d-------- C:\Program Files\Archipelago
2006-11-20 10:10 <DIR> d-------- C:\Program Files\iTunes
2006-11-20 10:06 <DIR> d-------- C:\Program Files\Apple Software Update
2006-11-12 22:09 <DIR> d-------- C:\Program Files\Common Files\xing shared
2006-11-08 19:29 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Motive
2006-11-08 19:09 <DIR> d-------- C:\WINDOWS\Motive
2006-11-08 19:09 <DIR> d-------- C:\Program Files\Common Files\Motive
2006-11-08 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2006-11-08 19:08 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-11-08 19:08 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-11-08 19:08 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-11-08 19:08 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-11-08 19:08 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-11-08 19:08 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-11-08 19:08 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-11-08 19:08 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-11-08 19:08 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-11-08 19:08 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-11-08 19:08 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-11-08 19:08 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-11-08 19:08 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-11-08 19:08 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-11-08 19:08 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-11-08 19:08 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-11-08 19:08 <DIR> d-------- C:\Program Files\Motive


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-08 13:30 -------- d-------- C:\Program Files\QuickTime
2006-12-08 13:21 -------- d-------- C:\Program Files\Common Files\Scanner
2006-12-08 13:19 -------- d-------- C:\Program Files\Common Files\aol
2006-12-08 13:19 -------- d-------- C:\Program Files\AOL 9.0a
2006-12-08 12:39 -------- d-------- C:\Program Files\Windows Media Player
2006-12-08 10:14 9344 --a------ C:\Documents and Settings\Steve\Application Data\wklnhst.dat
2006-12-08 08:45 -------- d-------- C:\Program Files\Hijackthis
2006-12-07 18:09 -------- d-------- C:\Program Files\Outlook Express
2006-12-07 18:09 -------- d-------- C:\Program Files\Internet Explorer
2006-12-07 18:09 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 16:51 -------- d-------- C:\Program Files\iWin.com
2006-12-07 13:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-07 13:18 -------- d-------- C:\Program Files\Java
2006-12-06 22:49 -------- d-------- C:\Program Files\LimeWire
2006-12-06 22:49 -------- d-------- C:\Documents and Settings\Steve\Application Data\LimeWire
2006-11-20 17:07 -------- d-------- C:\Program Files\ShotOnline International
2006-11-20 16:50 -------- d-------- C:\Documents and Settings\Steve\Application Data\AdobeUM
2006-11-20 16:49 -------- d-------- C:\Program Files\Adobe
2006-11-20 15:57 -------- d-------- C:\Documents and Settings\Steve\Application Data\Adobe
2006-11-20 10:10 -------- d-------- C:\Program Files\iPod
2006-11-12 22:11 -------- d-------- C:\Documents and Settings\Steve\Application Data\Real
2006-11-12 22:09 -------- d-------- C:\Program Files\Common Files\Real
2006-11-12 22:09 -------- d-------- C:\Program Files\Common Files
2006-11-08 21:56 -------- d-------- C:\Program Files\My Downloaded Games
2006-11-08 21:51 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-11-08 19:08 -------- d-------- C:\Program Files\AOL
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-01 16:46 -------- d-------- C:\Program Files\Gamescampus
2006-10-29 22:38 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-29 22:37 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 12:24 -------- d-------- C:\Documents and Settings\Steve\Application Data\PlayFirst
2006-10-24 16:22 -------- d---s---- C:\Documents and Settings\Steve\Application Data\Microsoft
2006-10-24 16:22 -------- d-------- C:\Program Files\Microsoft Picture It! 9
2006-10-24 15:03 -------- d-------- C:\Program Files\Microsoft Encarta
2006-10-24 14:55 -------- d-------- C:\Program Files\SlotWords
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 17:28 -------- d-------- C:\Program Files\Microsoft AutoRoute
2006-09-19 15:43 109360 --a------ C:\WINDOWS\system32\GEARAspi.dll
2006-09-18 18:11 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-09-18 18:11 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-09-18 18:11 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-09-18 18:11 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-18 11:02 203264 --a------ C:\WINDOWS\system32\HC.scr
2006-09-13 05:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\ATI-CPanel\\atiptaxx.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1133273827\\ee\\AOLSoftware.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"
"RegistryMechanic"=""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="file:///C:/DOCUME~1/Steve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Steve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,fe,03,00,00,e2,01,00,00,5a,00,00,00,78,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,57,02,f3,99,83,7c,70,9a,80,7c,ff,ff,ff,ff,66,9a,\
80,7c,66,9a,80,7c

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,3e,03,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (1) (WILLIAMS-Steve).job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (WILLIAMS-Steve).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Charlie).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Justine).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Kirsty).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Leah).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Michelle).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Mum).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Steve).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Tanya).job

Completion time: 06-12-08 14:48:21.71
C:\ComboFix2.txt ... 06-12-08 08:37


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:13:16 08/12/2006

+ Scan result:



C:\Documents and Settings\Steve\Desktop\Tropix-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\AgeofSail2Setup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\FamilyFeudIISetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\system.exe -> Downloader.Small.dul : Cleaned with backup (quarantined).
C:\WINDOWS\system32\protector.exe -> Proxy.Wopla.ac : Cleaned with backup (quarantined).


::Report end

Panda scan:


Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\Steve\Favorites\Antivirus Test Online.url
Adware:adware/cws Not disinfected C:\Documents and Settings\Steve\Favorites\Fun & Games
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/surfaccuracy Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Steve\Cookies\[email protected][2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Steve\Cookies\[email protected][2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\Hijackthis\backups\backup-20060613-162316-735.inf
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Downloaded Program Files\pinstall.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\swreg.exe
Possible Virus. Not disinfected C:\wupdmng.dll
ComboFix:
Steve - 06-12-08 7:59:47.57 Service Pack 2
ComboFix 06-12-01W-BetaE - Running from: "C:\Documents and Settings\Steve\desktop"
Command switches used :: /v mrhxaz rpcc

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mrhxaz.dll
C:\WINDOWS\system32\rpcc.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\r.exe
C:\INSTALL.LOG
C:\WINDOWS\system32\aamd532.dll
C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\rpcc.dll


((((((((((((((((((((((((((((((( Files Created from 2006-11-08 to 2006-12-08 ))))))))))))))))))))))))))))))))))


2006-12-08 08:33 <DIR> d-------- C:\WINNT
2006-12-08 08:07 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-08 07:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-08 07:47 <DIR> d-------- C:\Program Files\Grisoft
2006-12-08 07:44 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2006-12-08 07:43 47,104 --a------ C:\Program Files\ATF-Cleaner.exe
2006-12-07 18:27 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-12-07 18:13 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-12-07 18:13 <DIR> d-------- C:\949f585e7d945aa1b4133e2687
2006-12-07 17:43 <DIR> dr-h----- C:\Documents and Settings\Steve\Recent
2006-12-07 17:29 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL
2006-12-07 17:29 <DIR> d-------- C:\Program Files\Registry Mechanic
2006-12-07 16:56 <DIR> d-------- C:\Program Files\CCleaner
2006-12-07 16:53 <DIR> d-------- C:\WINDOWS\pss
2006-12-07 13:09 <DIR> d-------- C:\Program Files\Trend Micro
2006-12-07 13:01 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-07 13:01 <DIR> d-------- C:\Documents and Settings\Steve\.housecall6.6
2006-12-07 12:52 910,336 --a------ C:\vx2cleaner.dll
2006-12-07 12:52 164,864 --a------ C:\UNWISE.EXE
2006-12-07 12:12 <DIR> d-------- C:\Documents and Settings\Steve\DoctorWeb
2006-12-07 11:24 15,360 --a------ C:\WINDOWS\system32\protector.exe
2006-12-07 11:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-07 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-06 20:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-12-06 19:29 3,584 -r-hs---- C:\update9531090011505125.exe
2006-12-06 15:40 45,568 --a------ C:\winupdtm.dll
2006-12-06 15:40 44,544 --a------ C:\eied_s7_c_231bf2.exe
2006-12-06 15:40 15,872 --a------ C:\wupdmng.dll
2006-11-21 10:28 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SecondLife
2006-11-21 10:27 <DIR> d-------- C:\Program Files\SecondLife
2006-11-21 09:39 <DIR> d-------- C:\Program Files\Trymedia
2006-11-21 09:38 <DIR> d-------- C:\Program Files\Global Star
2006-11-21 09:22 <DIR> d-------- C:\Program Files\Archipelago
2006-11-20 10:10 <DIR> d-------- C:\Program Files\iTunes
2006-11-20 10:06 <DIR> d-------- C:\Program Files\Apple Software Update
2006-11-12 22:09 <DIR> d-------- C:\Program Files\Common Files\xing shared
2006-11-08 19:29 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Motive
2006-11-08 19:09 <DIR> d-------- C:\WINDOWS\Motive
2006-11-08 19:09 <DIR> d-------- C:\Program Files\Common Files\Motive
2006-11-08 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2006-11-08 19:08 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-11-08 19:08 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-11-08 19:08 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-11-08 19:08 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-11-08 19:08 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-11-08 19:08 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-11-08 19:08 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-11-08 19:08 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-11-08 19:08 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-11-08 19:08 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-11-08 19:08 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-11-08 19:08 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-11-08 19:08 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-11-08 19:08 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-11-08 19:08 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-11-08 19:08 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-11-08 19:08 <DIR> d-------- C:\Program Files\Motive


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-08 07:59 9344 --a------ C:\Documents and Settings\Steve\Application Data\wklnhst.dat
2006-12-07 18:16 -------- d-------- C:\Program Files\Windows Media Player
2006-12-07 18:09 -------- d-------- C:\Program Files\Outlook Express
2006-12-07 18:09 -------- d-------- C:\Program Files\Internet Explorer
2006-12-07 18:09 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 16:51 -------- d-------- C:\Program Files\iWin.com
2006-12-07 13:45 -------- d-------- C:\Program Files\Hijackthis
2006-12-07 13:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-07 13:18 -------- d-------- C:\Program Files\Java
2006-12-07 13:01 -------- d-------- C:\Program Files\AOL 9.0a
2006-12-06 22:49 -------- d-------- C:\Program Files\LimeWire
2006-12-06 22:49 -------- d-------- C:\Documents and Settings\Steve\Application Data\LimeWire
2006-11-20 17:07 -------- d-------- C:\Program Files\ShotOnline International
2006-11-20 16:50 -------- d-------- C:\Documents and Settings\Steve\Application Data\AdobeUM
2006-11-20 16:49 -------- d-------- C:\Program Files\Adobe
2006-11-20 15:57 -------- d-------- C:\Documents and Settings\Steve\Application Data\Adobe
2006-11-20 10:10 -------- d-------- C:\Program Files\iPod
2006-11-20 10:09 -------- d-------- C:\Program Files\QuickTime
2006-11-12 22:11 -------- d-------- C:\Documents and Settings\Steve\Application Data\Real
2006-11-12 22:09 -------- d-------- C:\Program Files\Common Files\Real
2006-11-12 22:09 -------- d-------- C:\Program Files\Common Files
2006-11-08 21:56 -------- d-------- C:\Program Files\My Downloaded Games
2006-11-08 21:51 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-11-08 19:08 -------- d-------- C:\Program Files\AOL
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-01 16:46 -------- d-------- C:\Program Files\Gamescampus
2006-10-30 17:34 1709 --a------ C:\system.exe
2006-10-29 22:38 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-29 22:37 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 12:24 -------- d-------- C:\Documents and Settings\Steve\Application Data\PlayFirst
2006-10-24 16:22 -------- d---s---- C:\Documents and Settings\Steve\Application Data\Microsoft
2006-10-24 16:22 -------- d-------- C:\Program Files\Microsoft Picture It! 9
2006-10-24 15:03 -------- d-------- C:\Program Files\Microsoft Encarta
2006-10-24 14:55 -------- d-------- C:\Program Files\SlotWords
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 17:28 -------- d-------- C:\Program Files\Microsoft AutoRoute
2006-09-19 15:43 109360 --a------ C:\WINDOWS\system32\GEARAspi.dll
2006-09-18 18:11 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-09-18 18:11 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-09-18 18:11 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-09-18 18:11 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-18 11:02 203264 --a------ C:\WINDOWS\system32\HC.scr
2006-09-13 05:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\ATI-CPanel\\atiptaxx.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1133273827\\ee\\AOLSoftware.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"wupdate"="rundll32.exe c:\\winupdtm.dll,wupdate"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"
"RegistryMechanic"=""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="file:///C:/DOCUME~1/Steve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Steve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,fe,03,00,00,e2,01,00,00,5a,00,00,00,78,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,57,02,f3,99,83,7c,70,9a,80,7c,ff,ff,ff,ff,66,9a,\
80,7c,66,9a,80,7c

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,3e,03,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (1) (WILLIAMS-Steve).job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (WILLIAMS-Steve).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Charlie).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Justine).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Kirsty).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Leah).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Michelle).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Mum).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Steve).job
C:\WINDOWS\tasks\McAfee.com Update Check (WILLIAMS-Tanya).job

Completion time: 06-12-08 8:34:37.35

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:59, on 09/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\1133273827\ee\AOLSoftware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\common files\aol\1133273827\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1133273827\ee\aolsoftware.exe
C:\Program Files\AOL\Broadband Assistant\bin\mpbtn.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=33568
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133273827\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: AOL Broadband Assistant.lnk = C:\Program Files\AOL\Broadband Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://aoluk.midasplayer.com/midasa.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165497993718
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomgames.com/activex/zylomgamesplayer.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86B0D3FB-03FB-4BAF-9BBE-A1B5453CBD14}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


I only had one problem while doing the Panda scan, when my PC rebooted itself, but I was able to complete the scan with no problems on the 2nd attempt.

My PC is running fine, and all applications are working as normal. The messages that I was getting about New Win32 and the others have now stopped.
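One way to cross-reference the three reports above in code, as an added example rather than anything from this thread or from ComboFix, Panda or AVG: it parses the ComboFix "Files Created"/"Find3M" rows, the Panda "Not disinfected" rows and the AVG report rows, then flags recently created files that are either already detected or have a suspicious shape (hidden+system attributes, an executable in the drive root, or the rotating update<digits>.exe name from the McAfee alerts). The regular expressions, heuristics and reason strings are my own assumptions about the log formats as they appear above; the sample rows are copied from the logs in this post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One row of the ComboFix "Files Created" or "Find3M" section, e.g.
#   2006-12-06 19:29 3,584 -r-hs---- C:\update9531090011505125.exe
#   2006-12-08 08:33 <DIR> d-------- C:\WINNT
# (format assumed from the rows in this thread)
COMBOFIX_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)|<DIR>|-+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*?)\s*$"
)
# One Panda ActiveScan row: "<incident> Not disinfected <location>"
PANDA_LINE = re.compile(r"^(?P<incident>.+?)\s+Not disinfected\s+(?P<location>\S.*?)\s*$")
# One AVG Anti-Spyware row: "<path> -> <name> : <action>."
AVG_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?\s*$")

DRIVE_ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:exe|dll|scr|com)$", re.IGNORECASE)
# The McAfee alerts quoted at the top of the thread name C:\update<digits>.exe
# with a different number each time.
ROTATING_UPDATE_NAME = re.compile(r"^[A-Za-z]:\\update\d+\.exe$", re.IGNORECASE)

REASON_HIDDEN_SYSTEM = "hidden+system attributes on a recently created file"
REASON_DRIVE_ROOT = "executable dropped in the drive root"
REASON_ROTATING_NAME = "matches the rotating update<digits>.exe name from the McAfee alerts"


@dataclass
class CreatedFile:
    date: str
    time: str
    size: Optional[int]  # None for directories and Find3M rows without a size
    attrs: str           # ComboFix attribute string, e.g. "-r-hs----"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_combofix(lines: Iterable[str]) -> List[CreatedFile]:
    """Keep only rows that look like ComboFix file listings; skip headers."""
    entries = []
    for line in lines:
        m = COMBOFIX_LINE.match(line.strip())
        if not m:
            continue
        size = int(m["size"].replace(",", "")) if m["size"] else None
        entries.append(CreatedFile(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def parse_panda(lines: Iterable[str]) -> Dict[str, str]:
    """Map each reported location (lower-cased) to Panda's incident label."""
    found = {}
    for line in lines:
        m = PANDA_LINE.match(line.strip())
        if m:
            found[m["location"].lower()] = m["incident"]
    return found


def parse_avg(lines: Iterable[str]) -> Dict[str, str]:
    """Map each path (lower-cased) to 'name (action)' from the AVG report."""
    found = {}
    for line in lines:
        m = AVG_LINE.match(line.strip())
        if m:
            found[m["path"].lower()] = f"{m['name']} ({m['action']})"
    return found


def heuristic_reasons(entry: CreatedFile) -> List[str]:
    """Flag a file whose shape is suspicious regardless of any scanner verdict."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    if "h" in entry.attrs and "s" in entry.attrs:
        reasons.append(REASON_HIDDEN_SYSTEM)
    if DRIVE_ROOT_EXE.match(entry.path):
        reasons.append(REASON_DRIVE_ROOT)
    if ROTATING_UPDATE_NAME.match(entry.path):
        reasons.append(REASON_ROTATING_NAME)
    return reasons


def triage(combofix_lines, panda_lines, avg_lines) -> Dict[str, List[str]]:
    """Cross-reference the three reports; keys are lower-cased paths/locations."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for entry in parse_combofix(combofix_lines):
        for reason in heuristic_reasons(entry):
            findings[entry.path.lower()].append(reason)
    for location, incident in parse_panda(panda_lines).items():
        findings[location].append(f"Panda: {incident}")
    for path, verdict in parse_avg(avg_lines).items():
        findings[path].append(f"AVG Anti-Spyware: {verdict}")
    return dict(findings)


# Sample rows copied from the logs posted in this thread.
COMBOFIX_SAMPLE = [
    r"2006-12-08 08:33 <DIR> d-------- C:\WINNT",
    r"2006-12-07 11:24 15,360 --a------ C:\WINDOWS\system32\protector.exe",
    r"2006-12-06 19:29 3,584 -r-hs---- C:\update9531090011505125.exe",
    r"2006-12-06 15:40 45,568 --a------ C:\winupdtm.dll",
    r"2006-12-06 15:40 15,872 --a------ C:\wupdmng.dll",
    r"2006-11-08 19:08 947,472 --a------ C:\WINDOWS\system32\msjava.dll",
    r"2006-12-07 18:16 -------- d-------- C:\Program Files\Windows Media Player",
]
PANDA_SAMPLE = [
    r"Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Downloaded Program Files\pinstall.dll",
    r"Possible Virus. Not disinfected C:\wupdmng.dll",
    r"Adware:adware/dyfuca Not disinfected Windows Registry",
]
AVG_SAMPLE = [
    r"C:\WINDOWS\system32\protector.exe -> Proxy.Wopla.ac : Cleaned with backup (quarantined).",
    r"C:\system.exe -> Downloader.Small.dul : Cleaned with backup (quarantined).",
]

if __name__ == "__main__":
    for path, reasons in sorted(triage(COMBOFIX_SAMPLE, PANDA_SAMPLE, AVG_SAMPLE).items()):
        print(path, "->", "; ".join(reasons))
```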

· Registered
Joined
·
2,010 Posts
Hi Steveow,
I apologise for the delay in replying; there is still a bit of cleaning to do.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

=================

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

=================

Download this FxNetOpt and run it.

Download this ISTbar Removal Tool and run it.


===============================================

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

===============================================

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

=================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Go to Start > Run and Copy and Paste: regsvr32 /u occache.dll and click 'OK'.

Locate and delete the following folders, if present:
  • C:\Documents and Settings\Steve\Favorites\Fun & Games

Locate and delete the following files:
  • C:\update9531090011505125.exe
  • C:\winupdtm.dll
  • C:\eied_s7_c_231bf2.exe
  • C:\wupdmng.dll
  • C:\WINDOWS\system32\protector.exe
  • C:\WINDOWS\Downloaded Program Files\pinstall.dll
  • C:\Documents and Settings\Steve\Favorites\Antivirus Test Online.url

Go to Start > Run and Copy and Paste: regsvr32 occache.dll and click 'OK'.

=================

Next go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

=================

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following bolded text into Notepad:


REGEDIT4

[-hkey_classes_root\clsid\{07B18EA9-A523-4961-B6BB-170DE4475CCA}]



Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


=================

REBOOT TO NORMAL MODE


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

=================

Run combofix once again in the following manner:

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

=================

Please Run a scan with HiJackThis and save the log

===============================================

In your next post, please include fresh logs from:
  1. C:\rapport.txt
  2. Online scan
  3. ComboFix.txt
  4. HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
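As an added example (not part of the thread and not one of the helper's tools), the following read-only PowerShell script checks whether the artifacts named in the instructions above are still present, so the outcome of the cleanup can be verified before and after the steps are carried out. It assumes PowerShell 2.0 or later, the profile name "Steve" used in the post, and that Active Desktop web items are stored under the Internet Explorer Desktop\Components key (that location is an assumption, marked in the code); file paths and the CLSID are taken from the post.

```powershell
# Added example, not from the forum post: a read-only check of the artifacts
# named in the cleanup instructions, to be run before and after the steps.
# Assumes PowerShell 2.0+ and the profile name "Steve" from the post.
$profileDir = 'C:\Documents and Settings\Steve'

# File and folder paths exactly as listed in the post.
$artifactFiles = @(
    'C:\update9531090011505125.exe',
    'C:\winupdtm.dll',
    'C:\eied_s7_c_231bf2.exe',
    'C:\wupdmng.dll',
    'C:\WINDOWS\system32\protector.exe',
    'C:\WINDOWS\Downloaded Program Files\pinstall.dll',
    (Join-Path $profileDir 'Favorites\Antivirus Test Online.url')
)
$artifactFolders = @( (Join-Path $profileDir 'Favorites\Fun & Games') )
# CLSID that the delete.reg file in the post removes.
$clsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}'

function Get-Sha256Hex([string]$Path) {
    # SHA256Managed is in .NET 2.0, so this also works on PowerShell 2.0,
    # which has no Get-FileHash cmdlet.
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($Path)
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-CleanupArtifactStatus {
    # One record per listed file, folder and registry key: present or not,
    # plus size and SHA-256 for files so a report can be matched later.
    $results = @()
    foreach ($f in $artifactFiles) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f -Force
            $results += New-Object PSObject -Property @{
                Kind = 'File'; Path = $f; Present = $true
                Detail = ('size={0} sha256={1}' -f $item.Length, (Get-Sha256Hex $f))
            }
        } else {
            $results += New-Object PSObject -Property @{ Kind = 'File'; Path = $f; Present = $false; Detail = '' }
        }
    }
    foreach ($d in $artifactFolders) {
        $results += New-Object PSObject -Property @{
            Kind = 'Folder'; Path = $d; Present = (Test-Path -LiteralPath $d -PathType Container); Detail = ''
        }
    }
    $results += New-Object PSObject -Property @{
        Kind = 'RegKey'; Path = $clsidKey; Present = (Test-Path -LiteralPath $clsidKey); Detail = ''
    }
    return $results
}

function Get-HiddenFileViewSettings {
    # Explorer's "Show hidden files", "Hide extensions" and "Hide protected
    # operating system files" options, as the post asks them to be set.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    New-Object PSObject -Property @{
        ShowHiddenFiles      = ($adv.Hidden -eq 1)           # post: tick "Show hidden files"
        ShowFileExtensions   = ($adv.HideFileExt -eq 0)      # post: untick "Hide file extensions"
        ShowProtectedOsFiles = ($adv.ShowSuperHidden -eq 1)  # post: untick "Hide protected OS files"
    }
}

function Get-ActiveDesktopComponents {
    # Assumption: the Active Desktop web items the post removes via
    # Customize Desktop > Web are stored under this key, one subkey per item.
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{ Name = $p.FriendlyName; Source = $p.Source }
    }
}

Get-CleanupArtifactStatus | Format-Table Kind, Present, Path, Detail -AutoSize
Get-HiddenFileViewSettings | Format-List
Get-ActiveDesktopComponents | Format-Table -AutoSize
```

Running it once before the steps and once after the final reboot gives a before/after record of exactly which listed items were removed; anything still reported as present after the cleanup is what to mention in the next reply alongside the requested logs.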
 