
Registered · 6 Posts · Discussion Starter #1
I need some help with Virtumonde... I have some serious, serious problems with my PC right now... I'm wondering if this is the culprit... it seems to be the only thing Ad-Aware and MS AntiSpyware can't get rid of... any help would be appreciated. Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:50:52 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\program files\iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\Dit.exe
C:\Eric\Spyware Tools\MS\gcasServ.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Eric\Spyware Tools\MS\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Eric\Spyware Tools\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
R3 - URLSearchHook: (no name) - {F8FAC2AD-9558-CC60-470F-6679CD8E1B6A} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\mlljk.dll
O3 - Toolbar: (no name) - {3BA619EB-00EE-4BFD-B82E-14C467926CB7} - (no file)
O3 - Toolbar: (no name) - {9F29DC6E-F66C-464A-93DE-DF41DC70F1FE} - (no file)
O3 - Toolbar: (no name) - {820D1A6E-2E8E-B42B-9DFC-5CBC0CC81B24} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Eric\LOCALS~1\Temp\app3C.tmp
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Iomega Drive Icons] c:\program files\iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [EOYJTBLV] C:\WINDOWS\EOYJTBLV.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Deskup] c:\program files\iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [COALSOFTWARE] C:\PROGRA~1\comp barb face\pure aim settings.exe
O4 - HKLM\..\Run: [CNXISAK] C:\WINDOWS\CNXISAK.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Eric\Spyware Tools\MS\gcasServ.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://webmail.chi.ddb.com/iNotes6.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks in advance... you guys are life savers.
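As an added example (not code from this thread, from HijackThis or from the helper), the script below applies the checks a helper makes by eye on the log above: the O20 Winlogon Notify DLL that is also an O2 BHO, the O4 autorun launched from a Temp folder, the random-looking executables in C:\WINDOWS, the O15 Trusted Zone addition, the R1 proxy, and entries whose file is already gone. The sample lines are copied from the first HJT log; the severity labels and the random-name heuristic are my own assumptions.

```python
"""Triage a HijackThis 1.99.1 log for the Virtumonde (Vundo) pattern above.

Added example for this thread, not HijackThis code and not the helper's own
tooling. It applies the checks a helper makes by eye: an O20 Winlogon Notify
DLL that is also an O2 BHO, O4 autoruns launched from a Temp folder, randomly
named executables dropped straight into the Windows folder, O15 Trusted Zone
additions, an R1 proxy, and entries whose file is already gone. Severity
labels and the random-name heuristic are assumptions, not HJT rules.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section detail")
SEVERITY_RANK = {"high": 0, "medium": 1, "review": 2, "low": 3}

# An HJT entry line starts with its section code: "O20 - Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# First Windows path ending in a payload-type extension (paths may contain spaces)
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|tmp|ocx)\b", re.I)
# 6-10 uppercase letters as a file name directly under the Windows folder
RANDOM_WINDIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[A-Z]{6,10}\.exe$")
URL_RE = re.compile(r"https?://\S+")

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R3 - URLSearchHook: (no name) - {F8FAC2AD-9558-CC60-470F-6679CD8E1B6A} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\mlljk.dll
O3 - Toolbar: (no name) - {3BA619EB-00EE-4BFD-B82E-14C467926CB7} - (no file)
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Eric\LOCALS~1\Temp\app3C.tmp
O4 - HKLM\..\Run: [EOYJTBLV] C:\WINDOWS\EOYJTBLV.exe
O4 - HKLM\..\Run: [CNXISAK] C:\WINDOWS\CNXISAK.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Eric\Spyware Tools\MS\gcasServ.exe"
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# Constructed sample of the state after SpySweeper quarantined the DLL: the
# registry entries survive and now read "(file missing)", as in the second log.
SAMPLE_AFTER = r"""
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\mlljk.dll (file missing)
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Eric\LOCALS~1\Temp\app3C.tmp
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
"""


def parse_entries(log_text):
    """Return (section, body) pairs; header and 'Running processes' lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def first_path(body):
    """Return the first file path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage(log_text):
    """Return findings sorted by severity; an empty list means nothing stood out."""
    entries = parse_entries(log_text)
    # Vundo registers the same DLL as a BHO (O2) and as a Winlogon Notify
    # package (O20), so it is loaded before any desktop tool can delete it.
    bho_dlls = {p.lower() for p in (first_path(b) for s, b in entries if s == "O2") if p}
    findings = []
    for sec, body in entries:
        path = first_path(body)
        low = path.lower() if path else ""
        if "(file missing)" in body or "(no file)" in body:
            # Payload gone (quarantined or never there): the registry reference
            # still needs fixing, but it is no longer an active load point.
            findings.append(Finding("low", sec, "entry points at a file that is gone: " + body))
        elif sec == "O20" and low in bho_dlls:
            findings.append(Finding("high", sec, "Winlogon Notify DLL is also a BHO: " + path))
        elif sec == "O4" and "\\temp\\" in low:
            findings.append(Finding("high", sec, "autorun launched from a Temp folder: " + path))
        elif sec == "O4" and path and RANDOM_WINDIR_RE.match(path):
            findings.append(Finding("review", sec, "random-looking executable in the Windows folder: " + path))
        elif sec == "O15":
            m = URL_RE.search(body)
            findings.append(Finding("medium", sec, "site added to the Trusted Zone: " + (m.group(0) if m else body)))
        elif sec == "R1" and "ProxyServer" in body:
            findings.append(Finding("review", sec, "proxy set in IE: " + body.split("=", 1)[-1].strip()))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_BEFORE):
        print(f"[{f.severity:6}] {f.section:4} {f.detail}")
```

Run against the post-cleanup sample, the mlljk.dll entries drop to "low" because the file is gone, while the Temp-folder autorun stays "high": the quarantine removed the payload but not the load points a helper would still have HijackThis fix.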

TSF Security Manager, Emeritus · 52,197 Posts
Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions. Exit the program after you have updated.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Please disable Microsoft AntiSpyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the Microsoft AntiSpyware icon located in the system tray
  • Click on Security Agents Status (Enabled)
  • Click on Disable Real-time Protection

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Reboot your computer into Safe Mode.
Restart your computer and continually tap the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit Enter.

Launch & use the diagnostic version of SpySweeper & configure it as follows:
  • Click on the Start button
  • After it has finished scanning, click the Next button
  • Allow SpySweeper to reboot your machine to remove the infected files.
  • Reboot back to Normal Mode

Launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

IMPORTANT - do not use your computer as you scan.

Registered · 6 Posts · Discussion Starter #3
SpySweeper results

Here's what SpySweeper logged:

********
6:54 PM: | Start of Session, Monday, October 31, 2005 |
6:54 PM: Spy Sweeper started
6:54 PM: Sweep initiated using definitions version 564
6:54 PM: Starting Memory Sweep
6:55 PM: Found Adware: virtumonde
6:55 PM: Detected running threat: C:\WINDOWS\system32\mlljk.dll (ID = 77)
6:55 PM: Memory Sweep Complete, Elapsed Time: 00:00:53
6:55 PM: Starting Registry Sweep
6:55 PM: Found Trojan Horse: 2nd-thought
6:55 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
6:55 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
6:55 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
6:55 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
6:55 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
6:55 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
6:55 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
6:55 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
6:55 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
6:55 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
6:55 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
6:55 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
6:55 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
6:55 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
6:55 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
6:55 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
6:55 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
6:55 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
6:55 PM: Found Adware: addestroyer
6:55 PM: HKCR\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 102730)
6:55 PM: HKCR\interface\{545f6b24-9fa2-411f-96fb-d9cc5fd6cf5c}\ (8 subtraces) (ID = 102731)
6:55 PM: HKCR\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 102733)
6:55 PM: HKLM\software\classes\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 102739)
6:55 PM: HKLM\software\classes\interface\{545f6b24-9fa2-411f-96fb-d9cc5fd6cf5c}\ (8 subtraces) (ID = 102740)
6:55 PM: HKLM\software\classes\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 102742)
6:55 PM: HKLM\software\classes\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (18 subtraces) (ID = 102746)
6:55 PM: HKCR\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (18 subtraces) (ID = 102750)
6:55 PM: Found Adware: bookedspace
6:55 PM: HKLM\software\configuration manager\cfgmgr52\ (452 subtraces) (ID = 104873)
6:55 PM: Found Adware: delfin
6:55 PM: HKLM\software\dsi\ (2 subtraces) (ID = 124852)
6:55 PM: Found Adware: deltaclick
6:55 PM: HKCR\interface\{2d5b230a-4c9b-43cb-ae84-697cfab0d6d1}\ (8 subtraces) (ID = 124904)
6:55 PM: Found Adware: eplugin
6:55 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/eplugin.ocx\ (2 subtraces) (ID = 125818)
6:55 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\eplugin.ocx (ID = 125820)
6:55 PM: Found Adware: isearch toolbar
6:55 PM: HKU\.default\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129018)
6:55 PM: Found Adware: multidial
6:55 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\unidist.ocx (ID = 135372)
6:55 PM: Found Adware: purityscan
6:55 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
6:55 PM: Found Adware: websearch toolbar
6:55 PM: HKLM\software\microsoft\windows\currentversion\installer\userdata\aui\ (1 subtraces) (ID = 146479)
6:55 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/qdow.dll\ (2 subtraces) (ID = 146481)
6:55 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\qdow.dll (ID = 146496)
6:55 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
6:55 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
6:55 PM: HKCR\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749140)
6:55 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
6:55 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
6:55 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (ID = 749160)
6:55 PM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749166)
6:55 PM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\progid\ (1 subtraces) (ID = 749172)
6:55 PM: HKU\WRSS_Profile_S-1-5-21-2376740472-357967339-2079644369-1007\software\stc\ (ID = 102020)
6:55 PM: Found Adware: browseraid
6:55 PM: HKU\WRSS_Profile_S-1-5-21-2376740472-357967339-2079644369-1007\software\microsoft\windows\currentversion\updt\ (1 subtraces) (ID = 105189)
6:55 PM: Found Adware: clocksync
6:55 PM: HKU\WRSS_Profile_S-1-5-21-2376740472-357967339-2079644369-1007\software\microsoft\windows\currentversion\run\ || clocksync (ID = 106141)
6:55 PM: Found Adware: cws-aboutblank
6:55 PM: HKU\WRSS_Profile_S-1-5-21-2376740472-357967339-2079644369-1007\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
6:55 PM: HKU\WRSS_Profile_S-1-5-21-2376740472-357967339-2079644369-1007\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
6:55 PM: HKU\WRSS_Profile_S-1-5-21-2376740472-357967339-2079644369-1007\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129028)
6:55 PM: Found Adware: sidesearch
6:55 PM: HKU\WRSS_Profile_S-1-5-21-2376740472-357967339-2079644369-1007\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
6:55 PM: HKU\WRSS_Profile_S-1-5-21-2376740472-357967339-2079644369-1007\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
6:55 PM: HKU\S-1-5-21-2376740472-357967339-2079644369-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129028)
6:55 PM: Found Adware: mirar webband
6:55 PM: HKU\S-1-5-21-2376740472-357967339-2079644369-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
6:55 PM: HKU\S-1-5-21-2376740472-357967339-2079644369-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
6:55 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129028)
6:55 PM: Registry Sweep Complete, Elapsed Time:00:00:20
6:56 PM: Starting Cookie Sweep
6:56 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:56 PM: Starting File Sweep
6:57 PM: c:\windows\cfgmgr52 (84 subtraces) (ID = -2147479590)
6:57 PM: c:\documents and settings\gleenda\application data\{2cf0b992-5eeb-4143-99c0-5297ef71f444} (ID = -2147481310)
6:58 PM: Found Adware: cydoor peer-to-peer dependency
6:58 PM: cd_clint.dll (ID = 57300)
7:02 PM: inneradinstall.log (ID = 49035)
7:04 PM: Found Adware: tvmedia
7:04 PM: tvmknwrd.dll (ID = 81726)
7:05 PM: Found Adware: shopathomeselect
7:05 PM: 213fv51f.dat (ID = 121494)
7:05 PM: 3rmfk7qd.dat (ID = 159521)
7:05 PM: 4d7chk78.dat (ID = 121494)
7:05 PM: Found Adware: lopdotcom
7:05 PM: hzcvdwli.exe (ID = 147722)
7:05 PM: Found Adware: instant access
7:05 PM: tmlpcert2005 (ID = 63918)
7:06 PM: Found Adware: downloadware
7:06 PM: activeinstall2.inf (ID = 131020)
7:06 PM: Found Adware: abetterinternet
7:06 PM: belt.inf (ID = 83154)
7:06 PM: File Sweep Complete, Elapsed Time: 00:10:49
7:06 PM: Full Sweep has completed. Elapsed time 00:12:18
7:06 PM: Traces Found: 1022
7:07 PM: Removal process initiated
7:07 PM: Quarantining All Traces: virtumonde
7:07 PM: virtumonde is in use. It will be removed on reboot.
7:07 PM: C:\WINDOWS\system32\mlljk.dll is in use. It will be removed on reboot.
7:07 PM: Quarantining All Traces: 2nd-thought
7:08 PM: Quarantining All Traces: addestroyer
7:08 PM: Quarantining All Traces: bookedspace
7:09 PM: Quarantining All Traces: delfin
7:09 PM: Quarantining All Traces: deltaclick
7:09 PM: Quarantining All Traces: eplugin
7:09 PM: Quarantining All Traces: isearch toolbar
7:10 PM: Quarantining All Traces: multidial
7:10 PM: Quarantining All Traces: purityscan
7:10 PM: Quarantining All Traces: websearch toolbar
7:10 PM: Quarantining All Traces: browseraid
7:10 PM: Quarantining All Traces: clocksync
7:10 PM: Quarantining All Traces: cws-aboutblank
7:11 PM: Quarantining All Traces: sidesearch
7:11 PM: Quarantining All Traces: mirar webband
7:12 PM: Quarantining All Traces: cydoor peer-to-peer dependency
7:12 PM: Quarantining All Traces: tvmedia
7:12 PM: Quarantining All Traces: shopathomeselect
7:12 PM: Quarantining All Traces: lopdotcom
7:12 PM: Quarantining All Traces: instant access
7:12 PM: Quarantining All Traces: downloadware
7:12 PM: Quarantining All Traces: abetterinternet
7:13 PM: Preparing to restart your computer. Please wait...
7:13 PM: Removal process completed. Elapsed time 00:05:55
********
6:42 PM: | Start of Session, Monday, October 31, 2005 |
6:42 PM: Spy Sweeper started
6:43 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
6:45 PM: Your spyware definitions have been updated.
6:54 PM: Program Version 4.5.5 (Build 607) Using Spyware Definitions 564
6:54 PM: | End of Session, Monday, October 31, 2005 |


HJT LOG:
Logfile of HijackThis v1.99.1
Scan saved at 7:23:51 PM, on 10/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\program files\iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DitExp.exe
C:\Eric\Spyware Tools\MS\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Eric\Spyware Tools\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
R3 - URLSearchHook: (no name) - {F8FAC2AD-9558-CC60-470F-6679CD8E1B6A} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\mlljk.dll (file missing)
O3 - Toolbar: (no name) - {3BA619EB-00EE-4BFD-B82E-14C467926CB7} - (no file)
O3 - Toolbar: (no name) - {9F29DC6E-F66C-464A-93DE-DF41DC70F1FE} - (no file)
O3 - Toolbar: (no name) - {820D1A6E-2E8E-B42B-9DFC-5CBC0CC81B24} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Eric\LOCALS~1\Temp\app3C.tmp
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Iomega Drive Icons] c:\program files\iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [EOYJTBLV] C:\WINDOWS\EOYJTBLV.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Deskup] c:\program files\iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [COALSOFTWARE] C:\PROGRA~1\comp barb face\pure aim settings.exe
O4 - HKLM\..\Run: [CNXISAK] C:\WINDOWS\CNXISAK.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Eric\Spyware Tools\MS\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://webmail.chi.ddb.com/iNotes6.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

The PC still seems to be slow but that could be a result of other things. Should I perform another SpySweeper scan to confirm that I'm clean?

BTW TetonBob, many thanks for your assistance here. Nice to know people are out there that care enough to help with stuff like this. Thanks.

I know there are no programs that can ensure a PC will stay clean, but do you recommend any specifically? Is it better to purchase one, like the full version of Webroot SpySweeper, or stick with freebies like Ad-Aware? I haven't seen any freebies catch nasties to the extent that Webroot did.

Happily awaiting your further expertise....

Discussion Starter #4 (Registered, 6 Posts):
uh-oh...

tetonbob,

my PC just restarted by itself without any warning...any ideas what might be causing this?

TSF Security Manager, Emeritus (52,197 Posts):
Now it's on to round two...you were severely infected. I'm very impressed with Webroot's Spy Sweeper. I generally stick with Ad-Aware and Spybot, but if you're not averse to paying for a great product, this would be one. Let's worry about that later, though.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {F8FAC2AD-9558-CC60-470F-6679CD8E1B6A} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\mlljk.dll (file missing)
O3 - Toolbar: (no name) - {3BA619EB-00EE-4BFD-B82E-14C467926CB7} - (no file)
O3 - Toolbar: (no name) - {9F29DC6E-F66C-464A-93DE-DF41DC70F1FE} - (no file)
O3 - Toolbar: (no name) - {820D1A6E-2E8E-B42B-9DFC-5CBC0CC81B24} - (no file)
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Eric\LOCALS~1\Temp\app3C.tmp
O4 - HKLM\..\Run: [EOYJTBLV] C:\WINDOWS\EOYJTBLV.exe
O4 - HKLM\..\Run: [COALSOFTWARE] C:\PROGRA~1\comp barb face\pure aim settings.exe
O4 - HKLM\..\Run: [CNXISAK] C:\WINDOWS\CNXISAK.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)



Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\EOYJTBLV.exe
C:\PROGRAM FILES\comp barb face
C:\WINDOWS\CNXISAK.exe


Restart in normal mode.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Choose Save, NOT run, and save to your desktop
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.



Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Restart and run a new HijackThis scan. Save the log file and post it here.

Download fl.zip
Extract the contents to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply

Please return with results from:

Ewido
Antispyware.log
Panda ActiveScan
Findlop.txt
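The "fix checked" list above was built by reading the HijackThis log by eye: dead registrations marked "(file missing)" or "(no file)", an autorun pointing into a Temp folder, autorun names that look machine-generated, and a site added to IE's Trusted Zone. The following Python script is an added example, not part of this thread and not HijackThis's own code; it applies those same triage rules to a constructed sample made of lines copied from the log posted earlier, with a few benign entries left in for contrast. The vowel-ratio threshold in `looks_generated` and the Temp-path pattern are my own assumptions, chosen to match the entries in this log, not a published rule.

```python
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread,
# plus benign entries (nwiz, gcasServ, WRNotifier) that should NOT be flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {F8FAC2AD-9558-CC60-470F-6679CD8E1B6A} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\mlljk.dll (file missing)
O3 - Toolbar: (no name) - {3BA619EB-00EE-4BFD-B82E-14C467926CB7} - (no file)
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Eric\LOCALS~1\Temp\app3C.tmp
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EOYJTBLV] C:\WINDOWS\EOYJTBLV.exe
O4 - HKLM\..\Run: [CNXISAK] C:\WINDOWS\CNXISAK.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Eric\Spyware Tools\MS\gcasServ.exe"
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# "R3 - ..." / "O4 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Any path component named Temp or tmp (assumed pattern for "runs from a temp dir").
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
VOWELS = set("AEIOU")


def looks_generated(name: str) -> bool:
    """Heuristic (assumed threshold) for auto-generated autorun value names such as
    EOYJTBLV or CNXISAK: 6+ letters, all upper case, no digits, vowel-poor."""
    if len(name) < 6 or not name.isalpha() or not name.isupper():
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return vowel_ratio < 0.35


def triage_line(line: str) -> list:
    """Return the reasons one HijackThis line deserves a closer look ([] if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    # A registration whose backing file is gone is a leftover from a partial
    # clean-up; it does nothing now but is safe to remove and clutters the log.
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        reasons.append("registered component has no file on disk")
    if section == "O4":
        run = RUN_RE.match(body)
        if run:
            if TEMP_RE.search(run.group("cmd")):
                reasons.append("autorun points into a Temp directory")
            if looks_generated(run.group("name")):
                reasons.append("autorun value name looks machine-generated")
    if section == "O15":
        # Trusted Zone entries relax IE's security settings for that host;
        # a user rarely adds one knowingly, so every O15 gets reviewed.
        reasons.append("site added to the IE Trusted Zone")
    return reasons


def triage_log(text: str) -> list:
    """Run triage_line over a whole log; returns [(line, reasons), ...] for flagged lines."""
    findings = []
    for line in text.strip().splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, it flags eight entries (the four dead registrations, the Temp-folder autorun, the two random-name autoruns and the Trusted Zone site) and leaves nwiz, gcasServ and Spy Sweeper's WRNotifier alone. Note what it does not catch: the `[COALSOFTWARE]` entry under "comp barb face" in the log above fails the name heuristic (too many vowels), so a script like this is a first pass for a helper reading logs, not a replacement for knowing which vendors and paths are legitimate.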

Discussion Starter #6 (Registered, 6 Posts):
not good...

well, unfortunately I've run into a snag here. I've gotten up to the Panda scan but now my PC will not allow the scan to complete. It will hang before the scan even gets halfway on the progress bar and the only thing I can do is a manual power-down and reboot. It did this a couple times during the first instructions you gave me as well.

Next post will have the logs for what I did do....

Discussion Starter #7 (Registered, 6 Posts):
Logs:

Ewido:
The logfile has no English...it's gibberish so I'm not going to bother posting it...a bunch of weird symbols, no letters. All I can tell you is that it found and cleaned 25 files.

HJT: Checked and "fixed" all the items you indicated. Got an error message for almost every entry. Something to the effect: "...bad file..." Went through them all and cleaned out whatever it allowed.

TrendMicro: Second scan had no log or option to make one. Although, I guarantee it had indicated "No spyware detected."

Panda scan: my pc continues to crash/freeze before I can finish this scan...still trying.

Let me know what info you need at this point. I'll keep trying to finish the Panda scan..

thanks.

TSF Security Team, Emeritus (6,962 Posts):
Post another HijackThis log. Where is the Findlop log??

Discussion Starter #9 (Registered, 6 Posts):
hmm

alright, well my PC is now freezing after about ten minutes of use and keeps telling me I have insufficient resources. Would it be better to just wipe my hard drive and re-install XP? Any threat of anything nasty sticking around despite wiping the hard drive?

TSF Security Team, Emeritus (6,962 Posts):
No. If you want to wipe the drive...that's fine. Nothing should survive. I would suggest, though, that you install a firewall and make your first stop once back on the internet the MS Update page, to make sure XP is fully patched. If you don't...you'll be right back here in a matter of days.