Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Lots of spyware including winantiviruspro2006 popups and more [resolve


  • Please log in to reply

#1
Jessicapetway

Jessicapetway

    Member

  • Member
  • PipPip
  • 25 posts
Limewire keeps opening itself and my task manager has been disabled and I can't get it to open. Also I have advertisements everywhere. I'm getting them on my desktop, as popups and my sytem is really really slow.

Also winantiviruspro2006 popups keep coming up and I can't get them to stop.

I've ran numerous spyware scans and virus scans and nothing gets these things out.

Any help would be greatly appreciated!



Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:36:24 PM, on

10/2/2006
Platform: Windows XP SP2 (WinNT

5.01.2600)
MSIE: Internet Explorer v6.00 SP2

(6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows

Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EX

E
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program

Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\System32\inetsrv\ineti

nfo.exe
C:\WINDOWS\Explorer.EXE
c:\program

files\mcafee.com\agent\mcdetect.ex

e
c:\PROGRA~1\mcafee.com\agent\mc

tskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvs

rte.exe
C:\Program Files\Common

Files\Microsoft

Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MCAFEE.COM\PERSON

~1\MPFSERVICE.exe
C:\Program Files\Norton

SystemWorks\Norton

Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1

\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\

SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\LXSUPMON.

EXE
C:\Program Files\Roxio\Easy CD

Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD

Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common

Files\Microsoft Shared\Works

Shared\WkUFind.exe
C:\Program Files\MSN Video

Enhanced\MSNVE.exe
C:\WINDOWS\system32\Pelmiced.ex

e
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program

Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvs

shld.exe
c:\progra~1\mcafee.com\vso\mcvses

cn.exe
C:\Program

Files\Java\jre1.5.0_06\bin\jusched.e

xe
C:\WINDOWS\system32\msvcmm32.e

xe
C:\Program Files\Common

Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\EXSHOW95.E

XE
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\

MOVIEL~2.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON

~1\MPFTRAY.EXE
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Windows

Defender\MSASCui.exe
c:\PROGRA~1\mcafee.com\vso\mcsh

ield.exe
C:\Program Files\Roxio\Easy CD

Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Adobe\Photoshop

Album Starter

Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN

Messenger\msnmsgr.exe
c:\program

files\mcafee.com\agent\mcagent.ex

e
C:\PROGRA~1\MCAFEE.COM\PERSON

~1\MPFAGENT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtr

as\mssysmgr.exe
C:\Program Files\Siber Systems\AI

RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft

AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsft

sn.exe
C:\Program

Files\Messenger\msmsgs.exe
C:\Program

Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Kodak\Kodak

EasyShare

software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK

Software

Updater\7288971\Program\Kodak

Software Updater.exe
C:\Program Files\Adobe\Acrobat

5.0\Distillr\AcroTray.exe
C:\Documents and Settings\All

Users\Start

Menu\Programs\Startup\svchost.exe
C:\Program Files\Internet

Explorer\iexplore.exe
C:\Program

Files\limewire\limewire.exe
C:\Program

Files\HijackThis\HijackThis.exe

R0 -

HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://www.yahoo.com/
R1 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://us.rd.yahoo.com/customize/ie/

defaults/su/msgr8/*http://www.yaho

o.com
R1 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://us.rd.yahoo.com/customize/ie/

defaults/sb/msgr8/*http://www.yaho

o.com/ext/search/search.html
R1 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://us.rd.yahoo.com/customize/ie/

defaults/sp/msgr8/*http://www.yaho

o.com
R0 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?Link

Id=56626&homepage=http://www.ya

hoo.com/
R0 -

HKLM\Software\Microsoft\Internet

Explorer\Search,SearchAssistant =

http://as.weatherstudio.com/dp/sear

ch?x=wKX1ILEOi+Vh7AfA98Gm4Me6

9ZMbubcDzJ8gIalwXoz0RBquG6+yio

8FFVsU1NQbrIqXfmIcth8XnS/fxka98

3XZdh/8sGsTcdLvt+ufZmaq7L9aPH5

AcxlHj3/v2SnFmaAJvF3c6Yk=
R1 -

HKCU\Software\Microsoft\Internet

Explorer\SearchURL,(Default) =

http://as.weatherstudio.com/dp/sear

ch?x=wKX1ILEOi+UdWpSlz2q9Dzn13

Emww/YwfLYZRZ8Id0VfYBzsQJeIS9

IsjXqRqGhuZ5ZkRUwO2OFqNAoBha

NTPmS/q5f8uu7a9j6NAcq0ebdQb2g

YpnhnYA0g0yETwJGR0vbrOHNknWU

=
R1 -

HKCU\Software\Microsoft\Internet

Explorer\Main,Window Title =

Microsoft Internet Explorer provided

by Verizon Online
R0 -

HKCU\Software\Microsoft\Internet

Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - -

(no file)
O3 - Toolbar: McAfee VirusScan -

{BA52B914-B692-46c4-B683-905236

F6F655} -

c:\progra~1\mcafee.com\vso\mcvssh

l.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-009027

1D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn

4\yt.dll
O3 - Toolbar: &Google -

{2318C2B1-4965-11d4-9B18-009027

A5CD4F} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm -

{724d43a0-0d85-11d4-9908-0040052

3e39a} - C:\Program Files\Siber

Systems\AI RoboForm\roboform.dll
O3 - Toolbar: WeatherStudio -

{C6139A57-16FB-4FA4-8045-A847FB

FFD695} - C:\Program

Files\WeatherStudio\bin\WeatherStu

dio.dll
O3 - Toolbar: CouponBar -

{5BED3930-2E9E-76D8-BACC-80DF21

88D455} -

C:\WINDOWS\CouponBarIE.dll
O3 - Toolbar: &VSToolBar -

{821F87FF-8245-4972-9E28-732E92E

C2F51} - C:\Program

Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Motive

SmartBridge]

C:\PROGRA~1\VERIZO~1\SUPPOR~1\

SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LXSUPMON]

C:\WINDOWS\system32\LXSUPMON.

EXE RUN
O4 - HKLM\..\Run:

[RoxioEngineUtility] "C:\Program

Files\Common Files\Roxio

Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc]

"C:\Program Files\Roxio\Easy CD

Creator

6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run:

[RoxioAudioCentral] "C:\Program

Files\Roxio\Easy CD Creator

6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Mouse Suite 98

Daemon] ICO.EXE
O4 - HKLM\..\Run: [Microsoft Works

Update Detection] C:\Program

Files\Common Files\Microsoft

Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MSN Video

Enhanced] "C:\Program Files\MSN

Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [MsmqIntCert]

regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IgfxTray]

C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds]

C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG]

AGRSMMSG.exe
O4 - HKLM\..\Run: [dvd43]

C:\Program

Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask]

"c:\PROGRA~1\mcafee.com\vso\mcm

nhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online]

c:\PROGRA~1\mcafee.com\vso\mcvs

shld.exe
O4 - HKLM\..\Run: [MCAgentExe]

c:\PROGRA~1\mcafee.com\agent\mc

agent.exe
O4 - HKLM\..\Run: [MCUpdateExe]

c:\PROGRA~1\mcafee.com\agent\Mc

Update.exe
O4 - HKLM\..\Run:

[SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.e

xe
O4 - HKLM\..\Run: [LoadMSvcmm]

C:\WINDOWS\system32\msvcmm32.e

xe
O4 - HKLM\..\Run: [TkBellExe]

"C:\Program Files\Common

Files\Real\Update_OB\realsched.exe

" -osboot
O4 - HKLM\..\Run: [EXSHOW95.EXE]

EXSHOW95.EXE
O4 - HKLM\..\Run: [MPFExe]

C:\PROGRA~1\MCAFEE.COM\PERSON

~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck]

%systemroot%\system32\dumprep 0

-u
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.e

xe
O4 - HKLM\..\Run:

[KernelFaultCheck]

%systemroot%\system32\dumprep 0

-k
O4 - HKLM\..\Run: [QuickTime Task]

"C:\Program

Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [CloneCDTray]

"C:\Program

Files\SlySoft\CloneCD\CloneCDTray.

exe" /s
O4 - HKLM\..\Run: [LXBSCATS]

rundll32

C:\WINDOWS\System32\spool\DRIVE

RS\W32X86\3\LXBStime.dll,_RunDLL

[email protected]
O4 - HKLM\..\Run:

[MemoryCardManager] C:\Program

Files\Lexmark\Lexmark Precision

Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [Windows

Defender] "C:\Program

Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo

Downloader] "C:\Program

Files\Adobe\Photoshop Album

Starter

Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [gcasServ]

"C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [outlook]

C:\Program

Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [swfjzvl.dll]

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\swfjzvl.dll,vi

qjmaf
O4 - HKCU\..\Run: [msnmsgr]

"C:\Program Files\MSN

Messenger\msnmsgr.exe"

/background
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow

Deluxe Media Manager]

C:\PROGRA~1\Ahead\Ahead\data\Xtr

as\mssysmgr.exe
O4 - HKCU\..\Run: [RoboForm]

"C:\Program Files\Siber Systems\AI

RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft

Office.lnk = C:\Program

Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: GoBack.lnk =

C:\Program

Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Kodak

EasyShare software.lnk =

C:\Program Files\Kodak\Kodak

EasyShare

software\bin\EasyShare.exe
O4 - Global Startup: KODAK

Software Updater.lnk = C:\Program

Files\Kodak\KODAK Software

Updater\7288971\Program\Kodak

Software Updater.exe
O4 - Global Startup: Adobe Reader

Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat

Assistant.lnk = C:\Program

Files\Adobe\Acrobat

5.0\Distillr\AcroTray.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item:

&Google Search - res://c:\program

files\google\GoogleToolbar2.dll/cms

earch.html
O8 - Extra context menu item:

&Search -

http://edits.mywebsearch.com/toolb

aredits/menusearch.jhtml?p=ZNxmk

762YYUS
O8 - Extra context menu item:

&Translate English Word -

res://c:\program

files\google\GoogleToolbar2.dll/cmw

ordtrans.html
O8 - Extra context menu item:

&Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item:

Backward Links - res://c:\program

files\google\GoogleToolbar2.dll/cmb

acklinks.html
O8 - Extra context menu item:

Cached Snapshot of Page -

res://c:\program

files\google\GoogleToolbar2.dll/cmc

ache.html
O8 - Extra context menu item:

Customize Menu - file://C:\Program

Files\Siber Systems\AI

RoboForm\RoboFormComCustomizeI

EMenu.html
O8 - Extra context menu item:

E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\Office

10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill

Forms - file://C:\Program Files\Siber

Systems\AI

RoboForm\RoboFormComFillForms.h

tml
O8 - Extra context menu item:

RemindU - file://C:\Program

Files\Upromise_RemindU\Sy1050\Tp

1050\scri1050a.htm
O8 - Extra context menu item:

RoboForm Toolbar - file://C:\Program

Files\Siber Systems\AI

RoboForm\RoboFormComShowToolb

ar.html
O8 - Extra context menu item: Save

Forms - file://C:\Program Files\Siber

Systems\AI

RoboForm\RoboFormComSavePass.h

tml
O8 - Extra context menu item:

Similar Pages - res://c:\program

files\google\GoogleToolbar2.dll/cmsi

milar.html
O8 - Extra context menu item:

Translate Page into English -

res://c:\program

files\google\GoogleToolbar2.dll/cmtr

ans.html
O8 - Extra context menu item:

Yahoo! &Dictionary -

file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item:

Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item:

Yahoo! &SMS - file:///C:\Program

Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C

608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun

Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C

608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms -

{320AF880-6646-11D3-ABEE-C5DBF3

571F46} - file://C:\Program

Files\Siber Systems\AI

RoboForm\RoboFormComFillForms.h

tml
O9 - Extra 'Tools' menuitem: Fill

Forms -

{320AF880-6646-11D3-ABEE-C5DBF3

571F46} - file://C:\Program

Files\Siber Systems\AI

RoboForm\RoboFormComFillForms.h

tml
O9 - Extra button: Save -

{320AF880-6646-11D3-ABEE-C5DBF3

571F49} - file://C:\Program

Files\Siber Systems\AI

RoboForm\RoboFormComSavePass.h

tml
O9 - Extra 'Tools' menuitem: Save

Forms -

{320AF880-6646-11D3-ABEE-C5DBF3

571F49} - file://C:\Program

Files\Siber Systems\AI

RoboForm\RoboFormComSavePass.h

tml
O9 - Extra button: Yahoo! Services -

{5BAB4B5B-68BC-4B02-94D6-2FC0D

E4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm -

{724d43aa-0d85-11d4-9908-0040052

3e39a} - file://C:\Program Files\Siber

Systems\AI

RoboForm\RoboFormComShowToolb

ar.html
O9 - Extra 'Tools' menuitem:

RoboForm Toolbar -

{724d43aa-0d85-11d4-9908-0040052

3e39a} - file://C:\Program Files\Siber

Systems\AI

RoboForm\RoboFormComShowToolb

ar.html
O9 - Extra button: (no name) -

{85d1f590-48f4-11d9-9669-0800200c

9a66} - %windir%\bdoscandel.exe

(file missing)
O9 - Extra 'Tools' menuitem:

Uninstall BitDefender Online

Scanner v8 -

{85d1f590-48f4-11d9-9669-0800200c

9a66} - %windir%\bdoscandel.exe

(file missing)
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F

795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem:

Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F

795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU -

{2863ACA1-9AA0-4432-8CFE-88C12B

3B2E5E} -

C:\WINDOWS\System32\shdocvw.dll

(HKCU)
O9 - Extra button: WeatherBug -

{AF6CABAB-61F9-4f12-A198-B7D41E

F1CB52} -

C:\WINDOWS\System32\shdocvw.dll

(HKCU)
O12 - Plugin for .spop: C:\Program

Files\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat -

http://us.chat1.yimg.com/us.yimg.co

m/i/chat/applet/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB -

http://photos.groups.yahoo.com/ocx/

us/yexplorer1_8us.cab
O16 - DPF:

{1663ed61-23eb-11d2-b92f-008048fd

d814} (MeadCo ScriptX Advanced) -

http://69.41.164.115/smsx.cab
O16 - DPF:

{17492023-C23A-453E-A040-C7C580

BBF700} (Windows Genuine

Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linki

d=39204
O16 - DPF:

{2BC66F54-93A8-11D3-BEB6-00105A

A9B6AE} (Symantec AntiVirus

scanner) -

http://security.symantec.com/sscv6/

SharedContent/vc/bin/AvSniff.cab
O16 - DPF:

{30528230-99F7-4BB4-88D8-FA1D4F

56A2AB} (YInstStarter Class) -

C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF:

{31932A5C-9234-4377-A920-72E7DD

340DB4} (Snapfish File Upload

ActiveX Control) -

http://www.clarkcolor.com/ClarkUpl

oad.cab
O16 - DPF:

{33E54F7F-561C-49E6-929B-D7E76D

3AFEB1} (Pool Control) -

http://www.worldwinner.com/games/

v45/pool/pool.cab
O16 - DPF:

{406B5949-7190-4245-91A9-30A17D

E16AD0} (Snapfish Activia) -

http://www.snapfish.com/SnapfishA

ctivia.cab
O16 - DPF:

{4E888414-DB8F-11D1-9CD9-00C04F

98436A} (Microsoft.WinRep) -

https://webresponse.one.microsoft.c

om/oas/ActiveX/winrep.cab
O16 - DPF:

{4ED9DDF0-7479-4BBE-9335-5A1EDB

1D8A21} (McAfee.com Operating

System Class) -

http://download.mcafee.com/molbin/

shared/mcinsctl/en-us/4,0,0,84/mcin

sctl.cab
O16 - DPF:

{5D86DDB5-BDF9-441B-9E9E-D4730F

4EE499} (BDSCANONLINE Control) -

http://download.bitdefender.com/res

ources/scan8/oscan8.cab
O16 - DPF:

{62969CF2-0F7A-433B-A221-FD8818

C06C2F} (Blockwerx Control) -

http://mirror.worldwinner.com/game

s/v47/blockwerx/blockwerx.cab
O16 - DPF:

{644E432F-49D3-41A1-8DD5-E09916

2EEEC5} (Symantec RuFSI Utility

Class) -

http://security.symantec.com/sscv6/

SharedContent/common/bin/cabsa.c

ab
O16 - DPF:

{65FDEDF3-8ED9-4F5B-825E-18C2D4

4191A7} (OneCCCtl Class) -

https://as00.estara.com/UI/proxyhtt

ps.php?a=downloads.estara.com./&

hash=889654fb70de3e056ce09f2e74

62c482&url=http%3A%2F%2Fd.69.2

5.47.73.downloads.estara.com.%2Fa

s%2FOneCCDM.php&template=3002

1&sessionid=172070144_69.25.47.7

3_39442&=&req=1108680307804One

CC.cab
O16 - DPF:

{6E32070A-766D-4EE6-879C-DC1FA9

1D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microso

ftupdate/v6/V5Controls/en/x86/client

/muweb_site.cab?1132265268644
O16 - DPF:

{6F750200-1362-4815-A476-88533DE

61D0C} (Ofoto Upload Manager

Class) -

http://www.ofoto.com/downloads/BU

M/BUM_WIN_IE_1/axofupld.cab
O16 - DPF:

{8A94C905-FF9D-43B6-8708-F0F22D

22B1CB} (Wwlaunch Control) -

http://mirror.worldwinner.com/game

s/shared/wwlaunch.cab
O16 - DPF:

{94299420-321F-4FF9-A247-62A23EB

B640B} (WordMojo Control) -

http://www.worldwinner.com/games/

v45/wordmojo/wordmojo.cab
O16 - DPF:

{9522B3FB-7A2B-4646-8AF6-36E7F5

93073C} (cpbrkpie Control) -

http://a19.g.akamai.net/7/19/7125/14

52/ftp.coupons.com/r3302/cpbrkpie.

cab
O16 - DPF:

{97438FE9-D361-4279-BA82-98CC08

77A717} (Cubis Control) -

http://www.worldwinner.com/games/

v55/cubis/cubis.cab
O16 - DPF:

{9903F4ED-B673-456A-A15F-ED90C7

DE9EF5} (Sol Control) -

http://mirror.worldwinner.com/game

s/v44/sol/sol.cab
O16 - DPF:

{9A9307A0-7DA4-4DAF-B042-5009F2

9E09E1} -

http://acs.pandasoftware.com/active

scan/as5free/asinst.cab
O16 - DPF:

{9D8D7672-93FF-417E-9024-C16AD1

41C50C} (Haunted Control) -

http://mirror.worldwinner.com/game

s/v48/haunted/haunted.cab
O16 - DPF:

{A7E092C3-692A-11D0-A7E5-08002B

322F3B} (WebResponseAttachments

Control) -

https://webresponse.one.microsoft.c

om/oas/ActiveX/FileXfer.cab
O16 - DPF:

{A7EA8AD2-287F-11D3-B120-006008

C39542} (CBSTIEPrint Class) -

http://offers.e-centives.com/cif/dow

nload/bin/actxcab.cab
O16 - DPF:

{B8BE5E93-A60C-4D26-A2DC-220313

175592} (ZoneIntro Class) -

http://zone.msn.com/binFramework/v

10/ZIntro.cab33902.cab
O16 - DPF:

{B9191F79-5613-4C76-AA2A-398534

BB8999} -

http://us.dl1.yimg.com/download.yah

oo.com/dl/installs/suite/yautocompl

ete.cab
O16 - DPF:

{BCC0FF27-31D9-4614-A68E-C18E1A

DA4389} (DwnldGroupMgr Class) -

http://download.mcafee.com/molbin/

shared/mcgdmgr/en-us/1,0,0,21/mcg

dmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://mirror.worldw...chess/chess.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) -http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldw...sol/golfsol.cab
O16 - DPF: {ED2E4BB5-60EA-4624-9DE2-998E441C699B} (OpenSiteInstall.opensite_install) - http://www.zuvio.com...SiteInstall.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...377/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - blank
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Can you please repost your hijack log. I not sure why it posted the way it did, maybe wordwrap. Lets try this

Rescan with hijack and save the log.
When notepad open click on format and uncheck wordwrap

Then copy and paste the log into this thread
  • 0

#3
Jessicapetway

Jessicapetway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Okay I redone it also I wanted to say now I am getting popups for drivecleaner and stuff like that saying I have spyware in the computer and wanting me to use there program. So now its more than antiviruspro


anyways heres the log

Logfile of HijackThis v1.99.1
Scan saved at 5:23:18 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\EXSHOW95.EXE
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\limewire\limewire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.weatherstu...SnFmaAJvF3c6Yk=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.weatherstu...JGR0vbrOHNknWU=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: WeatherStudio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,[email protected]
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [swfjzvl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\swfjzvl.dll,viqjmaf
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxmk762YYUS
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://69.41.164.115/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.clarkcolo...ClarkUpload.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara....307804OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1132265268644
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldw...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v44/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://mirror.worldw...ted/haunted.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://mirror.worldw...chess/chess.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldw...sol/golfsol.cab
O16 - DPF: {ED2E4BB5-60EA-4624-9DE2-998E441C699B} (OpenSiteInstall.opensite_install) - http://www.zuvio.com...SiteInstall.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...377/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - blank
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Much better, We have a couple things to deal with but we will get it, lets do this first

Richt click Hijackthis.exe and rename it to HJT.exe

Next

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis(HJT) log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Edited by loophole, 02 October 2006 - 04:00 PM.

  • 0

#5
Jessicapetway

Jessicapetway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Okay so that this don't confuse you. I ran Vundo and it removed all but one thing. I rebooted and started the next scan. My son came in and turned the computer off during the scan :whistling: So I turned it back on and went back into windows and done the scan again. Luckly it removed it the third time without me having to reboot and go for a fourth scan.

Anyways heres the Vundo txt


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.2

Java version is 1.5.0.4

Java version is 1.5.0.6

Scan started at 6:41:33 PM 10/2/2006

Listing files found while scanning....

C:\WINDOWS\system32\winxia32.dll
C:\WINDOWS\system32\tuvwvvv.dll
C:\WINDOWS\system32\cmnkqbwx.dll
C:\Program Files\Common Files\{00000EB5-0B75-1033-0805-040203200001}\services.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winxia32.dll
C:\WINDOWS\system32\winxia32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\tuvwvvv.dll
C:\WINDOWS\system32\tuvwvvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cmnkqbwx.dll
C:\WINDOWS\system32\cmnkqbwx.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{00000EB5-0B75-1033-0805-040203200001}\services.dll
C:\Program Files\Common Files\{00000EB5-0B75-1033-0805-040203200001}\services.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.2

Java version is 1.5.0.4

Java version is 1.5.0.6

Scan started at 8:16:45 PM 10/2/2006

Listing files found while scanning....

C:\WINDOWS\system32\winxia32.dll

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.2

Java version is 1.5.0.4

Java version is 1.5.0.6

Scan started at 9:32:26 PM 10/2/2006

Listing files found while scanning....

C:\WINDOWS\system32\winxia32.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winxia32.dll
C:\WINDOWS\system32\winxia32.dll Has been deleted!

Performing Repairs to the registry.
Done!
  • 0

#6
Jessicapetway

Jessicapetway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Okay Im not sure what you meant by renameing the hijackthis.exe file. I figured you meant to change the name of the program. But I had no idea why I would be doing that so I figured that was wrong. So you will have to explain more if thats not what you meant.

Anyways here the Hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 11:49:18 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqsvc.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\EXSHOW95.EXE
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\limewire\limewire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.weatherstu...yjU/qHaxCNXjM8i
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.weatherstu...JGR0vbrOHNknWU=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {126BC8C6-C2ED-B88D-814F-07D49926E17D} - C:\WINDOWS\system32\znnmfqb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: TTB000000 Class - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: WeatherStudio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
O2 - BHO: (no name) - {9A50D38F-92D0-405A-818B-3C5552A1616C} - C:\WINDOWS\system32\wvwwu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\cmnkqbwx.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: WeatherStudio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,[email protected]
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [swfjzvl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\swfjzvl.dll,viqjmaf
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxmk762YYUS
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://69.41.164.115/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.clarkcolo...ClarkUpload.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara....307804OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1132265268644
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldw...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v44/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://mirror.worldw...ted/haunted.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://mirror.worldw...chess/chess.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldw...sol/golfsol.cab
O16 - DPF: {ED2E4BB5-60EA-4624-9DE2-998E441C699B} (OpenSiteInstall.opensite_install) - http://www.zuvio.com...SiteInstall.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...377/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - blank
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wvwwu - C:\WINDOWS\system32\wvwwu.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

Edited by Jessicapetway, 02 October 2006 - 09:50 PM.

  • 0

#7
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts

I figured you meant to change the name of the program.

Yes that is what I meant :whistling: This infection will sometimes hide entries, when it sees hijackthis.exe running.
Click start, then click run copy and paste this C:\Program Files\HijackThis into the box and press OK

Find hijackthis.exe and RIGHT click it.
Choose rename, then type HJT.exe now rescan with it and post a new log please
  • 0

#8
Jessicapetway

Jessicapetway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
The last log was after I changed the name

See under running processes the last one shows it named HJT.exe

Is that right?
  • 0

#9
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Looke like we cross posted, I see all the hidden entries now :whistling:

lauch VundoFix again

Scan for Vundo

Once scan is complete,right click inside the VundoFix Window and Select Add Files

Copy and paste the entries below in

C:\WINDOWS\system32\znnmfqb.dll
C:\WINDOWS\system32\wvwwu.dll



Click Remove Vundo. Let the tool run and when finished

Please post the C:\vundofix.txt , and a new Hijack log

Edited by loophole, 03 October 2006 - 01:18 AM.

  • 0

#10
Jessicapetway

Jessicapetway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Okay its a done deal.

However I did have to reboot to get it to remove the znnmfqb.dll file and when it rebooted again I got a message that said

Internet Explorer cannot open the Internet site http://tp.msn.com/en...px?ver=7.5.0324
Operation Aborted

I think it was trying to open the thing that comes up with msn messager. I've never seen it do that before so I thought I would mention it. It could have just been a one time fluke


anyways heres the vundo log



VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.2

Java version is 1.5.0.4

Java version is 1.5.0.6

Scan started at 11:41:09 AM 10/3/2006

Listing files found while scanning....


Beginning removal...

Attempting to delete C:\WINDOWS\system32\znnmfqb.dll
C:\WINDOWS\system32\znnmfqb.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wvwwu.dll
C:\WINDOWS\system32\wvwwu.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\znnmfqb.dll
C:\WINDOWS\system32\znnmfqb.dll Has been deleted!

Performing Repairs to the registry.
Done!




And here is the new HJT log



Logfile of HijackThis v1.99.1
Scan saved at 1:56:11 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
C:\WINDOWS\System32\igfxtray.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\WINDOWS\system32\EXSHOW95.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\mqtgsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\limewire\limewire.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.weatherstu...SnFmaAJvF3c6Yk=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.weatherstu...JGR0vbrOHNknWU=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {126BC8C6-C2ED-B88D-814F-07D49926E17D} - C:\WINDOWS\system32\znnmfqb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: TTB000000 Class - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: WeatherStudio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
O2 - BHO: (no name) - {9A50D38F-92D0-405A-818B-3C5552A1616C} - C:\WINDOWS\system32\wvwwu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\cmnkqbwx.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: WeatherStudio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,[email protected]
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [swfjzvl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\swfjzvl.dll,viqjmaf
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxmk762YYUS
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://69.41.164.115/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.clarkcolo...ClarkUpload.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara....307804OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1132265268644
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldw...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v44/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://mirror.worldw...ted/haunted.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://mirror.worldw...chess/chess.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldw...sol/golfsol.cab
O16 - DPF: {ED2E4BB5-60EA-4624-9DE2-998E441C699B} (OpenSiteInstall.opensite_install) - http://www.zuvio.com...SiteInstall.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...377/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - blank
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
  • 0

Advertisements


#11
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello again

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.

    Now click >>start>>control panel >>add/remove programs and uninstall the following if present:
    VSToolbar
    coupon deals


    Please run a scan with HijackThis and check the following lines for removal:

    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {126BC8C6-C2ED-B88D-814F-07D49926E17D} - C:\WINDOWS\system32\znnmfqb.dll (file missing)

    O2 - BHO: TTB000000 Class - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
    O2 - BHO: (no name) - {9A50D38F-92D0-405A-818B-3C5552A1616C} - C:\WINDOWS\system32\wvwwu.dll (file missing)

    O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\cmnkqbwx.dll (file missing)
    O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
    O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [swfjzvl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\swfjzvl.dll,viqjmaf
    O4 - Global Startup: svchost.exe
    O16 - DPF: {ED2E4BB5-60EA-4624-9DE2-998E441C699B} (OpenSiteInstall.opensite_install) - <a href="http://www.zuvio.com...iteInstall.CAB" target="_blank">http://www.zuvio.com...Install.CAB</a>

    Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

    Run Killbox
    • Please double-click Killbox.exe to run it.
    • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    C:\WINDOWS\system32\swfjzvl.dll
    C:\WINDOWS\system32\viqjmaf
    C:\WINDOWS\CouponBarIE.dll
    C:\Program Files\VSToolbar



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


After the reboot

Clean out your Temporary Internet files[/color]. Proceed as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.
Thanks

Edited by loophole, 03 October 2006 - 02:29 PM.

  • 0

#12
Jessicapetway

Jessicapetway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Okay I havent done all of this yet..

I got the this first part where I was taking stuff out with HJT.

I tried to get rid of

O4- Global Startup: svchost.exe

I got a message saying it might be open and that it couldn't get rid of it and to try to close it
so I tried to close it and then I got a message saying

The process could not be killed it may already be closed or protected by windows. This process may be a service, which you can stop from the services applet in Admin Tools
(To load, this window, click start, run and enter 'services.msc')

I wanted to see what you wanted me to do before I go on to the rest of what you said to do
  • 0

#13
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Just skip that one from the hijack fixes. After you reboot following the killbox instructions you may recieve an error about svchost not found, we will fix it later
  • 0

#14
Jessicapetway

Jessicapetway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Okay I went to try do the activescan

and did the active X and then clicked install.

Then it said Erro on downloading Activescan
An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again

Possible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...




It did this the other day when I tried to use this activescan

So now what ?
  • 0

#15
Jessicapetway

Jessicapetway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Oh also those causes can't be the reason.

I did allow the active X control to be downloaded
My internet connection is fine
and this profile does have admin priviledges and there is plenty of disk space
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP