Here is what the infection does to my computer and what I have discovered so far. The infection is re-creating itself when I reboot. When I look into my C:\ drive, the program files delextra.exe, starts.exe, and sometimes some others are there even after I delete them before reboot. The creation date on the files is always when I turn my computer back on or it boots back up. If I delete the files while my computer is on, they still reappear eventually. The infection so far does the following that I've noticed. When I log in my desktop is blank and I have to use Task Manager to open anything, and I can see tasks being run that are named things like 903sdbsbxc380 etc., and I cannot switch to them, but only end them. When I open a .exe file through Task Manager it does "Loading Personalized Settings", then shows my desktop, start menu, etc., and I can go about things the normal way. It still does not allow me to see images on the internet, I cannot turn my FIREWALL on, when I click links I get the "not connected to the internet" message a lot, and it also gives me system messages saying buy this anti-spyware, your system's infected with blah blah, etc.
I have followed the directions on http://www.geekstogo...-Log-t2852.html. I was unable to do the following:
1- Panda ActiveScan
2- I did not download AVG yet; I was going to wait until my system was clean to download it.
Here are my logs:
1) Malware Log File
Malwarebytes' Anti-Malware 1.11
Database version: 694
Scan type: Quick Scan
Objects scanned: 35311
Time elapsed: 7 minute(s), 20 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 35
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18
Memory Processes Infected:
c:\Documents and Settings\Owner\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Unloaded process successfully.
Memory Modules Infected:
c:\WINDOWS\system32\WLCtrl32.dll (Trojan.DownLoader) -> Unloaded module successfully.
c:\WINDOWS\system32\jfiehayd.dll (Trojan.DownLoader) -> Unloaded module successfully.
C:\WINDOWS\system32\awtqoLBT.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUoOHbA.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\winhdn32.dll (Dialer) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlctrl32 (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d611188-5205-4077-9922-bb58c2387832} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d611188-5205-4077-9922-bb58c2387832} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr.1 (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c03fd59d-9104-44b7-929a-9eaa0ba05211} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7c109800-a5d5-438f-9640-18d17e168b88} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aaa7fb6f-1b1c-4425-8303-05ec68f250ba} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0bb6ef78-ffc8-4f7a-bd2c-09da1169a4b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0bb6ef78-ffc8-4f7a-bd2c-09da1169a4b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvuoohba (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhdn32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\E404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Worm.Socks) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0bb6ef78-ffc8-4f7a-bd2c-09da1169a4b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM47bb20eb (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\some (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\start (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqolbt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqolbt -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\WLCtrl32.dll (Trojan.DownLoader) -> Delete on reboot.
c:\WINDOWS\system32\jfiehayd.dll (Trojan.DownLoader) -> Delete on reboot.
c:\Documents and Settings\Owner\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqoLBT.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\TBLoqtwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TBLoqtwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddfrseuy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yuesrfdd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\cftmon.exe (Worm.Socks) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUoOHbA.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\2877899108.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\3917899108.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\453745766.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phveaqlj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hqiopa.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winzlo32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhdn32.dll (Dialer) -> Delete on reboot.
C:\WINDOWS\system32\WLCtrl32.dl_ (Trojan.Downloader) -> Quarantined and deleted successfully.
2) SuperAntiSpyware Scan Log
SUPERAntiSpyware Scan Log
Generated 04/28/2008 at 06:56 PM
Application Version : 3.6.1000
Core Rules Database Version : 3449
Trace Rules Database Version: 1441
Scan type : Complete Scan
Total Scan Time : 00:45:04
Memory items scanned : 297
Memory threats detected : 2
Registry items scanned : 4754
Registry threats detected : 10
File items scanned : 52145
File threats detected : 142
Trojan.Unknown Origin/System
C:\WINDOWS\SYSTEM32\WINHDN32.DLL
C:\WINDOWS\SYSTEM32\WINHDN32.DLL
Rootkit.Runtime3/Mutant-A
C:\WINDOWS\SYSTEM32\WLCTRL32.DLL
C:\WINDOWS\SYSTEM32\WLCTRL32.DLL
Rootkit.Runtime3/Mutant
HKLM\System\ControlSet001\Services\iyr03
C:\WINDOWS\SYSTEM32\DRIVERS\IYR03.SYS
HKLM\System\controlset002\Services\iyr03
HKLM\System\ControlSet003\Services\iyr03
HKLM\System\CurrentControlSet\Services\iyr03
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167231.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167239.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167263.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167288.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167299.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167393.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167405.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167414.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167475.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167794.SYS
Adware.Tracking Cookie
C:\Documents and Settings\Owner\cookies\owner@pro-market[2].txt
C:\Documents and Settings\Owner\cookies\owner@dealtime[1].txt
C:\Documents and Settings\Owner\cookies\owner@adecn[1].txt
C:\Documents and Settings\Owner\cookies\owner@toseeka[1].txt
C:\Documents and Settings\Owner\cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\cookies\owner@overture[2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\system@adrevolver[2].txt
C:\Documents and Settings\LocalService\Cookies\system@advertising[1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\system@apmebf[2].txt
C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt
C:\Documents and Settings\LocalService\Cookies\system@clickbank[1].txt
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\system@onlinerewardcenter[1].txt
C:\Documents and Settings\LocalService\Cookies\system@precisionclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@specificclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@statcounter[2].txt
C:\Documents and Settings\LocalService\Cookies\system@tacoda[1].txt
C:\Documents and Settings\LocalService\Cookies\system@trafficmp[1].txt
C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\system@xiti[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@adknowledge[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@atwola[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@azjmp[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@bannerspace[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@belnk[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@bizrate[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@bluestreak[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@burstnet[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@clickability[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@hitbox[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@insightexpressai[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@primediamags[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@qksrv[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@realmedia[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@revenue[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@roiservice[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@serving-sys[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@tacoda[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@zedo[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@admarketplace[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@keywordmax[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@mediaplex[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@montgomeryadvertiser[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@nextag[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@qksrv[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@questionmarket[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@roiservice[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@serving-sys[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@statcounter[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@trafficmp[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@zedo[2].txt
Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167503.EXE
Rogue.NetProject-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP476\A0167250.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167419.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167433.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167746.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167747.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167748.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167750.EXE
Adware.E404 Helper/Variant-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167753.DLL
Trojan.WinBo32
C:\WINDOWS\SYSTEM32\COMBOPLUSCTL.OCX
3) HiJackThis Log File
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:45 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lcss.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Owner\Application Data\U3\000015A08A602DAC\LaunchPad.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\delextra.exe
c:\delextra.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = htpp://wpad.wildblue.com/wpad.dat
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [16E5] C:\DOCUME~1\Owner\LOCALS~1\Temp\16E5.exe
O4 - HKLM\..\Run: [Winjava vil] sys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\DOCUME~1\Owner\LOCALS~1\Temp\3C46.tmp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fileplanet.com
O15 - Trusted Zone: http://*.runuo.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: jqvm465hmygebkpp6 - Unknown owner - C:\WINDOWS\system32\lcss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
--
End of file - 6948 bytes
I believe that's all of the log files from following the instructions given in the post mentioned above. I really hate that this is happening to my computer. I did start to just restore it. I have the CD, but I can't find the XP authentication number, so I just have to fix it this way. Thanks for being here to help!
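The autostart entries in the HijackThis log above are the persistence behaviour the first paragraph describes: Run keys pointing into a Temp directory, a user-profile root or the drivers directory, and file names one letter off from ctfmon.exe, winlogon.exe and spoolsv.exe. As an added example that is not part of the original post or of the Geeks To Go instructions, here is a small Python triage script that parses O4 and O23 lines and flags those patterns. The sample lines are copied from the log above (with benign entries from the same log for contrast), and the heuristics are assumptions chosen for illustration, not the rules any particular scanner applies.

```python
"""Triage HijackThis O4 (autostart) and O23 (service) lines for persistence red flags.

Added example, not part of the forum post: the heuristics below are assumptions
chosen for illustration, not the rules of any particular scanner.
"""
import difflib
import re

# Constructed sample: autostart and service lines copied from the HijackThis log
# posted above, plus benign entries from the same log for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [16E5] C:\DOCUME~1\Owner\LOCALS~1\Temp\16E5.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
"""

# Windows binaries that live in System32; malware often borrows a near-miss of these names.
SYSTEM_BINARIES = {"ctfmon", "winlogon", "csrss", "spoolsv", "svchost", "lsass", "services", "smss"}

O4_LNK_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")


def parse_line(line):
    """Return {'kind', 'name', 'cmd', 'line'} for an O4/O23 line, else None."""
    line = line.strip()
    for kind, rx in (("startup", O4_LNK_RE), ("run", O4_RUN_RE), ("service", O23_RE)):
        m = rx.match(line)
        if m:
            return {"kind": kind, "name": m.group("name"), "cmd": m.group("cmd"), "line": line}
    return None


def extract_exe(cmd):
    """Pull the executable path out of a command string (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def lookalike(stem):
    """Return the System32 binary name this stem imitates (e.g. cftmon -> ctfmon), or None."""
    if stem in SYSTEM_BINARIES:
        return None
    best = max(SYSTEM_BINARIES, key=lambda n: difflib.SequenceMatcher(None, stem, n).ratio())
    return best if difflib.SequenceMatcher(None, stem, best).ratio() >= 0.8 else None


def assess(entry):
    """Apply the red-flag heuristics to one parsed entry; returns (path, reasons)."""
    path = extract_exe(entry["cmd"])
    p = path.lower().replace("/", "\\")
    base = p.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    reasons = []
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    if "\\system32\\drivers\\" in p and base.endswith(".exe"):
        reasons.append(".exe placed in the drivers directory")
    if re.fullmatch(r"[a-z]:\\[^\\]+", p) or re.fullmatch(r"[a-z]:\\documents and settings\\[^\\]+\\[^\\]+", p):
        reasons.append("executable at a drive or profile root")
    if stem in SYSTEM_BINARIES and "\\windows\\system32\\" not in p:
        reasons.append("system binary name outside System32")
    twin = lookalike(stem)
    if twin:
        reasons.append(f"name resembles system binary '{twin}'")
    if "(file missing)" in entry["cmd"].lower():
        reasons.append("target file missing (dangling autostart)")
    return path, reasons


def triage(log_text):
    """Parse every O4/O23 line in the log and return the entries that trip a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry:
            continue
        path, reasons = assess(entry)
        if reasons:
            findings.append({"line": entry["line"], "name": entry["name"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['name']}] {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample, the script flags the six malicious entries (both spools.exe Run values, cftmon.exe, winlogan.exe, 16E5.exe and the dangling Task Scheduler service) and leaves the legitimate ctfmon.exe, igfxtray.exe, qttask.exe, reader_sl.exe and Ati2evxx.exe entries alone. The lookalike check is deliberately a similarity ratio rather than an exact list, so it also catches variants such as csrssc.exe from the Malwarebytes log; any real triage would still confirm each hit against the file's signature and hash rather than trusting the name alone.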