Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Warning: Spyware Threat has been Detected on your computer [RESOLVED]

Started by mmscully , May 21 2008 05:03 AM

  • This topic is locked This topic is locked

#1
mmscully
Posted 21 May 2008 - 05:03 AM

mmscully

    Member

  • Member
  • PipPip
  • 15 posts
Hello. Just like a lot of others that I have seen on your forum I to have the blue screen with the Spyware threat warning showing as my wallpaper. I have followed your instructions on removing Malware and am still having problems. I don't seem to be getting the automatic pop-up to the spyware website anymore but the blue wallpaper is still showing and my computer is very slow when rebooting. I have never posted to a forum like this so I hope I am doing this correctly. I will attach the logs from each of the scans below in the order that they were performed. Thank you for your help. :)

Malwarebytes' Anti-Malware 1.12
Database version: 768

Scan type: Full Scan (C:\|)
Objects scanned: 161773
Time elapsed: 1 hour(s), 53 minute(s), 56 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 17

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\xwusuhzh.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d51e91c-e917-4b7f-89ff-abe471e16927} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1e5b2693-d348-4ca7-8364-4f5e51bf9c6d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2e54ac53-efa4-4831-a3f6-b47b1a1937cf} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{54a3f8b7-228e-4ed8-895b-de832b2c3959} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{90c61707-c8f8-43db-a25c-c1f4b18ee41e} (Spyware.Comet.Cursor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{edc4193f-34ad-4d07-aa87-e3fdb89e3e76} (Spyware.Comet.Cursor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{4d51e91c-e917-4b7f-89ff-abe471e16927} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\[email protected] (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\xwusuhzh.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Margaret\Application Data\PrivacyProtector Free (Rogue.PrivacyProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Application Data\PrivacyProtector Free\Logs (Rogue.PrivacyProtector) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\102.qit (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Local Settings\Temp\nsm6F5.tmp\blowfish.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP550\A0172948.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP550\A0172949.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0179276.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TMP00000056D72D15A6B6F23B7F (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Application Data\PrivacyProtector Free\Logs\update.log (Rogue.PrivacyProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xwusuhzh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Application Data\Microsoft\dtsc\32122.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\000060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Local Settings\Temp\ac8zt2\eotv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Local Settings\Temp\ac8zt2\npqtsrak.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Local Settings\Temp\ac8zt2\rtqmekwg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Local Settings\Temp\ac8zt2\pmsoarbf.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-05-21 06:13:35
PROTECTIONS: 1
MALWARE: 94
SUSPECTS: 2
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
McAfee VirusScan Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00003992 spyware/adclicker Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00110011-4b0b-44d5-9718-90c88817369b}
00013512 adware/searchaid Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{587DBF2D-9145-4C9E-92C2-1F953DA73773}
00013512 adware/searchaid Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}
00029036 adware/superspider Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{467FAEB2-5F5B-4C81-BAE0-2A4752CA7F4E}
00029036 adware/superspider Adware No 1 Yes No c:\windows\mssys.exe
00029343 adware/mssearch Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{fd9bc004-8331-4457-b830-4759ff704c22}
00029343 adware/mssearch Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}
00035633 adware/cws.nfo Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E3EEBBE8-9CAB-4C76-B26A-747E25EBB4C6}
00035722 adware/comet Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE6BC4EF-5676-484B-88AE-883323913256}
00036156 adware/winres Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D38A51A-23C9-48a1-A33C-48675AA2B494}
00039204 adware/cws Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}
00039204 adware/cws Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}
00039204 adware/cws Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}
00039204 adware/cws Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}
00040007 adware/cws.yexe Adware No 0 Yes No c:\windows\loader.exe
00040007 adware/cws.yexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
00040377 adware/adultlinks Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{965e6b07-6832-4738-bdbe-25f226ba2ab0}
00046490 adware/azesearch Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf3304-138b-4dd5-86ee-491bb6a2286c}
00065497 Adware/Comet Adware No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDF.tmp
00065497 Adware/Comet Adware No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDD.tmp
00103389 adware/noname Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf021f40-3e14-23a5-cba2-717765721306}
00110259 dialer.py Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}
00110532 spyware/clientman Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
00119488 application/mediapipe HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B3E19860-0CD5-4991-A066-4FCA2704DE59}
00132447 adware program Adware No 0 Yes No c:\windows\x.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\82.qit
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11E.tmp
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF3.tmp
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFA.tmp
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\45.qit
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-20-42-32\0.qit
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26\5.qit
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\20-05-2008-05-56-03\4.qit
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\33.qit
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqEB.tmp
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26\2.qit
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\SYSTEM32\Process.exe
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11D.tmp
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE4.tmp
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\0.qit
00145433 Cookie/Mammamediasolutions TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11C.tmp
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26\6.qit
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\20-05-2008-05-56-03\7.qit
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFE.tmp
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\49.qit
00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10A.tmp
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11F.tmp
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\83.qit
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq104.tmp
00145792 Cookie/SexList TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10C.tmp
00146967 Cookie/PayCounter TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq105.tmp
00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\1.qit
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqEC.tmp
00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\50.qit
00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqED.tmp
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\44.qit
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF9.tmp
00167706 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq113.tmp
00167730 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFC.tmp
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq123.tmp
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11A.tmp
00167759 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq118.tmp
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq101.tmp
00167761 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq117.tmp
00167764 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq116.tmp
00167770 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq110.tmp
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\66.qit
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\20-05-2008-05-56-03\0.qit
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\3.qit
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26\0.qit
00168057 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10D.tmp
00168058 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq114.tmp
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26\1.qit
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\28.qit
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\20-05-2008-05-56-03\3.qit
00168069 Cookie/Bilbo.counted TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqEE.tmp
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\20-05-2008-05-56-03\5.qit
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\40.qit
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF2.tmp
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26\3.qit
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\75.qit
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10B.tmp
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\39.qit
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF1.tmp
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\20-05-2008-05-56-03\13.qit
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\91.qit
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26\10.qit
00168101 Cookie/Falkag TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFD.tmp
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\63.qit
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\23.qit
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqEA.tmp
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\20-05-2008-05-56-03\2.qit
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq119.tmp
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\20-05-2008-05-56-03\12.qit
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq121.tmp
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\88.qit
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26\9.qit
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\69.qit
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq106.tmp
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\65.qit
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq109.tmp
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\73.qit
00171842 trj/downloader.coy Virus/Trojan No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA}
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq108.tmp
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26\8.qit
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\72.qit
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq124.tmp
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF0.tmp
00177226 spyware/lefeat Spyware No 1 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B847676D-72AC-4393-BFFF-43A1EB979352}
00180153 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq112.tmp
00180154 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq111.tmp
00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq122.tmp
00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\92.qit
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\35.qit
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\20.qit
00193807 dialer.bny Dialers No 0 Yes No c:\windows\pcconfig.dat
00206953 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10F.tmp
00218977 adware/affilred Adware No 0 Yes No c:\windows\msupdate.exe
00219327 adware/conspy Adware No 0 Yes No c:\windows\waol.exe
00219327 adware/conspy Adware No 0 Yes No c:\windows\editpad.exe
00226936 adware/cws.payfortraffic Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98DBBF16-CA43-4c33-BE80-99E6694468A4}
00251542 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq115.tmp
00262024 Cookie/ErrorSafe TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\48.qit
00262025 Cookie/ErrorSafe TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\47.qit
00262033 adware/emediacodec Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{134F7664-943D-3BB9-65F5-70B91DF46C86}
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFF.tmp
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\13.qit
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\37.qit
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF4.tmp
02261869 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10E.tmp
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\21.qit
02908816 Cookie/Starware TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\54.qit
02909984 Cookie/PCCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\68.qit
02919041 Adware/PCCleaner Adware No 0 Yes No C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\914.qit
02936685 Adware/VirusAlert Adware No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP550\A0172941.exe
02936689 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP550\A0172944.exe
02936691 Adware/VideoAccessCodec Adware No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP550\A0172945.dll
02980351 Adware/NaviPromo Adware No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP588\A0179664.exe
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location (
;===============================================================================
=================================================================================
===================
No C:\PROGRAM FILES\ANTISPYWAREAPP\TCL.DLL (
No C:\PROGRAM FILES\ANTISPYWAREAPP\ZLIB.DLL (
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description (
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================


SUPERAntiSpyware Scan Log
Generated 05/20/2008 at 08:29 PM

Application Version : 3.6.1000

Core Rules Database Version : 3464
Trace Rules Database Version: 1455

Scan type : Quick Scan
Total Scan Time : 01:01:36

Memory items scanned : 677
Memory threats detected : 0
Registry items scanned : 910
Registry threats detected : 10
File items scanned : 33735
File threats detected : 13

Parasite.CoolWebSearch Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}
C:\WINDOWS\OLEHELP.EXE

HTMLCore Module BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}

CoolWebSearch Parasite Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}

Browser Hijacker.Tubby
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}

ClientMan BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb}

Adware.Zango Toolbar/Hb
C:\Documents and Settings\Margaret\Application Data\Zango

Adware.Casino Games (Golden Palace Casino)
C:\BODOG CASINO\CASINO.EXE

Adware.AdSponsor/ISM
C:\DOCUMENTS AND SETTINGS\MARGARET\APPLICATION DATA\ANTISPYWARE\QUARANTINE\19-05-2008-15-00-29\803.QIT

Worm.EXPLORER32
C:\WINDOWS\EXPLORER32.EXE

Trojan.Downloader-Gen/Win
C:\WINDOWS\IEDLL.EXE
C:\WINDOWS\WIN32E.EXE

Trojan.IEXPLORER
C:\WINDOWS\IEXPLORER.EXE

Trojan.Unclassified/Loader-Suspicious
C:\WINDOWS\LOADER.EXE

RUNDLL16.EXE
C:\WINDOWS\RUNDLL16.EXE

Worm.Rbot Variant
C:\WINDOWS\SVCHOST32.EXE

Trojan.Downloader-Systeem
C:\WINDOWS\SYSTEEM.EXE

Trojan.Downloader-SystemCritcial/Fake Alert
C:\WINDOWS\SYSTEMCRITICAL.EXE


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:14 AM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AntiSpywareApp\Antispyware.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [Antispyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Addiction by pogo - http://game3.pogo.co...ction-en_US.cab
O16 - DPF: Bingo Luau by pogo - http://game3.pogo.co...bingo-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...kjack-en_US.cab
O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.co...jack2-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.co...wling-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.co...nasta-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game3.pogo.co...z/ytz-en_US.cab
O16 - DPF: Dominoes v2 by pogo - http://game3.pogo.co...mino2-en_US.cab
O16 - DPF: Euchre by pogo - http://game3.pogo.co...uchre-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game3.pogo.co...bingo-en_US.cab
O16 - DPF: Golf Solitaire by pogo - http://game3.pogo.co...taire-en_US.cab
O16 - DPF: High Stakes Pool by pogo - http://game3.pogo.co.../pool-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...ottso-en_US.cab
O16 - DPF: Mahjong Safari by Pogo - http://game3.pogo.co...afari-en_US.cab
O16 - DPF: Makeover Madness by pogo - http://game1.pogo.co...shoes-en_US.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.co...ochle-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...popfu-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.co...treak-en_US.cab
O16 - DPF: Spades 2 by pogo - http://game3.pogo.co...ades2-en_US.cab
O16 - DPF: Squelchies by pogo - http://game3.pogo.co...chies-en_US.cab
O16 - DPF: Super Dominoes by pogo - http://game1.pogo.co...omino-en_US.cab
O16 - DPF: Sweet Tooth 2 by Pogo - http://game1.pogo.co...ooth2-en_US.cab
O16 - DPF: Thousand Island Solitaire by pogo - http://game1.pogo.co...lbrae-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game3.pogo.co...peaks-en_US.cab
O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.co...rbo22-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.co...ories-en_US.cab
O16 - DPF: Word Search Daily by pogo - http://game3.pogo.co...earch-en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O
  • 0

Advertisements

#2
Essexboy
Posted 24 May 2008 - 03:21 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there and sorry for the delay, If I could have a fresh look at your system

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#3
mmscully
Posted 24 May 2008 - 04:36 PM

mmscully

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thank you for your reply. Attached is the log from OTScanit.

Attached Files


  • 0

#4
mmscully
Posted 24 May 2008 - 05:28 PM

mmscully

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I now have a new wallpaper background showing on my computer. It is blue with Red and white printing

WARNING!
YOUR'RE IN DANGER!
YOUR COMPUTER IS INFECTED WITH SPYWARE!

ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YIOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMVOE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOU BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDRE.

Every site you or somebody or even something, like spyware, opened in your browsers, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!

SECURE YOUR SELF RIGHT NOW!
REMOVE ALL SPYWARE FROM YOUR PC!
  • 0

#5
Essexboy
Posted 25 May 2008 - 04:16 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK then I can now see what we are fighting

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> sysragfchqs.exe -> %SystemRoot%\sysragfchqs.exe
YY -> syscdupretn.exe -> %SystemRoot%\syscdupretn.exe
YY -> sysgycnafek.exe -> %SystemRoot%\sysgycnafek.exe
YY -> sysnwqdfbta.exe -> %SystemRoot%\sysnwqdfbta.exe
YY -> sysuxvmschr.exe -> %SystemRoot%\sysuxvmschr.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> ~EmptyValue -> []
YN -> {1989CEB5-CC50-4314-9FD6-597E6F7CC50F} -> sysgycnafek.exe ["C:\WINDOWS\sysgycnafek.exe"]
YN -> {6739EFCB-69CF-41db-ADD7-79047E1BB2C0} -> syscdupretn.exe ["C:\WINDOWS\syscdupretn.exe"]
YN -> {7D5C078D-6337-46a1-852E-D1A97B8EBB8C} -> sysragfchqs.exe ["C:\WINDOWS\sysragfchqs.exe"]
YN -> {B774C456-2718-417d-AC6E-E0049682876F} -> sysnwqdfbta.exe ["C:\WINDOWS\sysnwqdfbta.exe"]
YN -> {F93D8433-BFDA-4e2c-ABB9-EBA2716CD140} -> sysuxvmschr.exe ["C:\WINDOWS\sysuxvmschr.exe"]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Antispyware -> Antispyware.exe [C:\Program Files\AntiSpywareApp\Antispyware.exe -boot]
YN -> QdrModule16 -> QdrModule16.exe ["C:\Program Files\QdrModule\QdrModule16.exe"]
< Run [HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\] > -> HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Antispyware -> Antispyware.exe [C:\Program Files\AntiSpywareApp\Antispyware.exe -boot]
YN -> QdrModule16 -> QdrModule16.exe ["C:\Program Files\QdrModule\QdrModule16.exe"]
< IFEO [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
YN -> Your Image File Name Here without a path -> [Debugger]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {150fa160-130d-451f-b863-b655061432ba} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {2d38a51a-23c9-48a1-a33c-48675aa2b494} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {2e9caff6-30c7-4208-8807-e79d4ec6f806} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {79369d5c-2903-4b7a-ade2-d5e0dee14d24} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {799a370d-5993-4887-9df7-0a4756a77d00} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {a55581dc-2cdb-4089-8878-71a080b22342} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {b847676d-72ac-4393-bfff-43a1eb979352} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {bc97b254-b2b9-4d40-971d-78e0978f5f26} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {e2ddf680-9905-4dee-8c64-0a5de7fe133c} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {e7afff2a-1b57-49c7-bf6b-e5123394c970} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\] > -> HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\] > -> HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_05\bin\ssv.dll [Sun Java Console]
YN -> {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}:{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [AT&T Yahoo! Services]
YN -> {7F9DB11C-E358-4ca6-A83D-ACC663939424}:BandCLSID -> %ProgramFiles%\Bonjour\ExplorerPlugin.dll [Bonjour]
< Default Protocols [HKEY_USERS\.DEFAULT\] - Select to Repair > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
< Default Protocols [HKEY_USERS\S-1-5-18\] - Select to Repair > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
< Default Protocols [HKEY_USERS\S-1-5-19\] - Select to Repair > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
< Default Protocols [HKEY_USERS\S-1-5-20\] - Select to Repair > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
[Files/Folders - Created Within 90 days]
NY -> antispyware.sys -> %SystemRoot%\System32\drivers\antispyware.sys
NY -> hljwugsf.bin -> %SystemRoot%\System32\hljwugsf.bin
NY -> accesss.exe -> %SystemRoot%\accesss.exe
NY -> astctl32.ocx -> %SystemRoot%\astctl32.ocx
NY -> avpcc.dll -> %SystemRoot%\avpcc.dll
NY -> clrssn.exe -> %SystemRoot%\clrssn.exe
NY -> cpan.dll -> %SystemRoot%\cpan.dll
NY -> ctfmon32.exe -> %SystemRoot%\ctfmon32.exe
NY -> ctrlpan.dll -> %SystemRoot%\ctrlpan.dll
NY -> default.htm -> %SystemRoot%\default.htm
NY -> directx32.exe -> %SystemRoot%\directx32.exe
NY -> dnsrelay.dll -> %SystemRoot%\dnsrelay.dll
NY -> editpad.exe -> %SystemRoot%\editpad.exe
NY -> explore.exe -> %SystemRoot%\explore.exe
NY -> funniest.exe -> %SystemRoot%\funniest.exe
NY -> funny.exe -> %SystemRoot%\funny.exe
NY -> gfmnaaa.dll -> %SystemRoot%\gfmnaaa.dll
NY -> helpcvs.exe -> %SystemRoot%\helpcvs.exe
NY -> inetinf.exe -> %SystemRoot%\inetinf.exe
NY -> Instlog.lyt -> %SystemRoot%\Instlog.lyt
NY -> internet.exe -> %SystemRoot%\internet.exe
NY -> loader.exe -> %SystemRoot%\loader.exe
NY -> msconfd.dll -> %SystemRoot%\msconfd.dll
NY -> msspi.dll -> %SystemRoot%\msspi.dll
NY -> mssys.exe -> %SystemRoot%\mssys.exe
NY -> msupdate.exe -> %SystemRoot%\msupdate.exe
NY -> mswsc10.dll -> %SystemRoot%\mswsc10.dll
NY -> mswsc20.dll -> %SystemRoot%\mswsc20.dll
NY -> mtwirl32.dll -> %SystemRoot%\mtwirl32.dll
NY -> mywallpaper.bmp -> %SystemRoot%\mywallpaper.bmp
NY -> notepad32.exe -> %SystemRoot%\notepad32.exe
NY -> rundll32.vbe -> %SystemRoot%\rundll32.vbe
NY -> searchword.dll -> %SystemRoot%\searchword.dll
NY -> sistem.exe -> %SystemRoot%\sistem.exe
NY -> svcinit.exe -> %SystemRoot%\svcinit.exe
NY -> syscdupretn.exe -> %SystemRoot%\syscdupretn.exe
NY -> sysgycnafek.exe -> %SystemRoot%\sysgycnafek.exe
NY -> sysnwqdfbta.exe -> %SystemRoot%\sysnwqdfbta.exe
NY -> sysragfchqs.exe -> %SystemRoot%\sysragfchqs.exe
NY -> sysuxvmschr.exe -> %SystemRoot%\sysuxvmschr.exe
NY -> time.exe -> %SystemRoot%\time.exe
NY -> users32.exe -> %SystemRoot%\users32.exe
NY -> win64.exe -> %SystemRoot%\win64.exe
NY -> winajbm.dll -> %SystemRoot%\winajbm.dll
NY -> window.exe -> %SystemRoot%\window.exe
NY -> winmgnt.exe -> %SystemRoot%\winmgnt.exe
NY -> x.exe -> %SystemRoot%\x.exe
NY -> xplugin.dll -> %SystemRoot%\xplugin.dll
NY -> xxxvideo.hta -> %SystemRoot%\xxxvideo.hta
NY -> y.exe -> %SystemRoot%\y.exe
NY -> zysqargtzkf.exe -> %SystemRoot%\zysqargtzkf.exe
NY -> zysrsetdhmz.exe -> %SystemRoot%\zysrsetdhmz.exe
NY -> zystmxcgfqz.exe -> %SystemRoot%\zystmxcgfqz.exe
NY -> Antispyware Scheduled Scan.job -> %SystemRoot%\tasks\Antispyware Scheduled Scan.job
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> Antispyware -> %AppData%\Antispyware
NY -> AntiSpyware.lnk -> %AllUsersProfile%\Desktop\AntiSpyware.lnk
NY -> AntiSpywareApp -> %ProgramFiles%\AntiSpywareApp
[Files/Folders - Modified Within 90 days]
NY -> antispyware.sys -> %SystemRoot%\System32\drivers\antispyware.sys
NY -> hljwugsf.bin -> %SystemRoot%\System32\hljwugsf.bin
NY -> accesss.exe -> %SystemRoot%\accesss.exe
NY -> astctl32.ocx -> %SystemRoot%\astctl32.ocx
NY -> avpcc.dll -> %SystemRoot%\avpcc.dll
NY -> clrssn.exe -> %SystemRoot%\clrssn.exe
NY -> cpan.dll -> %SystemRoot%\cpan.dll
NY -> ctfmon32.exe -> %SystemRoot%\ctfmon32.exe
NY -> ctrlpan.dll -> %SystemRoot%\ctrlpan.dll
NY -> default.htm -> %SystemRoot%\default.htm
NY -> directx32.exe -> %SystemRoot%\directx32.exe
NY -> dnsrelay.dll -> %SystemRoot%\dnsrelay.dll
NY -> editpad.exe -> %SystemRoot%\editpad.exe
NY -> explore.exe -> %SystemRoot%\explore.exe
NY -> funniest.exe -> %SystemRoot%\funniest.exe
NY -> funny.exe -> %SystemRoot%\funny.exe
NY -> gfmnaaa.dll -> %SystemRoot%\gfmnaaa.dll
NY -> helpcvs.exe -> %SystemRoot%\helpcvs.exe
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> inetinf.exe -> %SystemRoot%\inetinf.exe
NY -> Instlog.lyt -> %SystemRoot%\Instlog.lyt
NY -> internet.exe -> %SystemRoot%\internet.exe
NY -> loader.exe -> %SystemRoot%\loader.exe
NY -> msconfd.dll -> %SystemRoot%\msconfd.dll
NY -> msspi.dll -> %SystemRoot%\msspi.dll
NY -> mssys.exe -> %SystemRoot%\mssys.exe
NY -> msupdate.exe -> %SystemRoot%\msupdate.exe
NY -> mswsc10.dll -> %SystemRoot%\mswsc10.dll
NY -> mswsc20.dll -> %SystemRoot%\mswsc20.dll
NY -> mtwirl32.dll -> %SystemRoot%\mtwirl32.dll
NY -> mywallpaper.bmp -> %SystemRoot%\mywallpaper.bmp
NY -> notepad32.exe -> %SystemRoot%\notepad32.exe
NY -> rundll32.vbe -> %SystemRoot%\rundll32.vbe
NY -> searchword.dll -> %SystemRoot%\searchword.dll
NY -> sistem.exe -> %SystemRoot%\sistem.exe
NY -> svcinit.exe -> %SystemRoot%\svcinit.exe
NY -> syscdupretn.exe -> %SystemRoot%\syscdupretn.exe
NY -> sysgycnafek.exe -> %SystemRoot%\sysgycnafek.exe
NY -> sysnwqdfbta.exe -> %SystemRoot%\sysnwqdfbta.exe
NY -> sysragfchqs.exe -> %SystemRoot%\sysragfchqs.exe
NY -> sysuxvmschr.exe -> %SystemRoot%\sysuxvmschr.exe
NY -> time.exe -> %SystemRoot%\time.exe
NY -> users32.exe -> %SystemRoot%\users32.exe
NY -> win64.exe -> %SystemRoot%\win64.exe
NY -> winajbm.dll -> %SystemRoot%\winajbm.dll
NY -> window.exe -> %SystemRoot%\window.exe
NY -> winmgnt.exe -> %SystemRoot%\winmgnt.exe
NY -> x.exe -> %SystemRoot%\x.exe
NY -> xplugin.dll -> %SystemRoot%\xplugin.dll
NY -> xxxvideo.hta -> %SystemRoot%\xxxvideo.hta
NY -> y.exe -> %SystemRoot%\y.exe
NY -> zysqargtzkf.exe -> %SystemRoot%\zysqargtzkf.exe
NY -> zysrsetdhmz.exe -> %SystemRoot%\zysrsetdhmz.exe
NY -> zystmxcgfqz.exe -> %SystemRoot%\zystmxcgfqz.exe
NY -> Antispyware Scheduled Scan.job -> %SystemRoot%\tasks\Antispyware Scheduled Scan.job
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 176 bytes -> %AllUsersProfile%\Application Data\TEMP:1A6AFE3D
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\Application Data\TEMP:27AAAD97
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\Application Data\TEMP:4E1E5A60
NY -> @Alternate Data Stream - 168 bytes -> %AllUsersProfile%\Application Data\TEMP:4EFDF5FB
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\Application Data\TEMP:5EC637CB
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\Application Data\TEMP:861A898F
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\Application Data\TEMP:A73EAFFB
NY -> @Alternate Data Stream - 106 bytes -> %AllUsersProfile%\Application Data\TEMP:CAAA7DD7
NY -> @Alternate Data Stream - 155 bytes -> %AllUsersProfile%\Application Data\TEMP:D09AEE3D
NY -> Antispyware -> %AppData%\Antispyware
NY -> AntiSpyware.lnk -> %AllUsersProfile%\Desktop\AntiSpyware.lnk
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

THEN

Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTScanit report and Combofix
  • 0

#6
mmscully
Posted 25 May 2008 - 08:00 AM

mmscully

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I now have a solid blue wallpaper. Attached are the logs from OTScanIT, ComboFix and HijackThis.

Explorer killed successfully
[Processes - Non-Microsoft Only]
Process sysragfchqs.exe killed successfully.
C:\WINDOWS\sysragfchqs.exe moved successfully.
Process syscdupretn.exe killed successfully.
C:\WINDOWS\syscdupretn.exe moved successfully.
Process sysgycnafek.exe killed successfully.
C:\WINDOWS\sysgycnafek.exe moved successfully.
Process sysnwqdfbta.exe killed successfully.
C:\WINDOWS\sysnwqdfbta.exe moved successfully.
Process sysuxvmschr.exe killed successfully.
C:\WINDOWS\sysuxvmschr.exe moved successfully.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\~EmptyValue deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{1989CEB5-CC50-4314-9FD6-597E6F7CC50F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{6739EFCB-69CF-41db-ADD7-79047E1BB2C0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{7D5C078D-6337-46a1-852E-D1A97B8EBB8C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{B774C456-2718-417d-AC6E-E0049682876F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B774C456-2718-417d-AC6E-E0049682876F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Antispyware deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QdrModule16 deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Antispyware not found.
Registry value HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QdrModule16 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{150fa160-130d-451f-b863-b655061432ba}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2e9caff6-30c7-4208-8807-e79d4ec6f806}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{799a370d-5993-4887-9df7-0a4756a77d00}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a55581dc-2cdb-4089-8878-71a080b22342}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b847676d-72ac-4393-bfff-43a1eb979352}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bc97b254-b2b9-4d40-971d-78e0978f5f26}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e7afff2a-1b57-49c7-bf6b-e5123394c970}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ not found.
Registry value HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry value HKEY_USERS\S-1-5-21-3069831013-1830182787-2811713311-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{7F9DB11C-E358-4ca6-A83D-ACC663939424}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F9DB11C-E358-4ca6-A83D-ACC663939424}\ not found.
[Files/Folders - Created Within 90 days]
C:\WINDOWS\System32\drivers\antispyware.sys moved successfully.
C:\WINDOWS\System32\hljwugsf.bin moved successfully.
C:\WINDOWS\accesss.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\astctl32.ocx
C:\WINDOWS\astctl32.ocx NOT unregistered.
C:\WINDOWS\astctl32.ocx moved successfully.
LoadLibrary failed for C:\WINDOWS\avpcc.dll
C:\WINDOWS\avpcc.dll NOT unregistered.
C:\WINDOWS\avpcc.dll moved successfully.
C:\WINDOWS\clrssn.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\cpan.dll
C:\WINDOWS\cpan.dll NOT unregistered.
C:\WINDOWS\cpan.dll moved successfully.
C:\WINDOWS\ctfmon32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\ctrlpan.dll NOT unregistered.
C:\WINDOWS\ctrlpan.dll moved successfully.
C:\WINDOWS\default.htm moved successfully.
C:\WINDOWS\directx32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\dnsrelay.dll NOT unregistered.
C:\WINDOWS\dnsrelay.dll moved successfully.
C:\WINDOWS\editpad.exe moved successfully.
C:\WINDOWS\explore.exe moved successfully.
C:\WINDOWS\funniest.exe moved successfully.
C:\WINDOWS\funny.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\gfmnaaa.dll NOT unregistered.
C:\WINDOWS\gfmnaaa.dll moved successfully.
C:\WINDOWS\helpcvs.exe moved successfully.
C:\WINDOWS\inetinf.exe moved successfully.
C:\WINDOWS\Instlog.lyt moved successfully.
C:\WINDOWS\internet.exe moved successfully.
C:\WINDOWS\loader.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\msconfd.dll
C:\WINDOWS\msconfd.dll NOT unregistered.
C:\WINDOWS\msconfd.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\msspi.dll
C:\WINDOWS\msspi.dll NOT unregistered.
C:\WINDOWS\msspi.dll moved successfully.
C:\WINDOWS\mssys.exe moved successfully.
C:\WINDOWS\msupdate.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc10.dll NOT unregistered.
C:\WINDOWS\mswsc10.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mswsc20.dll NOT unregistered.
C:\WINDOWS\mswsc20.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\mtwirl32.dll NOT unregistered.
C:\WINDOWS\mtwirl32.dll moved successfully.
C:\WINDOWS\mywallpaper.bmp moved successfully.
C:\WINDOWS\notepad32.exe moved successfully.
C:\WINDOWS\rundll32.vbe moved successfully.
LoadLibrary failed for C:\WINDOWS\searchword.dll
C:\WINDOWS\searchword.dll NOT unregistered.
C:\WINDOWS\searchword.dll moved successfully.
C:\WINDOWS\sistem.exe moved successfully.
C:\WINDOWS\svcinit.exe moved successfully.
File C:\WINDOWS\syscdupretn.exe not found!
File C:\WINDOWS\sysgycnafek.exe not found!
File C:\WINDOWS\sysnwqdfbta.exe not found!
File C:\WINDOWS\sysragfchqs.exe not found!
File C:\WINDOWS\sysuxvmschr.exe not found!
C:\WINDOWS\time.exe moved successfully.
C:\WINDOWS\users32.exe moved successfully.
C:\WINDOWS\win64.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\winajbm.dll
C:\WINDOWS\winajbm.dll NOT unregistered.
C:\WINDOWS\winajbm.dll moved successfully.
C:\WINDOWS\window.exe moved successfully.
C:\WINDOWS\winmgnt.exe moved successfully.
C:\WINDOWS\x.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\xplugin.dll
C:\WINDOWS\xplugin.dll NOT unregistered.
C:\WINDOWS\xplugin.dll moved successfully.
C:\WINDOWS\xxxvideo.hta moved successfully.
C:\WINDOWS\y.exe moved successfully.
C:\WINDOWS\zysqargtzkf.exe moved successfully.
C:\WINDOWS\zysrsetdhmz.exe moved successfully.
C:\WINDOWS\zystmxcgfqz.exe moved successfully.
C:\WINDOWS\tasks\Antispyware Scheduled Scan.job moved successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
C:\Documents and Settings\Margaret\Application Data\Antispyware\Settings folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\20-05-2008-05-56-03 folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-20-42-32 folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-36-18 folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-28-26 folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-17-02-33 folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\900.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\860.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\804.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\791.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\790.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\789.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\787.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\785.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\782.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\780.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\248.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\247.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\246.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\244.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\242.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\240.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\239.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\234.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\225.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\223.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\222.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\192.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\191.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\190.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\189.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\187.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\185.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\184.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\183.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\181.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\175.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\169.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\161.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\150.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\149.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\147.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\143.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\138.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\132.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29\124.qit folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine\19-05-2008-15-00-29 folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware\Quarantine folder moved successfully.
Folder move failed. C:\Documents and Settings\Margaret\Application Data\Antispyware\Log scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Margaret\Application Data\Antispyware scheduled to be moved on reboot.
C:\Documents and Settings\All Users\Desktop\AntiSpyware.lnk moved successfully.
C:\Program Files\AntiSpywareApp\FilterDrv folder moved successfully.
C:\Program Files\AntiSpywareApp folder moved successfully.
[Files/Folders - Modified Within 90 days]
File C:\WINDOWS\System32\drivers\antispyware.sys not found!
File C:\WINDOWS\System32\hljwugsf.bin not found!
File C:\WINDOWS\accesss.exe not found!
File C:\WINDOWS\astctl32.ocx not found!
File C:\WINDOWS\avpcc.dll not found!
File C:\WINDOWS\clrssn.exe not found!
File C:\WINDOWS\cpan.dll not found!
File C:\WINDOWS\ctfmon32.exe not found!
File C:\WINDOWS\ctrlpan.dll not found!
File C:\WINDOWS\default.htm not found!
File C:\WINDOWS\directx32.exe not found!
File C:\WINDOWS\dnsrelay.dll not found!
File C:\WINDOWS\editpad.exe not found!
File C:\WINDOWS\explore.exe not found!
File C:\WINDOWS\funniest.exe not found!
File C:\WINDOWS\funny.exe not found!
File C:\WINDOWS\gfmnaaa.dll not found!
File C:\WINDOWS\helpcvs.exe not found!
C:\WINDOWS\imsins.BAK moved successfully.
File C:\WINDOWS\inetinf.exe not found!
File C:\WINDOWS\Instlog.lyt not found!
File C:\WINDOWS\internet.exe not found!
File C:\WINDOWS\loader.exe not found!
File C:\WINDOWS\msconfd.dll not found!
File C:\WINDOWS\msspi.dll not found!
File C:\WINDOWS\mssys.exe not found!
File C:\WINDOWS\msupdate.exe not found!
File C:\WINDOWS\mswsc10.dll not found!
File C:\WINDOWS\mswsc20.dll not found!
File C:\WINDOWS\mtwirl32.dll not found!
File C:\WINDOWS\mywallpaper.bmp not found!
File C:\WINDOWS\notepad32.exe not found!
File C:\WINDOWS\rundll32.vbe not found!
File C:\WINDOWS\searchword.dll not found!
File C:\WINDOWS\sistem.exe not found!
File C:\WINDOWS\svcinit.exe not found!
File C:\WINDOWS\syscdupretn.exe not found!
File C:\WINDOWS\sysgycnafek.exe not found!
File C:\WINDOWS\sysnwqdfbta.exe not found!
File C:\WINDOWS\sysragfchqs.exe not found!
File C:\WINDOWS\sysuxvmschr.exe not found!
File C:\WINDOWS\time.exe not found!
File C:\WINDOWS\users32.exe not found!
File C:\WINDOWS\win64.exe not found!
File C:\WINDOWS\winajbm.dll not found!
File C:\WINDOWS\window.exe not found!
File C:\WINDOWS\winmgnt.exe not found!
File C:\WINDOWS\x.exe not found!
File C:\WINDOWS\xplugin.dll not found!
File C:\WINDOWS\xxxvideo.hta not found!
File C:\WINDOWS\y.exe not found!
File C:\WINDOWS\zysqargtzkf.exe not found!
File C:\WINDOWS\zysrsetdhmz.exe not found!
File C:\WINDOWS\zystmxcgfqz.exe not found!
File C:\WINDOWS\tasks\Antispyware Scheduled Scan.job not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1A6AFE3D deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:27AAAD97 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4E1E5A60 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4EFDF5FB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5EC637CB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:861A898F deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A73EAFFB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:CAAA7DD7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D09AEE3D deleted successfully.
Folder move failed. C:\Documents and Settings\Margaret\Application Data\Antispyware\Log scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Margaret\Application Data\Antispyware scheduled to be moved on reboot.
File C:\Documents and Settings\All Users\Desktop\AntiSpyware.lnk not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Margaret\Local Settings\Temp\~DF2870.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Margaret\Local Settings\Temp\~DFA1CE.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcafee_9lmN4BYKXb3ONL9 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_0JbmRjKsCNexLDy scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_aPOLIXr43hYzw28 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_Cns2FGLOa1kwhNF scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_EfL4gBx7ZXnldQm scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_UDJddKEZFqLz1ba scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.14.3 fix logfile created on 05252008_084623

Files moved on Reboot...
C:\Documents and Settings\Margaret\Application Data\Antispyware\Log folder moved successfully.
C:\Documents and Settings\Margaret\Application Data\Antispyware folder moved successfully.
C:\Documents and Settings\Margaret\Local Settings\Temp\~DF2870.tmp moved successfully.
File C:\Documents and Settings\Margaret\Local Settings\Temp\~DFA1CE.tmp not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\mcafee_9lmN4BYKXb3ONL9 not found!
File C:\WINDOWS\temp\mcmsc_0JbmRjKsCNexLDy not found!
File C:\WINDOWS\temp\mcmsc_aPOLIXr43hYzw28 not found!
File C:\WINDOWS\temp\mcmsc_Cns2FGLOa1kwhNF not found!
File C:\WINDOWS\temp\mcmsc_EfL4gBx7ZXnldQm not found!
C:\WINDOWS\temp\mcmsc_UDJddKEZFqLz1ba moved successfully.


ComboFix 08-05-24.1 - Margaret 2008-05-25 9:19:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.56 [GMT -4:00]
Running from: C:\Documents and Settings\Margaret\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Margaret\err.log
C:\WINDOWS\config.ini
C:\WINDOWS\hosts
C:\WINDOWS\system32\bsnzafqa.bin
C:\WINDOWS\system32\cfg.dat

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_NPF
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-23 10:08 . 2008-05-23 10:08 3,072 --a------ C:\WINDOWS\zyscfutkqew.exe
2008-05-21 06:50 . 2008-05-21 06:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 20:55 . 2008-05-20 20:56 <DIR> d-------- C:\Program Files\Panda Security
2008-05-20 17:59 . 2008-05-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-20 17:58 . 2008-05-24 17:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 17:58 . 2008-05-20 17:58 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\SUPERAntiSpyware.com
2008-05-20 17:56 . 2008-05-20 17:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 05:59 . 2008-05-20 05:59 30,208 --a------ C:\WINDOWS\qttasks.exe
2008-05-20 05:59 . 2008-05-20 05:59 21,504 --a------ C:\WINDOWS\quicken.exe
2008-05-19 21:18 . 2008-05-19 21:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 21:18 . 2008-05-19 21:18 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\Malwarebytes
2008-05-19 21:18 . 2008-05-19 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 21:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-19 21:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-19 20:44 . 2008-05-20 05:57 22,784 --a------ C:\WINDOWS\waol.exe
2008-05-19 17:48 . 2008-05-19 18:04 4,458 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-19 17:47 . 2008-05-19 17:45 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-05-19 17:47 . 2008-05-19 17:45 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-19 17:47 . 2008-05-19 17:45 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-05-19 17:47 . 2008-05-19 17:44 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-05-19 17:47 . 2008-05-19 17:44 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-05-19 17:47 . 2008-05-19 17:44 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-19 17:47 . 2008-05-19 17:44 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-05-19 17:47 . 2008-05-19 17:45 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-05-18 23:38 . 2008-05-20 17:10 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\uTorrent
2008-05-18 21:00 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-18 09:52 . 2008-05-18 09:52 <DIR> d-------- C:\Program Files\uTorrent
2008-05-18 09:52 . 2002-08-29 07:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-05-16 06:37 . 2008-05-16 06:37 197 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-04-29 20:43 . 2008-04-29 20:43 <DIR> d-------- C:\Program Files\ItsDeductible2006
2008-04-29 20:12 . 2008-04-29 20:23 <DIR> d-------- C:\TurboTax2006Premier
2008-04-25 21:34 . 2008-04-25 21:34 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 13:16 --------- d-----w C:\Documents and Settings\Margaret\Application Data\SiteAdvisor
2008-05-19 04:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-19 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-19 03:29 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Neopets Toolbar
2008-05-18 22:08 --------- d-----w C:\Program Files\RegistryFix
2008-05-15 01:01 1,882,621 ----a-w C:\WINDOWS\JAVA\Packages\CRPF7HRB.ZIP
2008-05-13 00:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 00:30 --------- d-----w C:\Program Files\QUICKENW
2008-05-08 01:06 2,046,320 ----a-w C:\WINDOWS\JAVA\Packages\LRHJHV9B.ZIP
2008-05-08 00:24 1,968,111 ----a-w C:\WINDOWS\JAVA\Packages\JDBL3RDB.ZIP
2008-05-07 02:39 5,483 ----a-w C:\WINDOWS\JAVA\Packages\HNJJ7HFD.ZIP
2008-05-07 02:39 3,502,787 ----a-w C:\WINDOWS\JAVA\Packages\W4EAL357.ZIP
2008-05-06 02:54 --------- d-----w C:\Program Files\Oberon Media
2008-05-06 02:43 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Pogo Games
2008-05-02 21:31 2,202,158 ----a-w C:\WINDOWS\JAVA\Packages\D3T7NDV3.ZIP
2008-04-30 00:36 --------- d-----w C:\Program Files\TurboTax
2008-04-27 15:24 1,946,947 ----a-w C:\WINDOWS\JAVA\Packages\XJ1ZZ1B1.ZIP
2008-04-26 12:21 2,077,832 ----a-w C:\WINDOWS\JAVA\Packages\7TRXBLVB.ZIP
2008-04-26 01:30 --------- d-----w C:\Program Files\Common Files\Real
2008-04-25 00:21 2,489,158 ----a-w C:\WINDOWS\JAVA\Packages\XN1BTFB7.ZIP
2008-04-12 21:19 5,483 ----a-w C:\WINDOWS\JAVA\Packages\BNVFDJLZ.ZIP
2008-04-11 01:21 5,483 ----a-w C:\WINDOWS\JAVA\Packages\DZ77XJV3.ZIP
2008-04-11 01:21 2,998,092 ----a-w C:\WINDOWS\JAVA\Packages\VLFDBRZR.ZIP
2008-04-10 22:32 --------- d-----w C:\Program Files\Java
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-26 21:26 2,685,378 ----a-w C:\WINDOWS\JAVA\Packages\SYC3J3HV.ZIP
2008-03-26 00:29 1,853,181 ----a-w C:\WINDOWS\JAVA\Packages\T7RLB1NX.ZIP
2008-03-19 22:53 2,776,859 ----a-w C:\WINDOWS\JAVA\Packages\2PBLN3T7.ZIP
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-12 21:06 2,366,477 ----a-w C:\WINDOWS\JAVA\Packages\83BNBR9N.ZIP
2008-03-05 22:12 2,066,500 ----a-w C:\WINDOWS\JAVA\Packages\3DVBXVV9.ZIP
2008-03-04 23:36 1,947,138 ----a-w C:\WINDOWS\JAVA\Packages\DBDBBNPJ.ZIP
2008-03-04 22:42 2,871,058 ----a-w C:\WINDOWS\JAVA\Packages\6IHZF9RX.ZIP
2008-03-03 03:39 1,982,909 ----a-w C:\WINDOWS\JAVA\Packages\22TF3FPR.ZIP
2008-02-27 00:48 1,116,297 ----a-w C:\WINDOWS\JAVA\Packages\W9RHNN7N.ZIP
2007-01-16 02:17 6,056 -c--a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2003-02-10 20:06 207,759 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM95\aim.exe" [2005-06-02 01:34 67160]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 18:44 679936]
"QAGENT"="C:\Program Files\QUICKENW\QAGENT.EXE" [ ]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [1998-07-22 03:50 35328]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-27 20:34 77824]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-08-21 19:10 380928]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43 407032]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-02-08 22:39 36904]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33 582992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 21:20 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\Margaret\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2005-01-21 10:03:00 372224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-07-05 22:24:31 217088]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-02-10 15:59:51 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24 237568]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2008-02-05 14:29:20 54512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\YOP\\yop.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 12:42]
S0 antispyware;antispyware;C:\WINDOWS\system32\DRIVERS\antispyware.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 14:45:49 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-04-15 05:24:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-01 05:02:34 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-25 13:39:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 09:36:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
.
**************************************************************************
.
Completion time: 2008-05-25 9:52:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 13:52:32

Pre-Run: 41,337,372,672 bytes free
Post-Run: 41,238,421,504 bytes free

210 --- E O F --- 2008-05-23 10:38:30

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:58 AM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Addiction by pogo - http://game3.pogo.co...ction-en_US.cab
O16 - DPF: Bingo Luau by pogo - http://game3.pogo.co...bingo-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...kjack-en_US.cab
O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.co...jack2-en_US.cab
O16 - DPF: Bowling by pogo -
  • 0

#7
Essexboy
Posted 25 May 2008 - 08:25 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi again - you keep cutting of the end of your Hijackthis log. Could you please post it in its entirety :)

To reset your wallpaper just right click anywhere on your desktop and then select a new wallpaper or

Open the Control Panel.
Open Display Properties.
Click the Desktop tab.
Click the Customize Desktop button.
Click the Web tab in the Desktop Items window.
Make sure all checkboxes in this window are un-checked including My Current Homepage.
Restart your computer.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\zyscfutkqew.exe
C:\WINDOWS\JAVA\Packages\CRPF7HRB.ZIP
C:\WINDOWS\JAVA\Packages\LRHJHV9B.ZIP
C:\WINDOWS\JAVA\Packages\JDBL3RDB.ZIP
C:\WINDOWS\JAVA\Packages\HNJJ7HFD.ZIP
C:\WINDOWS\JAVA\Packages\W4EAL357.ZIP
C:\WINDOWS\JAVA\Packages\D3T7NDV3.ZIP
C:\WINDOWS\JAVA\Packages\XJ1ZZ1B1.ZIP
C:\WINDOWS\JAVA\Packages\7TRXBLVB.ZIP
C:\WINDOWS\JAVA\Packages\XN1BTFB7.ZIP
C:\WINDOWS\JAVA\Packages\BNVFDJLZ.ZIP
C:\WINDOWS\JAVA\Packages\DZ77XJV3.ZIP
C:\WINDOWS\JAVA\Packages\VLFDBRZR.ZIP
C:\WINDOWS\JAVA\Packages\SYC3J3HV.ZIP
C:\WINDOWS\JAVA\Packages\T7RLB1NX.ZIP
C:\WINDOWS\JAVA\Packages\2PBLN3T7.ZIP
C:\WINDOWS\JAVA\Packages\83BNBR9N.ZIP
C:\WINDOWS\JAVA\Packages\3DVBXVV9.ZIP
C:\WINDOWS\JAVA\Packages\DBDBBNPJ.ZIP
C:\WINDOWS\JAVA\Packages\6IHZF9RX.ZIP
C:\WINDOWS\JAVA\Packages\22TF3FPR.ZIP
C:\WINDOWS\JAVA\Packages\W9RHNN7N.ZIP

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

How is your computer running now ?
  • 0

#8
mmscully
Posted 25 May 2008 - 11:03 AM

mmscully

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi,
Thanks so much for your help. Sorry about the HiJjackThis log, I'll try to get it all in this time. I know how to change the wallpaper, was just letting you know what was happening. I haven't tried to really use the computer as I didn't know if it was safe to do so. Here are the most recent Combofix and HijackThis logs. :)

ComboFix 08-05-24.1 - Margaret 2008-05-25 12:29:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -4:00]
Running from: C:\Documents and Settings\Margaret\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Margaret\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\JAVA\Packages\22TF3FPR.ZIP
C:\WINDOWS\JAVA\Packages\2PBLN3T7.ZIP
C:\WINDOWS\JAVA\Packages\3DVBXVV9.ZIP
C:\WINDOWS\JAVA\Packages\6IHZF9RX.ZIP
C:\WINDOWS\JAVA\Packages\7TRXBLVB.ZIP
C:\WINDOWS\JAVA\Packages\83BNBR9N.ZIP
C:\WINDOWS\JAVA\Packages\BNVFDJLZ.ZIP
C:\WINDOWS\JAVA\Packages\CRPF7HRB.ZIP
C:\WINDOWS\JAVA\Packages\D3T7NDV3.ZIP
C:\WINDOWS\JAVA\Packages\DBDBBNPJ.ZIP
C:\WINDOWS\JAVA\Packages\DZ77XJV3.ZIP
C:\WINDOWS\JAVA\Packages\HNJJ7HFD.ZIP
C:\WINDOWS\JAVA\Packages\JDBL3RDB.ZIP
C:\WINDOWS\JAVA\Packages\LRHJHV9B.ZIP
C:\WINDOWS\JAVA\Packages\SYC3J3HV.ZIP
C:\WINDOWS\JAVA\Packages\T7RLB1NX.ZIP
C:\WINDOWS\JAVA\Packages\VLFDBRZR.ZIP
C:\WINDOWS\JAVA\Packages\W4EAL357.ZIP
C:\WINDOWS\JAVA\Packages\W9RHNN7N.ZIP
C:\WINDOWS\JAVA\Packages\XJ1ZZ1B1.ZIP
C:\WINDOWS\JAVA\Packages\XN1BTFB7.ZIP
C:\WINDOWS\zyscfutkqew.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\JAVA\Packages\22TF3FPR.ZIP
C:\WINDOWS\JAVA\Packages\2PBLN3T7.ZIP
C:\WINDOWS\JAVA\Packages\3DVBXVV9.ZIP
C:\WINDOWS\JAVA\Packages\6IHZF9RX.ZIP
C:\WINDOWS\JAVA\Packages\7TRXBLVB.ZIP
C:\WINDOWS\JAVA\Packages\83BNBR9N.ZIP
C:\WINDOWS\JAVA\Packages\BNVFDJLZ.ZIP
C:\WINDOWS\JAVA\Packages\CRPF7HRB.ZIP
C:\WINDOWS\JAVA\Packages\D3T7NDV3.ZIP
C:\WINDOWS\JAVA\Packages\DBDBBNPJ.ZIP
C:\WINDOWS\JAVA\Packages\DZ77XJV3.ZIP
C:\WINDOWS\JAVA\Packages\HNJJ7HFD.ZIP
C:\WINDOWS\JAVA\Packages\JDBL3RDB.ZIP
C:\WINDOWS\JAVA\Packages\LRHJHV9B.ZIP
C:\WINDOWS\JAVA\Packages\SYC3J3HV.ZIP
C:\WINDOWS\JAVA\Packages\T7RLB1NX.ZIP
C:\WINDOWS\JAVA\Packages\VLFDBRZR.ZIP
C:\WINDOWS\JAVA\Packages\W4EAL357.ZIP
C:\WINDOWS\JAVA\Packages\W9RHNN7N.ZIP
C:\WINDOWS\JAVA\Packages\XJ1ZZ1B1.ZIP
C:\WINDOWS\JAVA\Packages\XN1BTFB7.ZIP
C:\WINDOWS\zyscfutkqew.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-21 06:50 . 2008-05-21 06:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 20:55 . 2008-05-20 20:56 <DIR> d-------- C:\Program Files\Panda Security
2008-05-20 17:59 . 2008-05-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-20 17:58 . 2008-05-24 17:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 17:58 . 2008-05-20 17:58 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\SUPERAntiSpyware.com
2008-05-20 17:56 . 2008-05-20 17:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 05:59 . 2008-05-20 05:59 30,208 --a------ C:\WINDOWS\qttasks.exe
2008-05-20 05:59 . 2008-05-20 05:59 21,504 --a------ C:\WINDOWS\quicken.exe
2008-05-19 21:18 . 2008-05-19 21:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 21:18 . 2008-05-19 21:18 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\Malwarebytes
2008-05-19 21:18 . 2008-05-19 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 21:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-19 21:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-19 20:44 . 2008-05-20 05:57 22,784 --a------ C:\WINDOWS\waol.exe
2008-05-19 17:48 . 2008-05-19 18:04 4,458 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-19 17:47 . 2008-05-19 17:45 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-05-19 17:47 . 2008-05-19 17:45 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-19 17:47 . 2008-05-19 17:45 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-05-19 17:47 . 2008-05-19 17:44 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-05-19 17:47 . 2008-05-19 17:44 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-05-19 17:47 . 2008-05-19 17:44 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-19 17:47 . 2008-05-19 17:44 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-05-19 17:47 . 2008-05-19 17:45 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-05-18 23:38 . 2008-05-20 17:10 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\uTorrent
2008-05-18 21:00 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-18 09:52 . 2008-05-18 09:52 <DIR> d-------- C:\Program Files\uTorrent
2008-05-18 09:52 . 2002-08-29 07:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-05-16 06:37 . 2008-05-16 06:37 197 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-04-29 20:43 . 2008-04-29 20:43 <DIR> d-------- C:\Program Files\ItsDeductible2006
2008-04-29 20:12 . 2008-04-29 20:23 <DIR> d-------- C:\TurboTax2006Premier
2008-04-25 21:34 . 2008-04-25 21:34 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 16:22 --------- d-----w C:\Documents and Settings\Margaret\Application Data\SiteAdvisor
2008-05-19 04:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-19 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-19 03:29 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Neopets Toolbar
2008-05-18 22:08 --------- d-----w C:\Program Files\RegistryFix
2008-05-13 00:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 00:30 --------- d-----w C:\Program Files\QUICKENW
2008-05-06 02:54 --------- d-----w C:\Program Files\Oberon Media
2008-05-06 02:43 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Pogo Games
2008-04-30 00:36 --------- d-----w C:\Program Files\TurboTax
2008-04-26 01:30 --------- d-----w C:\Program Files\Common Files\Real
2008-04-10 22:32 --------- d-----w C:\Program Files\Java
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2007-01-16 02:17 6,056 -c--a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2003-02-10 20:06 207,759 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_ 9.51.37.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 13:34:12 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-25 16:38:15 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM95\aim.exe" [2005-06-02 01:34 67160]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 18:44 679936]
"QAGENT"="C:\Program Files\QUICKENW\QAGENT.EXE" [ ]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [1998-07-22 03:50 35328]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-27 20:34 77824]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-08-21 19:10 380928]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43 407032]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-02-08 22:39 36904]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33 582992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 21:20 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\Margaret\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2005-01-21 10:03:00 372224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-07-05 22:24:31 217088]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-02-10 15:59:51 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24 237568]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2008-02-05 14:29:20 54512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\YOP\\yop.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 12:42]
S0 antispyware;antispyware;C:\WINDOWS\system32\DRIVERS\antispyware.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 14:45:49 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-04-15 05:24:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-01 05:02:34 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-25 16:42:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 12:39:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\SAMLIB.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
.
**************************************************************************
.
Completion time: 2008-05-25 12:56:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 16:56:18
ComboFix2.txt 2008-05-25 13:52:47

Pre-Run: 41,212,039,168 bytes free
Post-Run: 41,206,808,576 bytes free

230 --- E O F --- 2008-05-23 10:38:30


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:11 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Addiction by pogo - http://game3.pogo.co...ction-en_US.cab
O16 - DPF: Bingo Luau by pogo - http://game3.pogo.co...bingo-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...kjack-en_US.cab
O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.co...jack2-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.co...wling-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.co...nasta-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game3.pogo.co...z/ytz-en_US.cab
O16 - DPF: Dominoes v2 by pogo - http://game3.pogo.co...mino2-en_US.cab
O16 - DPF: Euchre by pogo - http://game3.pogo.co...uchre-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game3.pogo.co...bingo-en_US.cab
O16 - DPF: Golf Solitaire by pogo - http://game3.pogo.co...taire-en_US.cab
O16 - DPF: High Stakes Pool by pogo - http://game3.pogo.co.../pool-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...ottso-en_US.cab
O16 - DPF: Mahjong Safari by Pogo - http://game3.pogo.co...afari-en_US.cab
O16 - DPF: Makeover Madness by pogo - http://game1.pogo.co...shoes-en_US.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.co...ochle-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...popfu-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.co...treak-en_US.cab
O16 - DPF: Spades 2 by pogo - http://game3.pogo.co...ades2-en_US.cab
O16 - DPF: Squelchies by pogo - http://game3.pogo.co...chies-en_US.cab
O16 - DPF: Super Dominoes by pogo - http://game1.pogo.co...omino-en_US.cab
O16 - DPF: Sweet Tooth 2 by Pogo - http://game1.pogo.co...ooth2-en_US.cab
O16 - DPF: Thousand Island Solitaire by pogo - http://game1.pogo.co...lbrae-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game3.pogo.co...peaks-en_US.cab
O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.co...rbo22-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.co...ories-en_US.cab
O16 - DPF: Word Search Daily by pogo - http://game3.pogo.co...earch-en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182203961828
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://71.254.156.21...sCamControl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...338/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 13194 bytes
  • 0

#9
Essexboy
Posted 25 May 2008 - 11:11 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Nicely done :)

Sorry about the HiJjackThis log, I'll try to get it all in this time. I know how to change the wallpaper, was just letting you know what was happening. I haven't tried to really use the computer as I didn't know if it was safe to do so. Here are the most recent Combofix and HijackThis logs.

No problem there, as we have people coming here with varying degrees of knowledge and we generally run it at the lowest common denominator until we can see better :)

What I will do now is run a sweep to clear the orphan registry entries and to ensure that nothing has slipped by me

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Logs required : MBAM and how is your computer running now ?
  • 0

#10
mmscully
Posted 25 May 2008 - 11:41 AM

mmscully

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thank you again for your help. :) The computer seems to be running okay and even seems a little faster loading pages on the internet. What should I be running on my computer to avoid having a recurrence of this problem? I run McAfee and keep my subscription current and use automatic downloads. Should I keep any of these programs that I downloaded for this process? I am so glad that I found this website. Your help has been invaluable. Here is the Malwarebytes' Log. :)

Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Quick Scan
Objects scanned: 39640
Time elapsed: 10 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

Advertisements

#11
Essexboy
Posted 25 May 2008 - 11:51 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
In the words of the immoral bard ....

Now the best part of the day ----- Your log now appears clean :)

Double click OTScanit once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTScanit wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself. Malwarebytes can be removed via control panel

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)
  • 0

#12
mmscully
Posted 25 May 2008 - 07:23 PM

mmscully

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks again for your help. The computer seems to be working faster however I am not sure if everything is gone. When we were on earlier today there were some pop-ups that came up. I ran the Malaware program and it showed some items. I quarantined them and I will add the log for you to see. I have updated windows and it downloaded Service pack 3. Is this okay? Sorry to be such a pest but I want to make sure I do this correctly. Thanks again.

Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Quick Scan
Objects scanned: 41253
Time elapsed: 23 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
  • 0

#13
Essexboy
Posted 26 May 2008 - 04:18 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Where did they come from ? as they were not there on the last run

Lets re-run Combofix and see what that shows

Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#14
mmscully
Posted 26 May 2008 - 10:34 AM

mmscully

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here we go again. Hopefully I'm just being neurotic.

ComboFix 08-05-25.4 - Margaret 2008-05-26 9:32:26.3 - NTFSx86
Running from: C:\Documents and Settings\Margaret\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiSpywareApp
C:\Program Files\AntiSpywareApp\AntiSpyware.exe
C:\Program Files\AntiSpywareApp\AntiSpyware.url
C:\Program Files\AntiSpywareApp\DataBase.ref
C:\Program Files\AntiSpywareApp\Difxapi.dll
C:\Program Files\AntiSpywareApp\FilterDrv\AntiSpyware.amd64.sys
C:\Program Files\AntiSpywareApp\FilterDrv\AntiSpyware.cat
C:\Program Files\AntiSpywareApp\FilterDrv\AntiSpyware.inf
C:\Program Files\AntiSpywareApp\FilterDrv\AntiSpyware.x86.sys
C:\Program Files\AntiSpywareApp\SpyCleaner.dll
C:\Program Files\AntiSpywareApp\TCL.dll
C:\Program Files\AntiSpywareApp\vistaCPtasks.xml
C:\Program Files\AntiSpywareApp\zlib.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-25 20:57 . 2008-05-25 23:01 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\Antispyware
2008-05-25 20:11 . 2008-05-25 20:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-25 20:11 . 2008-05-25 20:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-25 20:11 . 2008-05-25 20:11 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-25 19:33 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-05-25 19:33 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-05-25 19:33 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-05-25 19:33 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-05-25 19:33 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-05-25 19:33 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-05-25 19:31 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-05-25 19:30 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-05-25 18:10 . 2008-05-25 18:17 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-21 06:50 . 2008-05-21 06:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 20:55 . 2008-05-20 20:56 <DIR> d-------- C:\Program Files\Panda Security
2008-05-20 17:59 . 2008-05-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-20 17:58 . 2008-05-25 20:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 17:58 . 2008-05-20 17:58 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\SUPERAntiSpyware.com
2008-05-20 17:56 . 2008-05-20 17:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-19 21:18 . 2008-05-19 21:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 21:18 . 2008-05-19 21:18 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\Malwarebytes
2008-05-19 21:18 . 2008-05-19 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 21:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-19 21:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-19 17:47 . 2008-05-19 17:45 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-19 17:47 . 2008-05-19 17:44 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-18 23:38 . 2008-05-20 17:10 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\uTorrent
2008-05-18 21:00 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-18 09:52 . 2008-05-18 09:52 <DIR> d-------- C:\Program Files\uTorrent
2008-05-18 09:52 . 2002-08-29 07:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-05-16 06:37 . 2008-05-16 06:37 197 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-04-29 20:43 . 2008-04-29 20:43 <DIR> d-------- C:\Program Files\ItsDeductible2006
2008-04-29 20:12 . 2008-04-29 20:23 <DIR> d-------- C:\TurboTax2006Premier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 22:44 --------- d-----w C:\Documents and Settings\Margaret\Application Data\SiteAdvisor
2008-05-19 04:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-19 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-19 03:29 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Neopets Toolbar
2008-05-18 22:08 --------- d-----w C:\Program Files\RegistryFix
2008-05-13 00:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 00:30 --------- d-----w C:\Program Files\QUICKENW
2008-05-06 02:54 --------- d-----w C:\Program Files\Oberon Media
2008-05-06 02:43 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Pogo Games
2008-04-30 00:36 --------- d-----w C:\Program Files\TurboTax
2008-04-26 01:34 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-26 01:30 --------- d-----w C:\Program Files\Common Files\Real
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ------w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:41 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys
.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29, on 2008-05-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Antispyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Addiction by pogo - http://game3.pogo.co...ction-en_US.cab
O16 - DPF: Bingo Luau by pogo - http://game3.pogo.co...bingo-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...kjack-en_US.cab
O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.co...jack2-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.co...wling-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.co...nasta-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game3.pogo.co...z/ytz-en_US.cab
O16 - DPF: Dominoes v2 by pogo - http://game3.pogo.co...mino2-en_US.cab
O16 - DPF: Euchre by pogo - http://game3.pogo.co...uchre-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game3.pogo.co...bingo-en_US.cab
O16 - DPF: Golf Solitaire by pogo - http://game3.pogo.co...taire-en_US.cab
O16 - DPF: High Stakes Pool by pogo - http://game3.pogo.co.../pool-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...ottso-en_US.cab
O16 - DPF: Mahjong Safari by Pogo - http://game3.pogo.co...afari-en_US.cab
O16 - DPF: Makeover Madness by pogo - http://game1.pogo.co...shoes-en_US.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.co...ochle-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...popfu-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.co...treak-en_US.cab
O16 - DPF: Spades 2 by pogo - http://game3.pogo.co...ades2-en_US.cab
O16 - DPF: Squelchies by pogo - http://game3.pogo.co...chies-en_US.cab
O16 - DPF: Super Dominoes by pogo - http://game1.pogo.co...omino-en_US.cab
O16 - DPF: Sweet Tooth 2 by Pogo - http://game1.pogo.co...ooth2-en_US.cab
O16 - DPF: Thousand Island Solitaire by pogo - http://game1.pogo.co...lbrae-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game3.pogo.co...peaks-en_US.cab
O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.co...rbo22-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.co...ories-en_US.cab
O16 - DPF: Word Search Daily by pogo - http://game3.pogo.co...earch-en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182203961828
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://71.254.156.21...sCamControl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...338/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 13366 bytes
  • 0

#15
Essexboy
Posted 26 May 2008 - 11:37 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi again, looking at the logs a rogue antispy programme was downloaded at 2008-05-25 23:01 which was a few hours prior to you posting your last problem, but after downloading SP3. Was this intentional or did someone else download it ?


Anyways lets finish clearing it


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [Antispyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Margaret\Application Data\Antispyware
C:\Program Files\AntiSpywareApp
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

I will need to do another deep search to ensure that it is all rooted out

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • File - Additional Folder Scans
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP