virtumonde & virtumonde.dll
#1 idkidd (Member, 17 posts)

I've tried removing with Spybot and Ad-Aware to no avail. My internet access is crippled to where I cannot contact most sites (this one and Google, for example, are unreachable) and I have nuisance tabs being launched in both Explorer and Firefox. I don't know if this is related to the malware, but my icon in the system tray keeps telling me auto updates are turned off and my system is at risk; when I go to the area to turn it back on, auto updates already are turned on. Changing the selection doesn't seem to make any difference. Thanks in advance for your help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:40 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {012D7D23-E615-4809-98A4-89159CC9C34C} - (no file)
O2 - BHO: (no name) - {05397560-6209-469B-B96C-28DDC4BAB347} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12A2904F-6D26-40B7-A9FB-46BFA051F9EF} - C:\WINDOWS\system32\qoMcASlm.dll (file missing)
O2 - BHO: (no name) - {34B1FDE9-1133-4655-BD39-F0E95B43DF78} - (no file)
O2 - BHO: (no name) - {398412DA-371C-47C7-A7E2-B7B65874CBE7} - (no file)
O2 - BHO: (no name) - {3C709D9F-CDDE-4552-92D1-F12DF5B1DF04} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {42FA6415-837D-4D16-AF48-D15DCCFE83F4} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C3C74D6-CAD3-4FEC-8579-4CE6E4BBDC63} - (no file)
O2 - BHO: (no name) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - (no file)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - C:\WINDOWS\system32\awtstrp.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {9AA5A5E5-6D2B-44F2-AA0F-5546ABED8D09} - (no file)
O2 - BHO: (no name) - {a785f416-ac29-44a2-be67-3cd8944d4047} - (no file)
O2 - BHO: (no name) - {AFFCA731-8265-4930-9DD9-954DBADF8108} - (no file)
O2 - BHO: (no name) - {B60FF9A7-3ECF-4B99-B48C-A4B22A4A8507} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: (no name) - {B613E05F-EC2C-4C86-B60E-7BAF07B3F5F2} - C:\WINDOWS\system32\efcYrrSi.dll (file missing)
O2 - BHO: (no name) - {B95EA413-C3E1-4ABD-B40B-571CACE9D0C1} - (no file)
O2 - BHO: (no name) - {BC4BCF9A-090F-4865-8DFE-A9F627B1FF02} - (no file)
O2 - BHO: (no name) - {EDC8CFF3-ADDF-4DE5-AD87-02B81775A88A} - C:\WINDOWS\system32\khfDspMC.dll (file missing)
O2 - BHO: (no name) - {EF68646F-6C16-49BE-9D29-0D20096C56A9} - C:\WINDOWS\system32\ljJYPjif.dll (file missing)
O2 - BHO: (no name) - {F013C96C-CF2A-4FBE-BE27-3FBE3D7A5DBC} - (no file)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\cbXNDvst.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\ocntqkdm.exe
O4 - HKLM\..\Run: [00d6281d] rundll32.exe "C:\WINDOWS\system32\pjasslaw.dll",b
O4 - HKLM\..\Run: [BM03e51b81] Rundll32.exe "C:\WINDOWS\system32\clmsgikn.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: http://*.rapmls.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: https://*.webconference.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...e/w4sgeen10.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\LYNNZE~1\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://66.192.131.66/msrdp.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cbu.webex.co...ing/ieatgpc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: awtstrp - awtstrp.dll (file missing)
O20 - Winlogon Notify: cbXNDvst - C:\WINDOWS\SYSTEM32\cbXNDvst.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 12985 bytes
#2 Tal (Trusted Helper, Retired Staff, 2,138 posts)

Hello, welcome to GeeksToGo! :)

My name is Tal, and I will be helping you in the process of removing malware from your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask! :)

You may also want to Track This Topic. This feature of the forum will send out an email to the email address you've signed up with as soon as I reply, so you can be notified of my reply. To do this, please locate the Options menu, located just under the New Topic and New Reply icons. Once you've found it, click it, and choose Track This Topic from the dropdown menu (the first option). In the page that appears after you have clicked Track This Topic, select Immediate Email Notification, then click Proceed.

Your computer is pretty infected, with what looks like the latest variant of Vundo and several advertisement programs. Let's see what we can do :)

Step 1: Disabling Spybot's TeaTimer

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Please re-enable TeaTimer when we're done with the fix.

Step 2: Fixing entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)

O2 - BHO: (no name) - {012D7D23-E615-4809-98A4-89159CC9C34C} - (no file)
O2 - BHO: (no name) - {05397560-6209-469B-B96C-28DDC4BAB347} - (no file)
O2 - BHO: (no name) - {12A2904F-6D26-40B7-A9FB-46BFA051F9EF} - C:\WINDOWS\system32\qoMcASlm.dll (file missing)
O2 - BHO: (no name) - {34B1FDE9-1133-4655-BD39-F0E95B43DF78} - (no file)
O2 - BHO: (no name) - {398412DA-371C-47C7-A7E2-B7B65874CBE7} - (no file)
O2 - BHO: (no name) - {3C709D9F-CDDE-4552-92D1-F12DF5B1DF04} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {42FA6415-837D-4D16-AF48-D15DCCFE83F4} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {9AA5A5E5-6D2B-44F2-AA0F-5546ABED8D09} - (no file)
O2 - BHO: (no name) - {a785f416-ac29-44a2-be67-3cd8944d4047} - (no file)
O2 - BHO: (no name) - {AFFCA731-8265-4930-9DD9-954DBADF8108} - (no file)
O2 - BHO: (no name) - {B60FF9A7-3ECF-4B99-B48C-A4B22A4A8507} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: (no name) - {B613E05F-EC2C-4C86-B60E-7BAF07B3F5F2} - C:\WINDOWS\system32\efcYrrSi.dll (file missing)
O2 - BHO: (no name) - {B95EA413-C3E1-4ABD-B40B-571CACE9D0C1} - (no file)
O2 - BHO: (no name) - {BC4BCF9A-090F-4865-8DFE-A9F627B1FF02} - (no file)
O2 - BHO: (no name) - {EDC8CFF3-ADDF-4DE5-AD87-02B81775A88A} - C:\WINDOWS\system32\khfDspMC.dll (file missing)
O2 - BHO: (no name) - {EF68646F-6C16-49BE-9D29-0D20096C56A9} - C:\WINDOWS\system32\ljJYPjif.dll (file missing)
O2 - BHO: (no name) - {F013C96C-CF2A-4FBE-BE27-3FBE3D7A5DBC} - (no file)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\cbXNDvst.dll
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\ocntqkdm.exe
O4 - HKLM\..\Run: [00d6281d] rundll32.exe "C:\WINDOWS\system32\pjasslaw.dll",b
O4 - HKLM\..\Run: [BM03e51b81] Rundll32.exe "C:\WINDOWS\system32\clmsgikn.dll",s
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...e/w4sgeen10.exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: awtstrp - awtstrp.dll (file missing)
O20 - Winlogon Notify: cbXNDvst - C:\WINDOWS\SYSTEM32\cbXNDvst.dll


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

Step 3: The Avenger

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\system32\cbXNDvst.dll
C:\Program Files\RcvSystem
C:\Program Files\Router
C:\WINDOWS\SYSTEM32\ocntqkdm.exe 
C:\WINDOWS\system32\pjasslaw.dll
C:\WINDOWS\system32\clmsgikn.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Step 4: Running DelDomains

Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

Step 5: Updating Java

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Step 6: Scanning with DSS

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

Summary

In your next reply, please include the following:
  • DSS logs.

Regards,

Tal :)

Edited by Tal, 02 June 2008 - 09:50 AM.

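The fix list in the reply above is built from patterns that can be read straight off the log: BHO CLSIDs with no file behind them, unnamed BHOs sitting in system32, Run values with hex-looking names that load a system32 DLL through rundll32 by a one-letter export, a text/html filter hijack, and a Winlogon Notify DLL that is also registered as a BHO. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool the helper used. It encodes those rules so the same triage can be repeated on another log. The sample lines are copied from the log posted above (with one benign entry per section); the rule set, the Finding class and the fix/review labels are my own choices. The rules deliberately do not try to judge executable names, so the ExploreUpdSched entry the helper ticked is left for a human.

```python
"""
Triage a HijackThis 2.x log with the rules a helper applies by eye.
Example code written for this page; not part of HijackThis or the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted in the thread, plus
# one benign entry per section so the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {012D7D23-E615-4809-98A4-89159CC9C34C} - (no file)
O2 - BHO: (no name) - {12A2904F-6D26-40B7-A9FB-46BFA051F9EF} - C:\WINDOWS\system32\qoMcASlm.dll (file missing)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\cbXNDvst.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [00d6281d] rundll32.exe "C:\WINDOWS\system32\pjasslaw.dll",b
O4 - HKLM\..\Run: [BM03e51b81] Rundll32.exe "C:\WINDOWS\system32\clmsgikn.dll",s
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\ocntqkdm.exe
O15 - Trusted Zone: *.trustedantivirus.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: awtstrp - awtstrp.dll (file missing)
O20 - Winlogon Notify: cbXNDvst - C:\WINDOWS\SYSTEM32\cbXNDvst.dll
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
"""


@dataclass(frozen=True)
class Finding:
    verdict: str   # "fix": a helper would tick it; "review": needs a human decision
    reason: str
    line: str


SECTION = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
SYSTEM32 = re.compile(r"\\windows\\system32\\([^\\\s\"]+)", re.IGNORECASE)
# rundll32.exe "<dll>",<export>  where the export name is one or two characters
RUNDLL = re.compile(r'rundll32\.exe\s+"([^"]+)",\s*(\w{1,2})\s*$', re.IGNORECASE)
# Run value names such as [00d6281d] or [BM03e51b81] instead of a product name
HEX_RUN_NAME = re.compile(r"^\[(BM)?[0-9a-f]{8}\]", re.IGNORECASE)


def _split(line):
    """Return (section tag, remainder) for a log line, e.g. ("O2", "BHO: ...")."""
    m = SECTION.match(line)
    return (m.group(1), m.group(2)) if m else (None, line)


def _system32_basename(text):
    """Lower-cased file name if the line references a file under system32."""
    m = SYSTEM32.search(text)
    return m.group(1).lower() if m else None


def triage(log_text):
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # First pass: DLLs that unnamed BHOs load from system32, so an O20 entry
    # pointing at the same DLL can be tied back to the BHO.
    bho_dlls = set()
    for line in lines:
        sec, body = _split(line)
        if sec == "O2" and "(no name)" in body:
            name = _system32_basename(body)
            if name:
                bho_dlls.add(name)

    findings = []
    for line in lines:
        sec, body = _split(line)
        missing = "(no file)" in body or "(file missing)" in body
        if sec == "O2":
            if missing:
                findings.append(Finding("fix", "BHO CLSID with no backing file", line))
            elif "(no name)" in body and _system32_basename(body):
                findings.append(Finding("fix", "unnamed BHO loaded from system32", line))
        elif sec == "O4":
            rest = body.split("Run:", 1)[-1].strip()   # "[name] command"
            m = RUNDLL.search(rest)
            if m and SYSTEM32.search(m.group(1)):
                findings.append(Finding("fix", "rundll32 calls a system32 DLL by export '%s'" % m.group(2), line))
            elif HEX_RUN_NAME.match(rest):
                findings.append(Finding("fix", "Run value name is a hex identifier", line))
        elif sec == "O15":
            findings.append(Finding("review", "domain added to the Trusted Zone", line))
        elif sec == "O18" and body.startswith("Filter hijack"):
            findings.append(Finding("fix", "MIME filter interposed on text/html", line))
        elif sec == "O20":
            if missing:
                findings.append(Finding("fix", "Winlogon Notify entry whose DLL is gone", line))
            elif _system32_basename(body) in bho_dlls:
                findings.append(Finding("fix", "same DLL registered as BHO and Winlogon Notify", line))
            else:
                findings.append(Finding("review", "Winlogon Notify DLL runs inside winlogon.exe", line))
    return findings


def counts(findings):
    """Return {"fix": n, "review": m} for a list of findings."""
    out = {"fix": 0, "review": 0}
    for f in findings:
        out[f.verdict] += 1
    return out


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print("%-6s %-48s %s" % (f.verdict, f.reason, f.line))
    print(counts(results))
```

Run against the sample it reports eight "fix" findings and one "review" (the O15 line). Every Trusted Zone entry gets "review" rather than "fix" on purpose: the helper does not decide domain by domain either, and Step 4's DelDomains.inf clears the zone wholesale. The Winlogon Notify cross-reference is the one rule that needs two passes, because the only thing that makes cbXNDvst.dll stand out in the O20 line is that the same file already appears as an unnamed BHO.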

#3 idkidd (Topic Starter, Member, 17 posts)

Hi Tal,

First, thanks so much for taking your time to help me and encouraging questions. I've not been through this type of thing before. I encountered a problem during STEP 2 in that, when I ran the new scan, a large number of the items you told me to check now no longer appear. I did not know if I should just deal with those that are still showing up or not so I wanted to ask. All I've done on this PC since posting my initial scan is surf the net on the sites I can still access and make some Skype calls so I am not sure if those things could have made changes on the new scan. Also, Spybot wants to run a new scan every time the computer starts so maybe one of those beginning scans could have caused this? Anyway, here is my new scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:12 AM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\ocntqkdm.exe
O4 - HKLM\..\Run: [00d6281d] rundll32.exe "C:\WINDOWS\system32\pjasslaw.dll",b
O4 - HKLM\..\Run: [BM03e51b81] Rundll32.exe "C:\WINDOWS\system32\cacljjxv.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: http://*.rapmls.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: https://*.webconference.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...e/w4sgeen10.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\LYNNZE~1\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://66.192.131.66/msrdp.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cbu.webex.co...ing/ieatgpc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 10224 bytes
  • 0
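As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage script for log lines in the format above: it parses the O2, O15, O16, O18 and O23 line shapes and flags the entries a helper looks at first. The regexes, field names and flagging rules are my own assumptions about the format; the sample lines are constructed from entries in this thread.

```python
"""Triage helper for HijackThis 2.0.x log lines (added example, not from the thread)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

CLSID = r"\{[0-9A-Fa-f-]+\}"

# Line shapes as they appear in the logs above; the group names are my own.
PATTERNS = {
    "O2":  re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O15": re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)(?: \((?P<hive>HKLM)\))?$"),
    "O16": re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>.*)\))? - (?P<url>\S+)$"),
    "O18": re.compile(rf"^O18 - (?P<kind>Protocol|Filter hijack): (?P<name>\S+) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line: str):
    """Return (section, fields) for a recognised line, else None."""
    line = line.strip()
    for section, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            return section, m.groupdict()
    return None


def _is_ip_literal(url: str) -> bool:
    """True when the download host is a bare IP address rather than a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(section: str, f: dict) -> Optional[str]:
    """Reason to flag this entry, or None when nothing stands out."""
    if section == "O2":
        if f["path"].endswith("(file missing)"):
            return "BHO still registered but its DLL is gone (orphaned hook)"
        if f["name"] == "(no name)":
            return "unnamed BHO"
    elif section == "O15":
        hive = f["hive"] or "HKCU"
        return f"site added to the IE Trusted Zone ({hive}), which relaxes security settings"
    elif section == "O16":
        if f["url"].lower().startswith("file://"):
            return "ActiveX control sourced from a local file path"
        if _is_ip_literal(f["url"]):
            return "ActiveX control downloaded from a bare IP address"
    elif section == "O18":
        if f["kind"] == "Filter hijack":
            return f"MIME filter on {f['name']} lets a DLL rewrite every page of that type"
    elif section == "O23":
        if f["vendor"] == "Unknown owner":
            return "service with no vendor string; verify the binary"
    return None


def triage(lines):
    """Run every recognised line through assess() and collect the flagged ones."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, fields = parsed
        reason = assess(section, fields)
        if reason:
            findings.append(Finding(section, reason, line.strip()))
    return findings


# Constructed sample: a mix of benign and suspicious entries taken from this thread's logs.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {3C709D9F-CDDE-4552-92D1-F12DF5B1DF04} - C:\WINDOWS\system32\ssqrq.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll",
    r"O15 - Trusted Zone: *.trustedantivirus.com",
    r"O15 - Trusted Zone: *.trustedantivirus.com (HKLM)",
    r"O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://66.192.131.66/msrdp.cab",
    r"O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\LYNNZE~1\LOCALS~1\Temp\IXP000.TMP\setup.cab",
    r"O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL",
    r"O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll",
    r"O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe",
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f"[{hit.section}] {hit.reason}\n    {hit.line}")
```

Entries the script flags still need a human decision; the thread shows that a legitimate vendor (McShield here) can also appear as "Unknown owner".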

#4
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
idkidd,

You're welcome :) As for your question: yes, it's possible that Spybot removed these entries. You can safely proceed with the fix when you can't find a certain entry - sometimes they are fixed by anti spyware products, like now.

Please re-do the steps above and ignore the missing O2 lines.

Tal
  • 0

#5
idkidd

idkidd

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi Tal,

I was able to get up to STEP 6; however, when I ran DSS, the message "dss.exe has encountered a problem and needs to close" popped up and the scan aborted. This occurs each time shortly after "Cleaning Temporary Files" appears in the DSS display. I downloaded dss again and tried with that file, but it did the same thing. I don't believe any other programs are running, as I see no others in the task manager.

The other thing I wanted to mention is that, when I ran DelDomains, it appeared to act on my install command in that my cursor turned into the hourglass, but I did not see anything beyond that -- an install process, I mean. I just wanted to make sure that is correct behavior.

Below is my Avenger scan from step 3:



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\mysidesearch_sidebar.dll" deleted successfully.
File "C:\WINDOWS\system32\cbXNDvst.dll" deleted successfully.

Error: "C:\Program Files\RcvSystem" is a folder, not a file!
Deletion of file "C:\Program Files\RcvSystem" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: file "C:\Program Files\Router" not found!
Deletion of file "C:\Program Files\Router" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\SYSTEM32\ocntqkdm.exe" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\ocntqkdm.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\pjasslaw.dll" not found!
Deletion of file "C:\WINDOWS\system32\pjasslaw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\clmsgikn.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0

#6
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi there - sorry for the delay. Had an important test.

Try running DSS now - after a few days have passed and the PC restarted a few times. I do need the log to see what's happening. If you can't run it, please include a fresh HijackThis log.

Regards,

Tal.
  • 0

#7
idkidd

idkidd

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi Tal,

It's still a no go. It crashes right after it begins "cleaning temporary files". Is there another utility I can try? This thread recommends OTScanIt when DSS had this problem.

http://www.cybertech...d.php?p=1003126

What do you think?
  • 0

#8
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Yup, we will use OTScanIt - it's just a bit long to read :)

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it. Save that file on your desktop for easy access.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to attach the log. Click the Browse button, then click the UPLOAD button. The upload should take a couple of seconds to a minute, depending on your connection speed.

Please don't post your log in the reply. It is very long and won't fit into one reply.
  • 0

#9
idkidd

idkidd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Here ya go!

Attached Files


  • 0

#10
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi,

Very sorry about the delay.

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> 00d6281d -> %SystemRoot%\SYSTEM32\ctrltkfc.dll [rundll32.exe "C:\WINDOWS\system32\ctrltkfc.dll",b]
YY -> BM03e51b81 -> %SystemRoot%\SYSTEM32\avvpnmce.dll [Rundll32.exe "C:\WINDOWS\system32\avvpnmce.dll",s]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {91223DE9-F8E6-4FFD-8889-BE6784C18696} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\awtstrp.dll []
YN -> {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\cbXNDvst.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> awtstrp -> 
YN -> cbXNDvst -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {12A2904F-6D26-40B7-A9FB-46BFA051F9EF} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\qoMcASlm.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {3B343E32-D0CC-42F7-9CFF-6F236B911C94} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\yayvWoMg.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {4D25F921-B9FE-4682-BF72-8AB8210D6D75} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll []
YN -> {53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection]
YN -> {B60FF9A7-3ECF-4B99-B48C-A4B22A4A8507} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\jkhhh.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {B613E05F-EC2C-4C86-B60E-7BAF07B3F5F2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\efcYrrSi.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {e87b7871-21fb-473f-b545-0a09584f1d3b} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\puajvtdl.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {EDC8CFF3-ADDF-4DE5-AD87-02B81775A88A} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\khfDspMC.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {EF68646F-6C16-49BE-9D29-0D20096C56A9} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ljJYPjif.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {1BAC9A2A-4755-43c3-A430-D3512C5B8A4E} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\QdrDrive\QdrDrive8.dll [Internet Speed Monitor]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {FABA076A-478A-4c32-A0A5-C774607901C2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\mysidesearch_sidebar.dll [ADPanel]
< Protocol Filters [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\
YY -> text/html:{07851C6A-1C43-41d9-8319-BC89154A8C00}[HKEY_LOCAL_MACHINE] -> %ProgramFiles%\RcvSystem\httpdchk.dll[Reg Error: Value  does not exist or could not be read.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
NY -> C:\WINDOWS\system32\yayvWoMg -> %SystemRoot%\SYSTEM32\yayvWoMg.dll
< BotCheck > -> 
[Files/Folders - Created Within 30 days]
NY -> afdpucfp.dll -> %SystemRoot%\System32\afdpucfp.dll
NY -> avvpnmce.dll -> %SystemRoot%\System32\avvpnmce.dll
NY -> bjrhntqg.dll -> %SystemRoot%\System32\bjrhntqg.dll
NY -> bmcursqf.dll -> %SystemRoot%\System32\bmcursqf.dll
NY -> bpxjxikl.dll -> %SystemRoot%\System32\bpxjxikl.dll
NY -> bpybjcei.dll -> %SystemRoot%\System32\bpybjcei.dll
NY -> cacljjxv.dll -> %SystemRoot%\System32\cacljjxv.dll
NY -> cfktlrtc.ini -> %SystemRoot%\System32\cfktlrtc.ini
NY -> CMpsDfhk.ini -> %SystemRoot%\System32\CMpsDfhk.ini
NY -> CMpsDfhk.ini2 -> %SystemRoot%\System32\CMpsDfhk.ini2
NY -> ctrltkfc.dll -> %SystemRoot%\System32\ctrltkfc.dll
NY -> ejydprvo.ini -> %SystemRoot%\System32\ejydprvo.ini
NY -> enntfwss.ini -> %SystemRoot%\System32\enntfwss.ini
NY -> eqxloytl.dll -> %SystemRoot%\System32\eqxloytl.dll
NY -> ezsidmv.dat -> %SystemRoot%\System32\ezsidmv.dat
NY -> fgxvqnay.ini -> %SystemRoot%\System32\fgxvqnay.ini
NY -> fijPYJjl.ini -> %SystemRoot%\System32\fijPYJjl.ini
NY -> fijPYJjl.ini2 -> %SystemRoot%\System32\fijPYJjl.ini2
NY -> frhwvfhq.dll -> %SystemRoot%\System32\frhwvfhq.dll
NY -> g22.exe -> %SystemRoot%\System32\g22.exe
NY -> gMoWvyay.ini -> %SystemRoot%\System32\gMoWvyay.ini
NY -> iSrrYcfe.ini -> %SystemRoot%\System32\iSrrYcfe.ini
NY -> iSrrYcfe.ini2 -> %SystemRoot%\System32\iSrrYcfe.ini2
NY -> lhassqpp.dll -> %SystemRoot%\System32\lhassqpp.dll
NY -> ltyolxqe.ini -> %SystemRoot%\System32\ltyolxqe.ini
NY -> mfwwlgop.ini -> %SystemRoot%\System32\mfwwlgop.ini
NY -> mgjgmjyq.ini -> %SystemRoot%\System32\mgjgmjyq.ini
NY -> mlSAcMoq.ini -> %SystemRoot%\System32\mlSAcMoq.ini
NY -> mlSAcMoq.ini2 -> %SystemRoot%\System32\mlSAcMoq.ini2
NY -> mysidesearch_sidebar_uninstall.exe -> %SystemRoot%\System32\mysidesearch_sidebar_uninstall.exe
NY -> paxnrnbv.dll -> %SystemRoot%\System32\paxnrnbv.dll
NY -> pcefpsqj.dll -> %SystemRoot%\System32\pcefpsqj.dll
NY -> poglwwfm.dll -> %SystemRoot%\System32\poglwwfm.dll
NY -> puajvtdl.dll -> %SystemRoot%\System32\puajvtdl.dll
NY -> qqsmwgod.dll -> %SystemRoot%\System32\qqsmwgod.dll
NY -> qvfddkef.dll -> %SystemRoot%\System32\qvfddkef.dll
NY -> qyjmgjgm.dll -> %SystemRoot%\System32\qyjmgjgm.dll
NY -> rltrwydy.dll -> %SystemRoot%\System32\rltrwydy.dll
NY -> roaiffly.dll -> %SystemRoot%\System32\roaiffly.dll
NY -> rucdegcg.dll -> %SystemRoot%\System32\rucdegcg.dll
NY -> rwsbbuwi.dll -> %SystemRoot%\System32\rwsbbuwi.dll
NY -> rwwnw64d.exe -> %SystemRoot%\System32\rwwnw64d.exe
NY -> sswftnne.dll -> %SystemRoot%\System32\sswftnne.dll
NY -> sxbhlwhe.dll -> %SystemRoot%\System32\sxbhlwhe.dll
NY -> tvghkjjo.exe -> %SystemRoot%\System32\tvghkjjo.exe
NY -> vbnrnxap.ini -> %SystemRoot%\System32\vbnrnxap.ini
NY -> volfhxur.dll -> %SystemRoot%\System32\volfhxur.dll
NY -> walssajp.ini -> %SystemRoot%\System32\walssajp.ini
NY -> wnxxloki.dll -> %SystemRoot%\System32\wnxxloki.dll
NY -> wumnernm.dll -> %SystemRoot%\System32\wumnernm.dll
NY -> yayvWoMg.dll -> %SystemRoot%\System32\yayvWoMg.dll
NY -> yklhlvnh.dll -> %SystemRoot%\System32\yklhlvnh.dll
NY -> ytlwxkmj.ini -> %SystemRoot%\System32\ytlwxkmj.ini
NY -> {f153b7f0-0af0-579c-fd80-e3a1f2eabf28}.dll-uninst.exe -> %SystemRoot%\System32\{f153b7f0-0af0-579c-fd80-e3a1f2eabf28}.dll-uninst.exe
[Files Created - Additional Folder Scans - Non-Microsoft Only]
[Files/Folders - Modified Within 30 days]
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~aunptzs.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~aunptzs.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~ervpolr.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~ervpolr.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~fdcmktt.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~fdcmktt.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~kwjclrl.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~kwjclrl.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~mjhykdw.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~mjhykdw.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~muewdls.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~muewdls.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~piwgkvy.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~piwgkvy.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~qsbvsmt.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~qsbvsmt.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~rjtvuzm.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~rjtvuzm.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~utylqej.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~utylqej.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~wwbedzo.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~wwbedzo.tmp\
NY -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~xafepjh.tmp\ -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~xafepjh.tmp\
NY -> dss.dll -> C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~xkudfng.tmp\dss.dll


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#11
idkidd

idkidd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
My problem with not being able to turn on auto updates has been fixed, but I am still unable to access many websites (examples: google.com, thehungersite.com).

I've attached the other scan.

[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\00d6281d deleted successfully.
File C:\WINDOWS\SYSTEM32\ctrltkfc.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM03e51b81 deleted successfully.
C:\WINDOWS\SYSTEM32\avvpnmce.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{91223DE9-F8E6-4FFD-8889-BE6784C18696} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91223DE9-F8E6-4FFD-8889-BE6784C18696}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtstrp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXNDvst\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12A2904F-6D26-40B7-A9FB-46BFA051F9EF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12A2904F-6D26-40B7-A9FB-46BFA051F9EF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B343E32-D0CC-42F7-9CFF-6F236B911C94}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B343E32-D0CC-42F7-9CFF-6F236B911C94}\ not found.
C:\WINDOWS\SYSTEM32\yayvWoMg.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B60FF9A7-3ECF-4B99-B48C-A4B22A4A8507}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B60FF9A7-3ECF-4B99-B48C-A4B22A4A8507}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B613E05F-EC2C-4C86-B60E-7BAF07B3F5F2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B613E05F-EC2C-4C86-B60E-7BAF07B3F5F2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e87b7871-21fb-473f-b545-0a09584f1d3b}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e87b7871-21fb-473f-b545-0a09584f1d3b}\ not found.
C:\WINDOWS\SYSTEM32\puajvtdl.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EDC8CFF3-ADDF-4DE5-AD87-02B81775A88A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDC8CFF3-ADDF-4DE5-AD87-02B81775A88A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF68646F-6C16-49BE-9D29-0D20096C56A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF68646F-6C16-49BE-9D29-0D20096C56A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1BAC9A2A-4755-43c3-A430-D3512C5B8A4E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BAC9A2A-4755-43c3-A430-D3512C5B8A4E}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FABA076A-478A-4c32-A0A5-C774607901C2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FABA076A-478A-4c32-A0A5-C774607901C2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07851C6A-1C43-41d9-8319-BC89154A8C00}\ deleted successfully.
C:\Program Files\RcvSystem\httpdchk.dll moved successfully.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\yayvWoMg deleted successfully.
File C:\WINDOWS\SYSTEM32\yayvWoMg.dll not found.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\afdpucfp.dll moved successfully.
File C:\WINDOWS\System32\avvpnmce.dll not found!
C:\WINDOWS\System32\bjrhntqg.dll moved successfully.
C:\WINDOWS\System32\bmcursqf.dll moved successfully.
C:\WINDOWS\System32\bpxjxikl.dll moved successfully.
C:\WINDOWS\System32\bpybjcei.dll moved successfully.
C:\WINDOWS\System32\cacljjxv.dll moved successfully.
C:\WINDOWS\System32\cfktlrtc.ini moved successfully.
C:\WINDOWS\System32\CMpsDfhk.ini moved successfully.
C:\WINDOWS\System32\CMpsDfhk.ini2 moved successfully.
File C:\WINDOWS\System32\ctrltkfc.dll not found!
C:\WINDOWS\System32\ejydprvo.ini moved successfully.
C:\WINDOWS\System32\enntfwss.ini moved successfully.
C:\WINDOWS\System32\eqxloytl.dll moved successfully.
C:\WINDOWS\System32\ezsidmv.dat moved successfully.
C:\WINDOWS\System32\fgxvqnay.ini moved successfully.
C:\WINDOWS\System32\fijPYJjl.ini moved successfully.
C:\WINDOWS\System32\fijPYJjl.ini2 moved successfully.
C:\WINDOWS\System32\frhwvfhq.dll moved successfully.
C:\WINDOWS\System32\g22.exe moved successfully.
C:\WINDOWS\System32\gMoWvyay.ini moved successfully.
C:\WINDOWS\System32\iSrrYcfe.ini moved successfully.
C:\WINDOWS\System32\iSrrYcfe.ini2 moved successfully.
C:\WINDOWS\System32\lhassqpp.dll moved successfully.
C:\WINDOWS\System32\ltyolxqe.ini moved successfully.
C:\WINDOWS\System32\mfwwlgop.ini moved successfully.
C:\WINDOWS\System32\mgjgmjyq.ini moved successfully.
C:\WINDOWS\System32\mlSAcMoq.ini moved successfully.
C:\WINDOWS\System32\mlSAcMoq.ini2 moved successfully.
C:\WINDOWS\System32\mysidesearch_sidebar_uninstall.exe moved successfully.
C:\WINDOWS\System32\paxnrnbv.dll moved successfully.
C:\WINDOWS\System32\pcefpsqj.dll moved successfully.
C:\WINDOWS\System32\poglwwfm.dll moved successfully.
File C:\WINDOWS\System32\puajvtdl.dll not found!
C:\WINDOWS\System32\qqsmwgod.dll moved successfully.
C:\WINDOWS\System32\qvfddkef.dll moved successfully.
C:\WINDOWS\System32\qyjmgjgm.dll moved successfully.
C:\WINDOWS\System32\rltrwydy.dll moved successfully.
C:\WINDOWS\System32\roaiffly.dll moved successfully.
C:\WINDOWS\System32\rucdegcg.dll moved successfully.
C:\WINDOWS\System32\rwsbbuwi.dll moved successfully.
C:\WINDOWS\System32\rwwnw64d.exe moved successfully.
C:\WINDOWS\System32\sswftnne.dll moved successfully.
C:\WINDOWS\System32\sxbhlwhe.dll moved successfully.
C:\WINDOWS\System32\tvghkjjo.exe moved successfully.
C:\WINDOWS\System32\vbnrnxap.ini moved successfully.
C:\WINDOWS\System32\volfhxur.dll moved successfully.
C:\WINDOWS\System32\walssajp.ini moved successfully.
C:\WINDOWS\System32\wnxxloki.dll moved successfully.
C:\WINDOWS\System32\wumnernm.dll moved successfully.
File C:\WINDOWS\System32\yayvWoMg.dll not found!
C:\WINDOWS\System32\yklhlvnh.dll moved successfully.
C:\WINDOWS\System32\ytlwxkmj.ini moved successfully.
C:\WINDOWS\System32\{f153b7f0-0af0-579c-fd80-e3a1f2eabf28}.dll-uninst.exe moved successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
[Files/Folders - Modified Within 30 days]
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~aunptzs.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~ervpolr.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~fdcmktt.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~kwjclrl.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~mjhykdw.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~muewdls.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~piwgkvy.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~qsbvsmt.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~rjtvuzm.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~utylqej.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~wwbedzo.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~xafepjh.tmp\ scheduled to be moved on reboot.
C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~xkudfng.tmp\dss.dll moved successfully.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.12 fix logfile created on 06112008_180032

Files moved on Reboot...
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~aunptzs.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~ervpolr.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~fdcmktt.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~kwjclrl.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~mjhykdw.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~muewdls.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~piwgkvy.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~qsbvsmt.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~rjtvuzm.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~utylqej.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~wwbedzo.tmp\ scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Lynn Zerbe\Local Settings\Temp\~xafepjh.tmp\ scheduled to be moved on reboot.

Attached Files


  • 0

#12
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#13
idkidd

idkidd

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi Tal,

Success? It may be so! I am now able to access the problem websites and am not seeing any other problems. But you are the expert, so let me know if you see anything in these logs that suggests otherwise. If not, thank you so so much for your help. We appreciate it so much!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:25:12 PM, on 6/14/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Network Associates\VirusScan\avsynmgr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Program Files\Network Associates\VirusScan\Webscanx.exe

C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe

C:\Program Files\Ares\Ares.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Webshots\webshots.scr

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3C709D9F-CDDE-4552-92D1-F12DF5B1DF04} - C:\WINDOWS\system32\ssqrq.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)

O2 - BHO: (no name) - {A6E20895-8EFF-4259-B183-56E18428A44F} - C:\WINDOWS\system32\yayvWoMg.dll (file missing)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')

O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab

O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab

O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\LYNNZE~1\LOCALS~1\Temp\IXP000.TMP\setup.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://66.192.131.66/msrdp.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cbu.webex.co...ing/ieatgpc.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



--

End of file - 9286 bytes



ComboFix 08-06-12.2 - Lynn Zerbe 2008-06-14 13:51:00.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.204 [GMT -4:00]

Running from: C:\Documents and Settings\Lynn Zerbe\Desktop\ComboFix.exe

* Created a new restore point



WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



C:\Program Files\RcvSystem

C:\Temp\1cb

C:\Temp\1cb\syscheck.log

C:\Temp\vtmp2

C:\Temp\vtmp2\ktnv33.log

C:\WINDOWS\cookies.ini

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\megavid.cdt

C:\WINDOWS\muotr.so

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\akwnmhjl.dll

C:\WINDOWS\SYSTEM32\bmkcxkwr.ini2

C:\WINDOWS\SYSTEM32\bmkcxkwr.tmp

C:\WINDOWS\system32\cjgvxdiy.dll

C:\WINDOWS\system32\eigfqxgq.dll

C:\WINDOWS\system32\fqlhswss.dll

C:\WINDOWS\SYSTEM32\gMoWvyay.ini

C:\WINDOWS\SYSTEM32\gMoWvyay.ini2

C:\WINDOWS\system32\gside.exe

C:\WINDOWS\SYSTEM32\hhhkj.ini

C:\WINDOWS\SYSTEM32\hhhkj.ini2

C:\WINDOWS\system32\ikjjpbba.ini

C:\WINDOWS\system32\isankysm.exe

C:\WINDOWS\system32\jedlnkea.dll

C:\WINDOWS\system32\jiixvimr.exe

C:\WINDOWS\system32\lmrsnhqo.ini

C:\WINDOWS\system32\locydaps.dll

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\MSINET.oca

C:\WINDOWS\system32\pac.txt

C:\WINDOWS\system32\qrqss.ini

C:\WINDOWS\SYSTEM32\qrqss.ini2

C:\WINDOWS\system32\rkgbypkk.dll

C:\WINDOWS\system32\spadycol.ini

C:\WINDOWS\system32\sxdefckw.dll

C:\WINDOWS\winself.exe



.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.



-------\Legacy_CMDSERVICE

-------\Legacy_NETWORK_MONITOR

-------\Service_TnIDriver





((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))

.



2008-06-13 17:09 . 2008-06-13 17:09 48 --ah----- C:\WINDOWS\SYSTEM32\ezsidmv.dat

2008-06-11 18:23 . 2008-04-23 00:16 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll

2008-06-11 18:23 . 2008-04-23 00:16 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll

2008-06-11 18:23 . 2008-04-23 00:16 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll

2008-06-11 18:22 . 2008-04-23 00:16 6,066,176 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll

2008-06-11 18:22 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat

2008-06-11 18:22 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui

2008-06-11 18:22 . 2008-04-23 00:16 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll

2008-06-11 18:22 . 2008-04-23 00:16 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll

2008-06-11 18:22 . 2008-04-22 03:39 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe

2008-06-11 18:19 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys

2008-06-11 18:19 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

2008-06-03 18:32 . 2008-06-03 18:32 <DIR> d-------- C:\Deckard

2008-06-03 18:20 . 2008-06-03 18:20 <DIR> d-------- C:\Documents and Settings\Lynn Zerbe\.netbeans-registration

2008-06-03 18:19 . 2008-06-03 18:20 <DIR> d-------- C:\Program Files\NetBeans 6.1

2008-06-03 18:19 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl

2008-06-03 18:15 . 2008-06-03 18:15 <DIR> d-------- C:\Program Files\Common Files\Java

2008-06-03 18:11 . 2008-06-03 18:12 <DIR> d-------- C:\Documents and Settings\Lynn Zerbe\.nbi

2008-06-01 17:32 . 2008-06-01 17:32 <DIR> d-------- C:\Program Files\Trend Micro

2008-05-28 21:19 . 2008-05-28 21:20 <DIR> d-------- C:\eeaf814812c52ae4c35779999b6685

2008-05-27 00:07 . 2008-05-27 00:07 49,170 --a------ C:\WINDOWS\SYSTEM32\jpwnw64q.exe

2008-05-26 23:39 . 2008-05-26 23:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\vd2

2008-05-26 23:39 . 2008-05-28 17:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\rev3

2008-05-26 23:39 . 2008-05-28 17:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\acom1

2008-05-26 23:39 . 2008-05-28 17:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\1026c

2008-05-26 23:38 . 2008-05-26 23:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\vntiho01

2008-05-26 23:38 . 2008-06-14 13:51 <DIR> d-------- C:\Temp

2008-05-20 17:02 . 2008-05-20 17:02 32,768 --a------ C:\WINDOWS\SYSTEM32\vntiho01\vntiho011065.exe

2008-05-18 21:39 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\USBAUDIO.sys

2008-05-18 21:39 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usbaudio.sys

2008-05-16 15:09 . 2008-06-13 17:09 <DIR> d-------- C:\Documents and Settings\Lynn Zerbe\Application Data\skypePM

2008-05-16 14:33 . 2008-06-13 21:05 <DIR> d-------- C:\Documents and Settings\Lynn Zerbe\Application Data\Skype

2008-05-16 14:21 . 2008-05-16 14:22 <DIR> d-------- C:\Program Files\Skype

2008-05-16 14:21 . 2008-05-16 14:21 <DIR> d-------- C:\Program Files\Common Files\Skype

2008-05-16 14:18 . 2008-05-16 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-14 04:06 --------- d-----w C:\Documents and Settings\Lynn Zerbe\Application Data\U3

2008-06-03 22:19 --------- d-----w C:\Program Files\Java

2008-05-27 03:57 --------- d-----w C:\Documents and Settings\Lynn Zerbe\Application Data\Azureus

2008-05-15 20:31 --------- d-----w C:\Program Files\Common Files\Adobe

2008-05-15 20:27 --------- d-----w C:\Documents and Settings\Lynn Zerbe\Application Data\AdobeUM

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys

2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll

2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll

2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll

2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe

2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe

2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll

2008-04-17 22:23 --------- d-----w C:\Program Files\Azureus

2008-04-14 01:34 --------- d-----w C:\Program Files\iTunes

2008-04-14 01:33 --------- d-----w C:\Program Files\iPod

2008-04-14 01:27 --------- d-----w C:\Program Files\QuickTime

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll

2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys

2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys

2008-03-17 01:36 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe

2008-03-16 03:57 691,545 ----a-w C:\WINDOWS\unins000.exe

2005-12-19 18:39 3,167,744 ----a-w C:\Documents and Settings\Lynn Zerbe\gosetup.exe

2004-04-23 05:00 13,824 ----a-w C:\Documents and Settings\LocalService\cnmss Canon PIXMA iP4000 (Local).exe

.



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C709D9F-CDDE-4552-92D1-F12DF5B1DF04}]

C:\WINDOWS\system32\ssqrq.dll



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]

C:\Program Files\QdrDrive\QdrDrive8.dll



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E20895-8EFF-4259-B183-56E18428A44F}]

C:\WINDOWS\system32\yayvWoMg.dll



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ares"="C:\Program Files\Ares\Ares.exe" [2007-11-23 12:18 962560]

"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [ ]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42 1404928]

"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]

"HostManager"="C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]

"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]

"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 17:33 99480]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 101136 C:\WINDOWS\KHALMNPR.Exe]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]



C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\

Camio Viewer.lnk - C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe [2005-07-26 14:35:29 103424]



C:\Documents and Settings\Lynn Zerbe\Start Menu\Programs\Startup\

Camio Viewer.lnk - C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe [2005-07-26 14:35:29 103424]

Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-08-17 16:46:06 45056]



C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-03-09 10:49:37 688128]



[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"C:\\Program Files\\America Online 9.0\\waol.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"C:\\Program Files\\Common Files\\AOL\\1140537316\\EE\\AOLServiceHost.exe"=

"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

"C:\\Program Files\\America Online 9.0a\\waol.exe"=

"C:\\Program Files\\Common Files\\AOL\\1140537316\\EE\\aolsoftware.exe"=

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"C:\\Program Files\\Azureus\\Azureus.exe"=

"C:\\Program Files\\Ares\\Ares.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=

"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=



R0 NaiFsRec;NaiFsRec;C:\WINDOWS\system32\drivers\NaiFsRec.sys [2001-04-30 04:51]

R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\avsynmgr.exe" [2001-04-30 04:51]



.

**************************************************************************



catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-14 13:57:09

Windows 5.1.2600 Service Pack 2 NTFS



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\SYSTEM32\LEXBCES.EXE

C:\WINDOWS\SYSTEM32\LEXPPS.EXE

C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

C:\WINDOWS\SYSTEM32\FXSSVC.EXE

C:\Program Files\Network Associates\VirusScan\vsstat.exe

C:\Program Files\Network Associates\VirusScan\vshwin32.exe

C:\Program Files\Network Associates\VirusScan\avconsol.exe

C:\Program Files\Network Associates\VirusScan\webscanx.exe

C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Webshots\webshots.scr

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2008-06-14 14:06:20 - machine was rebooted

ComboFix-quarantined-files.txt 2008-06-14 18:06:15



Pre-Run: 7,150,985,216 bytes free

Post-Run: 7,175,364,608 bytes free



219 --- E O F --- 2008-06-11 22:30:05
  • 0

#14
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi and sorry for the delay - tests again :)

Looks much much better.

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)

O2 - BHO: (no name) - {3C709D9F-CDDE-4552-92D1-F12DF5B1DF04} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: (no name) - {A6E20895-8EFF-4259-B183-56E18428A44F} - C:\WINDOWS\system32\yayvWoMg.dll (file missing)


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

In your next reply, please include a new DSS log.

BTW, there's no need to double-space these logs - makes it harder on the eye.
  • 0

#15
idkidd

idkidd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
DSS works now too! :)

Deckard's System Scanner v20071014.68
Run by Lynn Zerbe on 2008-06-18 19:10:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
58: 2008-06-18 23:11:38 UTC - RP796 - Deckard's System Scanner Restore Point
57: 2008-06-18 21:00:43 UTC - RP795 - System Checkpoint
56: 2008-06-17 20:00:42 UTC - RP794 - System Checkpoint
55: 2008-06-16 19:00:40 UTC - RP793 - System Checkpoint
54: 2008-06-15 18:00:41 UTC - RP792 - System Checkpoint


-- First Restore Point --
1: 2008-04-29 14:36:23 UTC - RP739 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Lynn Zerbe.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:04 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Lynn Zerbe\Desktop\dss.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Lynn Zerbe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.c...mp;ltmplcache=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\LYNNZE~1\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://66.192.131.66/msrdp.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cbu.webex.co...ing/ieatgpc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 9200 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080603-165555-585 O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\ocntqkdm.exe
backup-20080603-165556-484 O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
backup-20080603-165556-704 O4 - HKLM\..\Run: [00d6281d] rundll32.exe "C:\WINDOWS\system32\pjasslaw.dll",b
backup-20080603-165556-879 O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...e/w4sgeen10.exe
backup-20080603-165556-940 O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
backup-20080618-190655-303 O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
backup-20080618-190655-478 O2 - BHO: (no name) - {A6E20895-8EFF-4259-B183-56E18428A44F} - C:\WINDOWS\system32\yayvWoMg.dll (file missing)
backup-20080618-190655-980 O2 - BHO: (no name) - {3C709D9F-CDDE-4552-92D1-F12DF5B1DF04} - C:\WINDOWS\system32\ssqrq.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NaiFsRec - c:\windows\system32\drivers\naifsrec.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 NaiFiltr - c:\program files\common files\network associates\mcshield\naifiltr.sys

S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 RT73 (Linksys Home Wireless-G USB Adapter Driver) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 AvSynMgr (AVSync Manager) - "c:\program files\network associates\virusscan\avsynmgr.exe"

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-18 and 2008-06-18 -----------------------------

2008-06-14 13:50:10 68096 --a------ C:\WINDOWS\zip.exe
2008-06-14 13:50:10 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-14 13:50:10 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-14 13:50:10 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-14 13:50:10 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-14 13:50:10 98816 --a------ C:\WINDOWS\sed.exe
2008-06-14 13:50:10 80412 --a------ C:\WINDOWS\grep.exe
2008-06-14 13:50:10 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-13 17:09:23 48 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-03 18:20:45 0 d-------- C:\Documents and Settings\Lynn Zerbe\.netbeans-registration
2008-06-03 18:19:44 0 d-------- C:\Program Files\NetBeans 6.1
2008-06-03 18:15:12 0 d-------- C:\Program Files\Common Files\Java
2008-06-03 18:11:58 0 d-------- C:\Documents and Settings\Lynn Zerbe\.nbi
2008-06-01 17:32:14 0 d-------- C:\Program Files\Trend Micro
2008-05-28 21:19:18 0 d-------- C:\eeaf814812c52ae4c35779999b6685
2008-05-27 00:07:17 49170 --a------ C:\WINDOWS\system32\jpwnw64q.exe <Not Verified; ; Browser Driver>
2008-05-26 23:39:17 0 d-------- C:\WINDOWS\system32\vd2
2008-05-26 23:39:17 0 d-------- C:\WINDOWS\system32\rev3
2008-05-26 23:39:17 0 d-------- C:\WINDOWS\system32\1026c
2008-05-26 23:39:15 0 d-------- C:\WINDOWS\system32\acom1
2008-05-26 23:38:31 0 d-------- C:\WINDOWS\system32\vntiho01
2008-05-26 23:38:29 0 d-------- C:\Temp


-- Find3M Report ---------------------------------------------------------------

2008-06-18 00:13:07 0 d-------- C:\Documents and Settings\Lynn Zerbe\Application Data\Skype
2008-06-18 00:09:56 0 d-------- C:\Documents and Settings\Lynn Zerbe\Application Data\skypePM
2008-06-14 00:06:46 0 d-------- C:\Documents and Settings\Lynn Zerbe\Application Data\U3
2008-06-03 18:19:32 0 d-------- C:\Program Files\Java
2008-06-03 18:15:12 0 d-------- C:\Program Files\Common Files
2008-05-26 23:57:51 0 d-------- C:\Documents and Settings\Lynn Zerbe\Application Data\Azureus
2008-05-16 14:22:53 0 d-------- C:\Program Files\Skype
2008-05-16 14:21:50 0 d-------- C:\Program Files\Common Files\Skype
2008-05-15 16:31:08 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-15 16:27:35 0 d-------- C:\Documents and Settings\Lynn Zerbe\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 03:42 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 09:12 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 10:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 10:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 10:36 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1140537316\ee\AOLSoftware.exe" [09/25/2006 08:52 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/23/2006 08:50 AM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [04/05/2004 05:33 PM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [01/23/2007 04:44 PM C:\WINDOWS\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [11/23/2007 12:18 PM]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]

C:\Documents and Settings\Lynn Zerbe\Start Menu\Programs\Startup\
Camio Viewer.lnk - C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe [7/26/2005 2:35:29 PM]
DESKTOP.INI [8/10/2004 2:04:12 PM]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [8/17/2005 4:46:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
DESKTOP.INI [8/10/2004 2:04:12 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [3/9/2007 10:49:37 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"




-- End of Deckard's System Scanner: finished at 2008-06-18 19:14:20 ------------