

Infected With Re Occurring Vundo


  • This topic is locked
14 replies to this topic

#1 aotke1110

aotke1110

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 19 July 2007 - 12:02 PM

It started with the icons and task bar disappearing on me. I googled some stuff and found VundoFix, which seemed to get rid of the problem for about two weeks. Now Trend Micro detects the Vundo and can't do anything about it, and then the task bar and icons disappear again. Everything goes back to normal once I run VundoFix, but only for maybe 10 minutes, or 2 hours is the longest it's made it so far. I've run Ad-Aware, Spybot, BitDefender and McAfee Stinger, and they all got rid of some stuff, but this Vundo keeps coming back. What usually happens is there is one .bak1 file, one .ini file and one .dll file. VundoFix takes care of the first two, then has to reboot to get rid of the .dll; then, once it's rebooted a second time, the process starts all over again, either within 10 minutes or sometimes a little longer, it just depends. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:59 AM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\COMMON~1\AOL\113807~1\EE\AOLHOS~1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\113807~1\EE\AOLServiceHost.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\YMANTE~1\msconfig.exe
C:\WINDOWS\??pPatch\??anregw.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14AAEC5F-58F0-44ED-802A-D291824A7E6C} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: (no name) - {14f5e9db-3341-49a0-88b7-29a40f79faeb} - C:\WINDOWS\system32\oydxbta.dll (file missing)
O2 - BHO: (no name) - {22B6ED64-84BE-467D-923F-75A239270780} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: (no name) - {26E38EE7-4231-4A8B-98F9-2A87D792E8C9} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {3BA66C82-749D-43CC-BE0C-E424768B7E69} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {4E03EEB2-7B1B-4FBE-B6CE-B9E07E28288C} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {4EB07752-7630-4242-BE8D-F38D3B88FCF6} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {627D725B-8D33-4D82-93E6-667838BC08F0} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: (no name) - {641FBB11-B1CE-4AE3-B0EE-716F7251897D} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {67BD3273-1D51-46A9-ABEB-A9541125C57E} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {67D93307-E41A-4E00-8BDF-BB1E9F4D48C8} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {6C191CFB-F56B-AB94-1E12-FE8DBD5687EE} - C:\WINDOWS\system32\dnc.dll
O2 - BHO: (no name) - {7192917A-7229-4A48-99B2-97ECFD624510} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {AA775E92-0B22-49CA-AE26-289C5DEED05C} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {B188D0C4-3554-41E3-B189-3840DD10E2AF} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: (no name) - {C0B51CFB-BDD1-4197-B7AE-87197F6B03D6} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {D6278BB5-F7DD-4318-800E-41687C7A52EA} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\fccdbca.dll
O2 - BHO: (no name) - {E36205B6-B4D8-4FA9-B317-20FEC0A4F252} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: (no name) - {EF57B8CF-8455-4C70-B962-141682C646A9} - C:\WINDOWS\system32\pmnll.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1138075908\EE\AOLHostManager.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [{D0B92B8E-0BB5-1033-0906-050823200001}] "C:\Program Files\Common Files\{D0B92B8E-0BB5-1033-0906-050823200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Dxvg] C:\WINDOWS\??pPatch\??anregw.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WebBuying] "C:\Program Files\Web Buying\v1.7.4\webbuying.exe"
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184815151765
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: fccdbca - C:\WINDOWS\SYSTEM32\fccdbca.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

--
End of file - 13482 bytes
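As an added example (not code from this thread, from HijackThis or from ComboFix), here is the kind of triage a log reader applies to the entries above, written in Python and run over lines taken from this HijackThis log plus three file paths from the ComboFix "V Log" in post #4 further down: unnamed BHOs loaded from system32, one DLL registered both as a BHO and as a Winlogon Notify handler, a Run path containing characters that cannot occur in a Windows file name, and an .ini whose name is a .dll name spelled backwards (pmnlj.dll and jlnmp.ini in the ComboFix log). Rule names, the stem-length threshold and the sample selection are my assumptions.

```python
"""Triage rules for HijackThis (HJT) log lines and ComboFix file lists.

Added example; not code from the thread or from the HijackThis/ComboFix
projects. Rule wording and thresholds are assumptions.
"""
import re
from dataclasses import dataclass

# Lines selected from the HijackThis log in post #1 (a constructed subset).
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {14AAEC5F-58F0-44ED-802A-D291824A7E6C} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\fccdbca.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Dxvg] C:\WINDOWS\??pPatch\??anregw.exe
O20 - Winlogon Notify: fccdbca - C:\WINDOWS\SYSTEM32\fccdbca.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Paths from the "V Log" section of the ComboFix log in post #4.
SAMPLE_COMBOFIX_PATHS = [
    r"C:\WINDOWS\system32\fccdbca.dll",
    r"C:\WINDOWS\system32\pmnlj.dll",
    r"C:\WINDOWS\system32\jlnmp.ini",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# A DLL directly under %SystemRoot%\system32 with a short, all-letter stem.
SYSTEM32_DLL = re.compile(r"\\windows\\system32\\([a-z]{3,8})\.dll\b", re.IGNORECASE)
BHO = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
RUN = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def triage_hjt(log_text):
    """Return findings for the HJT lines in log_text, in log order."""
    lines = [ln.strip() for ln in log_text.strip().splitlines() if ln.strip()]
    findings, bho_stems, notify_lines = [], set(), []
    for line in lines:
        m = BHO.match(line)
        if m:
            sys32 = SYSTEM32_DLL.search(m["path"])
            if sys32:
                bho_stems.add(sys32.group(1).lower())
            # "(no name)" alone is not enough: SDHelper.dll above is unnamed
            # and legitimate, so the path must also point into system32.
            if m["name"] == "(no name)" and sys32:
                rule = ("orphaned unnamed BHO registration in system32 (file missing)"
                        if m["missing"] else "unnamed BHO loaded from system32")
                findings.append(Finding(rule, line))
            continue
        m = RUN.match(line)
        if m:
            # '?' cannot appear in a Windows file name; HJT prints it for
            # characters it cannot render, as in the Dxvg entry above.
            if "?" in m["cmd"]:
                findings.append(Finding("Run entry path contains characters illegal in a Windows path", line))
            continue
        if NOTIFY.match(line):
            notify_lines.append(line)
    # Correlate after the pass so the order of O2 and O20 lines does not matter.
    for line in notify_lines:
        sys32 = SYSTEM32_DLL.search(NOTIFY.match(line)["path"])
        if sys32 and sys32.group(1).lower() in bho_stems:
            findings.append(Finding("same DLL registered as a BHO and as a Winlogon Notify handler", line))
    return findings


def reversed_name_pairs(paths):
    """Pair each .ini with a .dll in the same directory whose stem is the .ini stem reversed."""
    by_dir_ext = {}
    for p in paths:
        directory, _, name = p.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        by_dir_ext.setdefault((directory.lower(), ext.lower()), {})[stem.lower()] = p
    pairs = []
    for (directory, ext), inis in by_dir_ext.items():
        if ext != "ini":
            continue
        dlls = by_dir_ext.get((directory, "dll"), {})
        for stem, ini_path in inis.items():
            if stem[::-1] in dlls:
                pairs.append((dlls[stem[::-1]], ini_path))
    return pairs


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f.rule}] {f.line}")
    for dll, ini in reversed_name_pairs(SAMPLE_COMBOFIX_PATHS):
        print(f"[.ini mirrors .dll name] {dll} <-> {ini}")
```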


#2 Rorschach

Rorschach

  • Members
  • 523 posts
  • OFFLINE
  • Local time:02:23 AM

Posted 19 July 2007 - 12:38 PM

Hello aotke1110, I'm just looking over your log and will get back to you soon.

#3 Rorschach

Rorschach

  • Members
  • 523 posts
  • OFFLINE
  • Local time:02:23 AM

Posted 19 July 2007 - 02:32 PM

Hi aotke1110, my name is Rorschach and I'll be helping you with your problems.

* I notice that you have no firewall on your PC, this is extremely dangerous and leaves your PC open to vulnerabilities, so please download and install one of the following programs: ZoneAlarm, Comodo, or Outpost.
Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.



1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.


So in your next reply please post the following : the ComboFix log, the HijackThis Uninstall List, a new HijackThis log. Also tell me how your PC is running now.

#4 aotke1110

aotke1110
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 20 July 2007 - 02:19 AM

Thank you so much for helping me. Here is what you requested.

First the ComboFix log:

"HP_Administrator" - 2007-07-20 0:58:00 - ComboFix 07-07-17.8 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fccdbca.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\fccdbca.dll
C:\WINDOWS\system32\jlnmp.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))


2007-07-20 00:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 14:41 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-19 14:41 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-19 14:41 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-19 14:41 428,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-19 14:41 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-07-19 14:41 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-07-19 14:41 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-19 14:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-07-19 14:40 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-19 14:40 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-19 14:40 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-19 05:55 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-19 00:33 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-18 23:36 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-18 19:56 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-18 16:11 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-18 16:10 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\.housecall6.6
2007-07-17 23:13 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2007-07-17 23:12 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2007-07-17 22:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-17 22:52 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-17 15:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-17 15:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-17 15:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-07 12:01 <DIR> d-------- C:\spoolerlogs
2007-07-07 09:30 1,156 --a------ C:\WINDOWS\mozver.dat
2007-07-07 08:59 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Talkback
2007-07-07 08:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-29 10:18 <DIR> d-------- C:\VundoFix Backups
2007-06-25 23:10 <DIR> d-------- C:\Temp
2007-06-20 09:35 <DIR> d-------- C:\Program Files\Ares
2007-06-20 09:05 <DIR> d-------- C:\Program Files\Soulseek
2007-06-20 08:46 <DIR> d-------- C:\Program Files\MorpheusBar


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 05:37:29 6,092 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-18 21:22:21 -------- d--h--w C:\Program Files\WindowsUpdate
2007-07-18 20:15:37 -------- d-----w C:\Program Files\Trend Micro
2007-07-18 05:19:18 -------- d-----w C:\Program Files\Shrink Pic
2007-07-18 05:19:17 -------- d-----w C:\Program Files\QuickTime
2007-07-18 05:19:16 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-07-18 05:19:16 -------- d-----w C:\Program Files\Messenger
2007-07-18 05:19:16 -------- d-----w C:\Program Files\GameSpot
2007-07-18 05:19:15 -------- d---a-w C:\Program Files\Common Files\LightScribe
2007-07-17 21:17:44 -------- d-----w C:\Program Files\Morpheus
2007-06-29 16:26:19 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-06-29 16:26:19 203,024 ----a-w C:\WINDOWS\system32\drivers\TmXPFlt.sys
2007-06-29 16:26:19 1,126,328 ----a-w C:\WINDOWS\system32\drivers\VSAPINT.SYS
2007-06-15 14:44:36 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-09 20:54:30 -------- d--h--w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Move Networks
2007-06-04 21:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 21:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 21:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-30 20:17:57 -------- d-----w C:\Program Files\EA Games
2007-05-29 19:48:58 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Command & Conquer 3 Tiberium Wars Demo
2007-05-29 19:45:06 -------- d-----w C:\Program Files\Electronic Arts
2007-03-14 05:20:50 90 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2005-11-21 16:54 399424 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FA70FD7-6B06-44DD-B58C-6FA34686617C}]
C:\WINDOWS\system32\gebyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14AAEC5F-58F0-44ED-802A-D291824A7E6C}]
C:\WINDOWS\system32\mljgd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14f5e9db-3341-49a0-88b7-29a40f79faeb}]
C:\WINDOWS\system32\oydxbta.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22B57FA2-BA09-443E-9EEE-07EDB4138319}]
C:\WINDOWS\system32\jkhfd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22B6ED64-84BE-467D-923F-75A239270780}]
C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26E38EE7-4231-4A8B-98F9-2A87D792E8C9}]
C:\WINDOWS\system32\vturs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CCC6448-CA17-4B1F-ACF1-85C8E6E4F3D7}]
C:\WINDOWS\system32\ddcyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37411524-1DA8-4D3D-AD8E-D16253DB7D8D}]
C:\WINDOWS\system32\pmnll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BA66C82-749D-43CC-BE0C-E424768B7E69}]
C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E03EEB2-7B1B-4FBE-B6CE-B9E07E28288C}]
C:\WINDOWS\system32\pmnlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EB07752-7630-4242-BE8D-F38D3B88FCF6}]
C:\WINDOWS\system32\gebca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{627D725B-8D33-4D82-93E6-667838BC08F0}]
C:\WINDOWS\system32\mllmn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{641FBB11-B1CE-4AE3-B0EE-716F7251897D}]
C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67D93307-E41A-4E00-8BDF-BB1E9F4D48C8}]
C:\WINDOWS\system32\ddcya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C191CFB-F56B-AB94-1E12-FE8DBD5687EE}]
C:\WINDOWS\system32\dnc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7192917A-7229-4A48-99B2-97ECFD624510}]
C:\WINDOWS\system32\awtsq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{772D37F3-BD64-4549-9A00-6B2E2E2CE1C0}]
C:\WINDOWS\system32\jkhhf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA775E92-0B22-49CA-AE26-289C5DEED05C}]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B188D0C4-3554-41E3-B189-3840DD10E2AF}]
C:\WINDOWS\system32\mljji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0B51CFB-BDD1-4197-B7AE-87197F6B03D6}]
C:\WINDOWS\system32\gebyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C686B3E2-4673-43AC-B11C-B3020589BCE2}]
C:\WINDOWS\system32\ddabx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6278BB5-F7DD-4318-800E-41687C7A52EA}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36205B6-B4D8-4FA9-B317-20FEC0A4F252}]
C:\WINDOWS\system32\geebb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 16:51]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 16:50]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 16:51]
"HostManager"="C:\Program Files\Common Files\AOL\1138075908\EE\AOLHostManager.exe" [2004-11-03 15:03]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 08:40]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 18:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-28 00:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-27 23:51]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 13:03]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 13:03]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-04-22 20:19]
"Scbu"="C:\WINDOWS\system32\YMANTE~1\msconfig.exe" []
"Dxvg"="C:\WINDOWS\??pPatch\??anregw.exe" []
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 16:37]

C:\DOCUME~1\HP_ADM~1\STARTM~1\Programs\Startup
GameSpot Download Manager.lnk - C:\Program Files\GameSpot\GDM_TrayApp.exe [2007-05-09 10:48:26]
Shrink Pic.lnk - C:\Program Files\Shrink Pic\shrink_pic.exe [2006-08-18 09:37:32]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-09-28 00:13:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlj]
C:\WINDOWS\system32\pmnlj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
"C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" -r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Windows Visual V2.1
C:\WINDOWS\msiutil.exe

Contents of the 'Scheduled Tasks' folder
2007-07-20 06:00:00 C:\WINDOWS\tasks\At1.job
2007-07-19 15:00:00 C:\WINDOWS\tasks\At10.job
2007-07-19 16:00:00 C:\WINDOWS\tasks\At11.job
2007-07-19 17:00:00 C:\WINDOWS\tasks\At12.job
2007-07-19 18:00:00 C:\WINDOWS\tasks\At13.job
2007-07-19 19:00:00 C:\WINDOWS\tasks\At14.job
2007-07-19 20:00:00 C:\WINDOWS\tasks\At15.job
2007-07-19 21:00:00 C:\WINDOWS\tasks\At16.job
2007-07-19 22:00:00 C:\WINDOWS\tasks\At17.job
2007-07-19 23:00:00 C:\WINDOWS\tasks\At18.job
2007-07-20 00:00:00 C:\WINDOWS\tasks\At19.job
2007-07-20 07:00:00 C:\WINDOWS\tasks\At2.job
2007-07-20 01:00:00 C:\WINDOWS\tasks\At20.job
2007-07-20 02:00:00 C:\WINDOWS\tasks\At21.job
2007-07-20 03:00:00 C:\WINDOWS\tasks\At22.job
2007-07-20 04:00:00 C:\WINDOWS\tasks\At23.job
2007-07-20 05:00:00 C:\WINDOWS\tasks\At24.job
2007-07-20 06:00:00 C:\WINDOWS\tasks\At25.job
2007-07-20 07:00:00 C:\WINDOWS\tasks\At26.job
2007-07-19 08:00:00 C:\WINDOWS\tasks\At27.job
2007-07-19 09:00:00 C:\WINDOWS\tasks\At28.job
2007-07-19 10:00:00 C:\WINDOWS\tasks\At29.job
2007-07-19 08:00:00 C:\WINDOWS\tasks\At3.job
2007-07-19 11:00:00 C:\WINDOWS\tasks\At30.job
2007-07-19 12:00:00 C:\WINDOWS\tasks\At31.job
2007-07-19 13:00:00 C:\WINDOWS\tasks\At32.job
2007-07-19 14:00:00 C:\WINDOWS\tasks\At33.job
2007-07-19 15:00:00 C:\WINDOWS\tasks\At34.job
2007-07-19 16:00:00 C:\WINDOWS\tasks\At35.job
2007-07-19 17:00:00 C:\WINDOWS\tasks\At36.job
2007-07-19 18:00:00 C:\WINDOWS\tasks\At37.job
2007-07-19 19:00:00 C:\WINDOWS\tasks\At38.job
2007-07-19 20:00:00 C:\WINDOWS\tasks\At39.job
2007-07-19 09:00:00 C:\WINDOWS\tasks\At4.job
2007-07-19 21:00:00 C:\WINDOWS\tasks\At40.job
2007-07-19 22:00:00 C:\WINDOWS\tasks\At41.job
2007-07-19 23:00:00 C:\WINDOWS\tasks\At42.job
2007-07-20 00:00:00 C:\WINDOWS\tasks\At43.job
2007-07-20 01:00:00 C:\WINDOWS\tasks\At44.job
2007-07-20 02:00:00 C:\WINDOWS\tasks\At45.job
2007-07-20 03:00:00 C:\WINDOWS\tasks\At46.job
2007-07-20 04:00:00 C:\WINDOWS\tasks\At47.job
2007-07-20 05:00:00 C:\WINDOWS\tasks\At48.job
2007-07-19 10:00:00 C:\WINDOWS\tasks\At5.job
2007-07-19 11:00:00 C:\WINDOWS\tasks\At6.job
2007-07-19 12:00:00 C:\WINDOWS\tasks\At7.job
2007-07-19 13:00:00 C:\WINDOWS\tasks\At8.job
2007-07-19 14:00:00 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-20 01:07:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001ee

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-20 1:10:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-20 01:09

--- E O F ---


Now the uninstall log for HijackThis:

Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Spyware Protection
AOL You've Got Pictures Screensaver
Ares 2.0.9
Barnyard Invasion from HP Media Center (remove only)
Bejeweled 2 Deluxe from HP Media Center (remove only)
Big Kahuna Reef from HP Media Center (remove only)
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Holidays from HP Media Center (remove only)
Boggle Supreme from HP Media Center (remove only)
Bookworm Deluxe from HP Media Center (remove only)
Bounce Symphony from HP Media Center (remove only)
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
Centra Client
ComcastSUPPORT
Command & Conquer The First Decade
CoreVorbis Audio Decoder (remove only)
Crystal Maze from HP Media Center (remove only)
Digby's Donuts from HP Media Center (remove only)
Easy Internet Sign-up
EZ Thumbnail Builder 1.8
EZ-Pix
FATE Demo from HP Media Center (remove only)
Flip Words from HP Media Center (remove only)
GameSpot Download Manager
GemMaster Mystic
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB890927)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP Tunes
Image Resizer Powertoy for Windows XP
Insaniquarium Deluxe from HP Media Center (remove only)
Intel® Graphics Media Accelerator Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iPAQ WebReg
iTunes
J2SE Runtime Environment 5.0
Java 2 Runtime Environment, SE v1.4.1_01
Jewel Quest from HP Media Center (remove only)
Mah Jong Quest from HP Media Center (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft ActiveSync 4.0
Microsoft Money 2005
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
Morpheus Toolbar
Motorola SM56 Speakerphone Modem
Move Networks Player for Internet Explorer
Mozilla Firefox (2.0.0.5)
Musicmatch® Jukebox
muvee autoProducer 4.0
muvee autoProducer unPlugged 1.1 - HPD
Office 2003 Tour
Otto
Panda ActiveScan
Panda ActiveScan Pro
Panda NanoScan
Panda TotalScan
PC-Doctor 5 for Windows
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
PS2
Pure Networks Port Magic
Puzzle Express from HP Media Center (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2005
QuickTime
RealPlayer
Ricochet Lost Worlds from HP Media Center (remove only)
SCRABBLE Blast from HP Media Center (remove only)
SCRABBLE from HP Media Center (remove only)
SCRABBLE Rack Attack from HP Media Center (remove only)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Shrek 2 Ogre Bowler from HP Media Center (remove only)
Shrink Pic (remove)
Slingo Deluxe from HP Media Center (remove only)
Slyder from HP Media Center (remove only)
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SoulSeek Client 156c
Spybot - Search & Destroy 1.4
Super Granny from HP Media Center (remove only)
Swarm from HP Media Center (remove only)
Tradewinds from HP Media Center (remove only)
Trend Micro Antivirus
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Updates from HP (remove only)
Viewpoint Media Player
Windows Media Format Runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix [See KB889858 for more information]
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885354
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891220
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB895678
Yahoo! Toolbar
ZoneAlarm

Now the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:18 AM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\COMMON~1\AOL\113807~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\COMMON~1\AOL\113807~1\EE\AOLServiceHost.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FA70FD7-6B06-44DD-B58C-6FA34686617C} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {14AAEC5F-58F0-44ED-802A-D291824A7E6C} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: (no name) - {14f5e9db-3341-49a0-88b7-29a40f79faeb} - C:\WINDOWS\system32\oydxbta.dll (file missing)
O2 - BHO: (no name) - {22B57FA2-BA09-443E-9EEE-07EDB4138319} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: (no name) - {22B6ED64-84BE-467D-923F-75A239270780} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: (no name) - {26E38EE7-4231-4A8B-98F9-2A87D792E8C9} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {2CCC6448-CA17-4B1F-ACF1-85C8E6E4F3D7} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O2 - BHO: (no name) - {37411524-1DA8-4D3D-AD8E-D16253DB7D8D} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {3BA66C82-749D-43CC-BE0C-E424768B7E69} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {4E03EEB2-7B1B-4FBE-B6CE-B9E07E28288C} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {4EB07752-7630-4242-BE8D-F38D3B88FCF6} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {627D725B-8D33-4D82-93E6-667838BC08F0} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: (no name) - {641FBB11-B1CE-4AE3-B0EE-716F7251897D} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {67D93307-E41A-4E00-8BDF-BB1E9F4D48C8} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {6C191CFB-F56B-AB94-1E12-FE8DBD5687EE} - C:\WINDOWS\system32\dnc.dll (file missing)
O2 - BHO: (no name) - {7192917A-7229-4A48-99B2-97ECFD624510} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {772D37F3-BD64-4549-9A00-6B2E2E2CE1C0} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {AA775E92-0B22-49CA-AE26-289C5DEED05C} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {B188D0C4-3554-41E3-B189-3840DD10E2AF} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: (no name) - {C0B51CFB-BDD1-4197-B7AE-87197F6B03D6} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {C686B3E2-4673-43AC-B11C-B3020589BCE2} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {D6278BB5-F7DD-4318-800E-41687C7A52EA} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {E36205B6-B4D8-4FA9-B317-20FEC0A4F252} - C:\WINDOWS\system32\geebb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1138075908\EE\AOLHostManager.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Dxvg] C:\WINDOWS\??pPatch\??anregw.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184815151765
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12911 bytes


Thanks again.
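
The logs above carry the signature of this infection in four places: a long run of `O2` BHO entries with no name, a short random DLL name under `system32` and `(file missing)`; an `O20` Winlogon Notify package pointing at another missing DLL; two `HKCU\..\Run` values whose paths HijackThis can only render as an 8.3 short name under `system32` or with `?` placeholders; and 48 `At*.job` files, one per hour. The script below is an added example, not code from the original post, from HijackThis or from ComboFix: it runs those heuristics over sample lines constructed from the logs above. The rule names, the thresholds in the regular expressions and the reading of `?` as a character the console could not render are this example's own assumptions.

```python
"""Triage a HijackThis 2.0.x log and a ComboFix task listing for the
Vundo-style persistence visible in this thread.

Added example: not code from the original post, from HijackThis or from
ComboFix. The rules are this example's own heuristics; the sample lines are
constructed from entries that appear in the logs above.
"""
import re
from collections import Counter

# Constructed sample: a few lines lifted from the HijackThis log above.
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0FA70FD7-6B06-44DD-B58C-6FA34686617C} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D6278BB5-F7DD-4318-800E-41687C7A52EA} - C:\WINDOWS\system32\ssttt.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Dxvg] C:\WINDOWS\??pPatch\??anregw.exe
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed sample: four of the 48 hourly At*.job entries ComboFix listed above.
SAMPLE_TASKS = r"""
2007-07-19 19:00:00 C:\WINDOWS\tasks\At38.job
2007-07-19 20:00:00 C:\WINDOWS\tasks\At39.job
2007-07-20 00:00:00 C:\WINDOWS\tasks\At43.job
2007-07-20 01:00:00 C:\WINDOWS\tasks\At44.job
"""

SECTION_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# Short, all-letter, randomly generated DLL name directly in system32
# (gebyv.dll, ssttt.dll, pmnlj.dll ...). Real system DLLs live there too,
# so for BHOs this only counts together with "(no name)" and "(file missing)".
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{3,8}\.dll", re.I)
# 8.3 short-name directory directly under system32 (system32\YMANTE~1\).
# Short names under Program Files are normal; a directory under system32
# that HijackThis can only show in 8.3 form is not.
SYS32_SHORTNAME_DIR = re.compile(r"\\system32\\[A-Z0-9]{1,6}~\d\\", re.I)
AT_JOB_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d):00:00\s+.*\\tasks\\At\d+\.job$", re.I)


def triage_line(line):
    """Return a finding dict for one HijackThis line, or None if it looks benign."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = "(file missing)" in body
    reason = None
    if section == "O2" and "(no name)" in body and missing and RANDOM_SYS32_DLL.search(body):
        reason = "orphan_random_bho"        # CLSID still registered, DLL already gone
    elif section == "O20" and (missing or RANDOM_SYS32_DLL.search(body)):
        reason = "winlogon_notify_orphan"   # Winlogon Notify package: reloaded at every logon
    elif section == "O4" and "?" in body:
        # Assumption: HijackThis prints "?" for characters it cannot render, so
        # a Run value whose path contains "?" points at a directory named to be
        # hard to type or to spot in Explorer.
        reason = "run_key_unrenderable_path"
    elif section == "O4" and SYS32_SHORTNAME_DIR.search(body):
        reason = "run_key_sys32_shortname_dir"
    if reason is None:
        return None
    return {"section": section, "reason": reason, "detail": body}


def triage(log_text):
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per reason."""
    return Counter(f["reason"] for f in findings)


def hourly_at_jobs(listing):
    """Return (date, hour) for each At*.job that fires exactly on the hour.

    Forty-eight of them, one per hour for two days, is a relaunch schedule
    created with at.exe, not something a user or vendor installs.
    """
    hits = []
    for line in listing.splitlines():
        m = AT_JOB_RE.match(line.strip())
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['section']:>4}  {f['reason']:<28} {f['detail']}")
    print(summarize(triage(SAMPLE_HJT)))
    print(hourly_at_jobs(SAMPLE_TASKS))
```

On the sample the Yahoo! Toolbar, Spybot SDHelper and ZoneAlarm lines pass, and the five Vundo-related entries are reported. The `(no name)` test alone would have flagged SDHelper, which is why the BHO rule requires all three conditions.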

#5 aotke1110 (Topic Starter)

Posted 20 July 2007 - 02:21 AM

Also, I have ZoneAlarm running now, and so far since running ComboFix my computer seems to be OK. Time will tell if Vundo hits again; I will reply if it does. Thanks again.

#6 aotke1110 (Topic Starter)

Posted 20 July 2007 - 09:21 AM

Made it all night without the taskbar disappearing. Things are looking good.

#7 Rorschach

Posted 20 July 2007 - 03:19 PM

Hi aotke1110


Open notepad (Start > Run and type notepad) and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

Folder::
C:\Program Files\MorpheusBar
C:\Program Files\WindowsUpdate
C:\WINDOWS\system32\YMANTE~1
C:\WINDOWS\??pPatch



Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe

Run ComboFix again and post the resultant log file please with a fresh HJT log.



Please run HijackThis, click "Do a system scan only" and check these entries if present

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: (no name) - {0FA70FD7-6B06-44DD-B58C-6FA34686617C} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {14AAEC5F-58F0-44ED-802A-D291824A7E6C} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: (no name) - {14f5e9db-3341-49a0-88b7-29a40f79faeb} - C:\WINDOWS\system32\oydxbta.dll (file missing)
O2 - BHO: (no name) - {22B57FA2-BA09-443E-9EEE-07EDB4138319} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: (no name) - {22B6ED64-84BE-467D-923F-75A239270780} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: (no name) - {26E38EE7-4231-4A8B-98F9-2A87D792E8C9} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {2CCC6448-CA17-4B1F-ACF1-85C8E6E4F3D7} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O2 - BHO: (no name) - {37411524-1DA8-4D3D-AD8E-D16253DB7D8D} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {3BA66C82-749D-43CC-BE0C-E424768B7E69} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {4E03EEB2-7B1B-4FBE-B6CE-B9E07E28288C} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {4EB07752-7630-4242-BE8D-F38D3B88FCF6} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: (no name) - {627D725B-8D33-4D82-93E6-667838BC08F0} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: (no name) - {641FBB11-B1CE-4AE3-B0EE-716F7251897D} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {67D93307-E41A-4E00-8BDF-BB1E9F4D48C8} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {6C191CFB-F56B-AB94-1E12-FE8DBD5687EE} - C:\WINDOWS\system32\dnc.dll (file missing)
O2 - BHO: (no name) - {7192917A-7229-4A48-99B2-97ECFD624510} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {772D37F3-BD64-4549-9A00-6B2E2E2CE1C0} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {AA775E92-0B22-49CA-AE26-289C5DEED05C} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {B188D0C4-3554-41E3-B189-3840DD10E2AF} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: (no name) - {C0B51CFB-BDD1-4197-B7AE-87197F6B03D6} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {C686B3E2-4673-43AC-B11C-B3020589BCE2} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {D6278BB5-F7DD-4318-800E-41687C7A52EA} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {E36205B6-B4D8-4FA9-B317-20FEC0A4F252} - C:\WINDOWS\system32\geebb.dll (file missing)
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Dxvg] C:\WINDOWS\??pPatch\??anregw.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)


Close all windows except for HijackThis and click "Fix checked".



I see you have Viewpoint Manager installed on your PC

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.


Please go to Start > Control Panel > Add or Remove Programs > Remove Morpheus Toolbar


So in your next reply please post back with the following: the new ComboFix log, a new HijackThis log, and tell me if you encountered any problems.
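
A CFScript is only half of the fix; the other half is checking that the ComboFix log confirms each removal. The script below is an added example, not code from the original post or from ComboFix, and it assumes only what the two artifacts on this page show: a CFScript made of `File::` and `Folder::` sections, and a ComboFix log whose removals are listed under the `Other Deletions` banner. The samples are constructed from the script in this post and the log the user posted in reply, where MorpheusBar, WindowsUpdate and the At jobs appear under `Other Deletions` but the `YMANTE~1` and `??pPatch` folders do not, so those two need a second look rather than being assumed gone. Treating `?` as a single-character wildcard (because the console could not render those characters) is this example's assumption.

```python
"""Check a ComboFix run against the CFScript that drove it.

Added example: not code from the original post or from ComboFix. The samples
below are constructed from the CFScript in this post and an excerpt of the
follow-up ComboFix log.
"""
import fnmatch

# Constructed: two of the At*.job files plus the four folders from the CFScript above.
CFSCRIPT = r"""
File::
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job

Folder::
C:\Program Files\MorpheusBar
C:\Program Files\WindowsUpdate
C:\WINDOWS\system32\YMANTE~1
C:\WINDOWS\??pPatch
"""

# Constructed excerpt of the follow-up ComboFix log, trimmed to the relevant banners.
COMBOFIX_LOG = r"""
"HP_Administrator" - 2007-07-20 16:06:45 - ComboFix 07-07-17.8 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\MorpheusBar
C:\Program Files\WindowsUpdate
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job

((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))

2007-07-20 00:24 51,200 --a------ C:\WINDOWS\nircmd.exe
"""


def parse_cfscript(text):
    """Return {directive: [paths]} for each 'Name::' section of a CFScript."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_other_deletions(log):
    """Return the paths ComboFix listed under its 'Other Deletions' banner."""
    deleted, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("((((") and line.endswith("))))"):
            inside = "Other Deletions" in line   # any other banner ends the section
            continue
        if inside and line:
            deleted.append(line)
    return deleted


def reconcile(script_text, log_text):
    """Split File:: and Folder:: entries into those the log confirms and those it does not.

    Windows paths compare case-insensitively. Assumption: a "?" in the script
    stands for a character the console could not render, so it is matched as a
    single-character wildcard (fnmatch semantics), not as a literal "?".
    """
    script = parse_cfscript(script_text)
    requested = script.get("File", []) + script.get("Folder", [])
    deleted = [d.lower() for d in parse_other_deletions(log_text)]
    confirmed, unconfirmed = [], []
    for path in requested:
        if any(fnmatch.fnmatchcase(d, path.lower()) for d in deleted):
            confirmed.append(path)
        else:
            unconfirmed.append(path)
    return {"confirmed": confirmed, "unconfirmed": unconfirmed}


if __name__ == "__main__":
    result = reconcile(CFSCRIPT, COMBOFIX_LOG)
    print("confirmed deleted:", *result["confirmed"], sep="\n  ")
    print("not in Other Deletions, re-check:", *result["unconfirmed"], sep="\n  ")
```

An entry missing from `Other Deletions` does not prove the item survived (it may never have existed, or may have been handled elsewhere in the run), but it is exactly the list to verify by hand before declaring the machine clean.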

#8 aotke1110 (Topic Starter)

Posted 20 July 2007 - 05:18 PM

Here are the logs you asked for:

New COMBOFIX log:

"HP_Administrator" - 2007-07-20 16:06:45 - ComboFix 07-07-17.8 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\MorpheusBar
C:\Program Files\WindowsUpdate
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job


((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))


2007-07-20 00:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 14:41 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-19 14:41 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-19 14:41 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-19 14:41 428,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-19 14:41 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-07-19 14:41 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-07-19 14:41 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-19 14:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-07-19 14:40 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-19 14:40 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-19 14:40 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-19 05:55 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-19 00:33 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-18 23:36 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-18 19:56 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-18 16:11 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-18 16:10 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\.housecall6.6
2007-07-17 23:13 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2007-07-17 23:12 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2007-07-17 22:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-17 22:52 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-17 15:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-17 15:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-17 15:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-07 12:01 <DIR> d-------- C:\spoolerlogs
2007-07-07 09:30 1,156 --a------ C:\WINDOWS\mozver.dat
2007-07-07 08:59 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Talkback
2007-07-07 08:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-29 10:18 <DIR> d-------- C:\VundoFix Backups
2007-06-25 23:10 <DIR> d-------- C:\Temp
2007-06-20 09:35 <DIR> d-------- C:\Program Files\Ares
2007-06-20 09:05 <DIR> d-------- C:\Program Files\Soulseek


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 05:37:29 6,092 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-18 20:15:37 -------- d-----w C:\Program Files\Trend Micro
2007-07-18 05:19:18 -------- d-----w C:\Program Files\Shrink Pic
2007-07-18 05:19:17 -------- d-----w C:\Program Files\QuickTime
2007-07-18 05:19:16 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-07-18 05:19:16 -------- d-----w C:\Program Files\Messenger
2007-07-18 05:19:16 -------- d-----w C:\Program Files\GameSpot
2007-07-18 05:19:15 -------- d---a-w C:\Program Files\Common Files\LightScribe
2007-07-17 21:17:44 -------- d-----w C:\Program Files\Morpheus
2007-06-29 16:26:19 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-06-29 16:26:19 203,024 ----a-w C:\WINDOWS\system32\drivers\TmXPFlt.sys
2007-06-29 16:26:19 1,126,328 ----a-w C:\WINDOWS\system32\drivers\VSAPINT.SYS
2007-06-15 14:44:36 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-09 20:54:30 -------- d--h--w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Move Networks
2007-06-04 21:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 21:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 21:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-30 20:17:57 -------- d-----w C:\Program Files\EA Games
2007-05-29 19:48:58 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Command & Conquer 3 Tiberium Wars Demo
2007-05-29 19:45:06 -------- d-----w C:\Program Files\Electronic Arts
2007-03-14 05:20:50 90 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2005-11-21 16:54 399424 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FA70FD7-6B06-44DD-B58C-6FA34686617C}]
C:\WINDOWS\system32\gebyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14AAEC5F-58F0-44ED-802A-D291824A7E6C}]
C:\WINDOWS\system32\mljgd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14f5e9db-3341-49a0-88b7-29a40f79faeb}]
C:\WINDOWS\system32\oydxbta.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22B57FA2-BA09-443E-9EEE-07EDB4138319}]
C:\WINDOWS\system32\jkhfd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22B6ED64-84BE-467D-923F-75A239270780}]
C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26E38EE7-4231-4A8B-98F9-2A87D792E8C9}]
C:\WINDOWS\system32\vturs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CCC6448-CA17-4B1F-ACF1-85C8E6E4F3D7}]
C:\WINDOWS\system32\ddcyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37411524-1DA8-4D3D-AD8E-D16253DB7D8D}]
C:\WINDOWS\system32\pmnll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BA66C82-749D-43CC-BE0C-E424768B7E69}]
C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E03EEB2-7B1B-4FBE-B6CE-B9E07E28288C}]
C:\WINDOWS\system32\pmnlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EB07752-7630-4242-BE8D-F38D3B88FCF6}]
C:\WINDOWS\system32\gebca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{627D725B-8D33-4D82-93E6-667838BC08F0}]
C:\WINDOWS\system32\mllmn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{641FBB11-B1CE-4AE3-B0EE-716F7251897D}]
C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67D93307-E41A-4E00-8BDF-BB1E9F4D48C8}]
C:\WINDOWS\system32\ddcya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C191CFB-F56B-AB94-1E12-FE8DBD5687EE}]
C:\WINDOWS\system32\dnc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7192917A-7229-4A48-99B2-97ECFD624510}]
C:\WINDOWS\system32\awtsq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{772D37F3-BD64-4549-9A00-6B2E2E2CE1C0}]
C:\WINDOWS\system32\jkhhf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA775E92-0B22-49CA-AE26-289C5DEED05C}]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B188D0C4-3554-41E3-B189-3840DD10E2AF}]
C:\WINDOWS\system32\mljji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0B51CFB-BDD1-4197-B7AE-87197F6B03D6}]
C:\WINDOWS\system32\gebyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C686B3E2-4673-43AC-B11C-B3020589BCE2}]
C:\WINDOWS\system32\ddabx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6278BB5-F7DD-4318-800E-41687C7A52EA}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36205B6-B4D8-4FA9-B317-20FEC0A4F252}]
C:\WINDOWS\system32\geebb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 16:51]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 16:50]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 16:51]
"HostManager"="C:\Program Files\Common Files\AOL\1138075908\EE\AOLHostManager.exe" [2004-11-03 15:03]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 08:40]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 18:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-28 00:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-27 23:51]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 13:03]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 13:03]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-04-22 20:19]
"Scbu"="C:\WINDOWS\system32\YMANTE~1\msconfig.exe" []
"Dxvg"="C:\WINDOWS\??pPatch\??anregw.exe" []
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 16:37]

C:\DOCUME~1\HP_ADM~1\STARTM~1\Programs\Startup
GameSpot Download Manager.lnk - C:\Program Files\GameSpot\GDM_TrayApp.exe [2007-05-09 10:48:26]
Shrink Pic.lnk - C:\Program Files\Shrink Pic\shrink_pic.exe [2006-08-18 09:37:32]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-09-28 00:13:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlj]
C:\WINDOWS\system32\pmnlj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
"C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" -r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Windows Visual V2.1
C:\WINDOWS\msiutil.exe

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-20 16:10:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-20 16:12:08
C:\ComboFix-quarantined-files.txt ... 2007-07-20 16:11
C:\ComboFix2.txt ... 2007-07-20 01:10

--- E O F ---


New HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:19 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\PROGRA~1\COMMON~1\AOL\113807~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\COMMON~1\AOL\113807~1\EE\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FA70FD7-6B06-44DD-B58C-6FA34686617C} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {14AAEC5F-58F0-44ED-802A-D291824A7E6C} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: (no name) - {14f5e9db-3341-49a0-88b7-29a40f79faeb} - C:\WINDOWS\system32\oydxbta.dll (file missing)
O2 - BHO: (no name) - {22B57FA2-BA09-443E-9EEE-07EDB4138319} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: (no name) - {22B6ED64-84BE-467D-923F-75A239270780} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: (no name) - {26E38EE7-4231-4A8B-98F9-2A87D792E8C9} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {2CCC6448-CA17-4B1F-ACF1-85C8E6E4F3D7} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O2 - BHO: (no name) - {37411524-1DA8-4D3D-AD8E-D16253DB7D8D} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {3BA66C82-749D-43CC-BE0C-E424768B7E69} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {4E03EEB2-7B1B-4FBE-B6CE-B9E07E28288C} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {4EB07752-7630-4242-BE8D-F38D3B88FCF6} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {627D725B-8D33-4D82-93E6-667838BC08F0} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: (no name) - {641FBB11-B1CE-4AE3-B0EE-716F7251897D} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {67D93307-E41A-4E00-8BDF-BB1E9F4D48C8} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {6C191CFB-F56B-AB94-1E12-FE8DBD5687EE} - C:\WINDOWS\system32\dnc.dll (file missing)
O2 - BHO: (no name) - {7192917A-7229-4A48-99B2-97ECFD624510} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {772D37F3-BD64-4549-9A00-6B2E2E2CE1C0} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {AA775E92-0B22-49CA-AE26-289C5DEED05C} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {B188D0C4-3554-41E3-B189-3840DD10E2AF} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: (no name) - {C0B51CFB-BDD1-4197-B7AE-87197F6B03D6} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {C686B3E2-4673-43AC-B11C-B3020589BCE2} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {D6278BB5-F7DD-4318-800E-41687C7A52EA} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {E36205B6-B4D8-4FA9-B317-20FEC0A4F252} - C:\WINDOWS\system32\geebb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1138075908\EE\AOLHostManager.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Dxvg] C:\WINDOWS\??pPatch\??anregw.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184815151765
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12795 bytes



Thank you so much again, the help is much appreciated.

#9 Rorschach


Posted 22 July 2007 - 06:59 AM

Hello aotke1110

I just have a question before we start, have you been clicking on "Fix checked" for the bad entries I've listed in HijackThis? They don't seem to be getting fixed which is strange.

Let's see if this works though :thumbsup:

Open notepad (Start > Run and type notepad > click Ok) and copy/paste the text in the quote box below into it:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FA70FD7-6B06-44DD-B58C-6FA34686617C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14AAEC5F-58F0-44ED-802A-D291824A7E6C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14f5e9db-3341-49a0-88b7-29a40f79faeb}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22B57FA2-BA09-443E-9EEE-07EDB4138319}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22B6ED64-84BE-467D-923F-75A239270780}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26E38EE7-4231-4A8B-98F9-2A87D792E8C9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CCC6448-CA17-4B1F-ACF1-85C8E6E4F3D7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37411524-1DA8-4D3D-AD8E-D16253DB7D8D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BA66C82-749D-43CC-BE0C-E424768B7E69}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E03EEB2-7B1B-4FBE-B6CE-B9E07E28288C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EB07752-7630-4242-BE8D-F38D3B88FCF6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{627D725B-8D33-4D82-93E6-667838BC08F0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{641FBB11-B1CE-4AE3-B0EE-716F7251897D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67D93307-E41A-4E00-8BDF-BB1E9F4D48C8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C191CFB-F56B-AB94-1E12-FE8DBD5687EE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7192917A-7229-4A48-99B2-97ECFD624510}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{772D37F3-BD64-4549-9A00-6B2E2E2CE1C0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA775E92-0B22-49CA-AE26-289C5DEED05C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B188D0C4-3554-41E3-B189-3840DD10E2AF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0B51CFB-BDD1-4197-B7AE-87197F6B03D6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C686B3E2-4673-43AC-B11C-B3020589BCE2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6278BB5-F7DD-4318-800E-41687C7A52EA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36205B6-B4D8-4FA9-B317-20FEC0A4F252}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Scbu"=-
"Dxvg"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlj]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-



Save this as CFScript

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

Run ComboFix again and post the resultant log file please with a fresh HJT log. Please let me know if you had any problems.
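As an added example (not code from this thread, from ComboFix or from BleepingComputer), the script below automates the triage done by hand above: it reads HijackThis O2/O4/O20 lines, flags the Vundo-style entries, and renders them as CFScript `Registry::` lines in the same format as the quote box. The heuristics are my own assumptions modelled on the logs in this thread (an unnamed BHO backed by a short random-named DLL in system32, a Run value launching from a subfolder of system32 or with `?` in its path, and a Winlogon Notify hook to the same kind of DLL); the sample log lines are constructed from entries posted here.

```python
# Added example for this thread (not ComboFix or BleepingComputer code): triage HijackThis
# O2/O4/O20 lines for Vundo-style persistence and emit the matching CFScript Registry:: entries.
# The detection heuristics are the editor's assumptions, modelled on the logs above.
import re
from dataclasses import dataclass

# Constructed sample, modelled on entries from the logs in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0FA70FD7-6B06-44DD-B58C-6FA34686617C} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Dxvg] C:\WINDOWS\??pPatch\??anregw.exe
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# Vundo-style names seen in this thread: a few lowercase letters plus .dll (gebyv, pmnlj, ...).
RANDOM_DLL_RE = re.compile(r"^[a-z]{3,6}\.dll$")
HIVE_FULL = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

@dataclass
class Finding:
    section: str      # HijackThis section: O2, O4 or O20
    identifier: str   # CLSID, Run value name or Winlogon Notify key
    path: str
    reason: str
    hive: str = ""    # only meaningful for O4

def _system32_position(path: str):
    """Return (under_system32_tree, directly_in_system32) for a Windows path."""
    parts = path.lower().replace("/", "\\").split("\\")
    if "system32" not in parts:
        return False, False
    i = parts.index("system32")
    return True, len(parts) == i + 2

def _command_target(cmd: str) -> str:
    """Pull the executable path out of a Run value's command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def _random_system32_dll(path: str) -> bool:
    under, direct = _system32_position(path)
    return under and direct and bool(RANDOM_DLL_RE.match(path.rsplit("\\", 1)[-1]))

def analyze(log_text: str) -> list:
    """Return the entries that match the Vundo persistence pattern, in log order."""
    findings = []
    for line in log_text.splitlines():
        if m := O2_RE.match(line):
            # "(no name)" alone is not evidence: Spybot's SDHelper shows up that way too.
            if m["name"] == "(no name)" and _random_system32_dll(m["path"]):
                findings.append(Finding("O2", m["clsid"], m["path"],
                                        "unnamed BHO backed by random-named system32 DLL"))
        elif m := O4_RE.match(line):
            target = _command_target(m["cmd"])
            under, direct = _system32_position(target)
            if under and not direct:
                findings.append(Finding("O4", m["value"], target,
                                        "Run value launches from a subfolder of system32", m["hive"]))
            elif "?" in target:
                findings.append(Finding("O4", m["value"], target,
                                        "Run value path contains unprintable characters", m["hive"]))
        elif m := O20_RE.match(line):
            if _random_system32_dll(m["path"]):
                findings.append(Finding("O20", m["key"], m["path"],
                                        "Winlogon Notify hook to random-named system32 DLL"))
    return findings

def to_cfscript(findings) -> str:
    """Render findings as the Registry:: section of a ComboFix CFScript ([-key] deletes a key, "v"=- a value)."""
    lines = ["Registry::"]
    for f in findings:
        if f.section == "O2":
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.identifier}]")
    for hive in HIVE_FULL:
        values = [f.identifier for f in findings if f.section == "O4" and f.hive == hive]
        if values:
            lines.append(f"[{HIVE_FULL[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
            lines.extend(f'"{v}"=-' for v in values)
    for f in findings:
        if f.section == "O20":
            lines.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                         f"\\currentversion\\winlogon\\notify\\{f.identifier}]")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = analyze(SAMPLE_HJT_LOG)
    for f in found: print(f"{f.section:<3} {f.identifier:<40} {f.reason}")
    print(to_cfscript(found))
```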

#10 aotke1110 (Topic Starter)

Posted 22 July 2007 - 02:13 PM

I did do Fix checked on the ones you told me; however, I think I may have made a stupid mistake and posted the HijackThis log before I fixed those things with HijackThis, so here's a current HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:11 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\PROGRA~1\COMMON~1\AOL\113807~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\COMMON~1\AOL\113807~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1138075908\EE\AOLHostManager.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184815151765
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9888 bytes

Edited by aotke1110, 22 July 2007 - 02:14 PM.


#11 Rorschach


Posted 22 July 2007 - 03:17 PM

Hello aotke1110


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#12 aotke1110 (Topic Starter)

Posted 23 July 2007 - 01:18 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 23, 2007 12:13:29 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 23/07/2007
Kaspersky Anti-Virus database records: 366692
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 96564
Number of viruses found: 15
Number of infected objects: 84
Number of suspicious objects: 0
Duration of the scan process: 01:33:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\cert8.db Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\history.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\key3.db Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\parent.lock Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\search.sqlite Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\jthq866g.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007072220070723\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\GameSpot\logs\GameSpot_Download_Service.log Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Antivirus\LastScan.ini Object is locked skipped
C:\Program Files\Trend Micro\Antivirus\VSSEVAJF.04L Infected: not-a-virus:Downloader.Win32.Agent.h skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\L0000012.FCS Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.idx Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\{30B92~1\Bar888.dll.vir Infected: not-a-virus:AdWare.Win32.Mostofate.ac skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\horefo43855.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\PPATCH~1\ѕсanregw.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awvtr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\B1\wbb22.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.dh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dnc.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fccdbca.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geeda.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geedc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkli.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnlj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winword.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP417\A0036749.exe/stream/data0009 Infected: not-a-virus:AdWare.Win32.Softomate.t skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP417\A0036749.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.t skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP417\A0036749.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP423\A0041001.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP423\A0041001.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP445\A0047230.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP445\A0047273.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP445\A0047273.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP445\A0048269.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP445\A0048326.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP445\A0048349.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP446\A0048612.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP446\A0048629.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP446\A0048648.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP446\A0048688.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP446\A0048743.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP446\A0048773.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP446\A0048831.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0048967.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0048996.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049021.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049065.exe Infected: Backdoor.Win32.VB.kb skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049066.exe Infected: Backdoor.Win32.VB.kb skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049075.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049102.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049130.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049158.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049228.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049272.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049300.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049326.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049327.dll Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049329.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049329.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049332.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049333.dll Infected: not-a-virus:AdWare.Win32.Mostofate.ac skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049335.exe Infected: not-a-virus:AdWare.Win32.Agent.dh skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049337.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049340.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049341.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049342.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049343.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP449\A0049593.dll Infected: not-a-virus:AdWare.Win32.Softomate.t skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP451\change.log Object is locked skipped
C:\VundoFix Backups\awtsq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\ddabx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\ddaya.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\ddcya.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\ddcyv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\gebca.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\gebyv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\gebyw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\geebb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\geebc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\jkhfd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\jkhhf.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\mljgd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\mljge.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\mljji.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\mllmn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\pmnlk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\pmnll.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\sstqr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\ssttt.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\vturs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\YOUR-B27FB1C401.ldb Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F64E227E-906C-42D5-9AF5-20051A39589F}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT020d6.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT020d9.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP451\change.log Object is locked skipped

Scan process completed.

#13 Rorschach

Rorschach

  • Members
  • 523 posts
  • Local time:02:23 AM

Posted 23 July 2007 - 06:20 AM

Hi aotke1110. Your log looks good! Just a few small steps left to do.

Please delete these folders in bold

C:\VundoFix Backups
C:\QooBox

Please delete this file in bold

C:\Program Files\Morpheus\morpheustoolbar.exe


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com/products/acrobat/readstep2.html



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
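The reply above calls the Kaspersky report "good" even though it lists 84 infected objects, because every Virtumonde, PurityScan and Backdoor hit sits inside ComboFix's QooBox quarantine, the VundoFix Backups folder or a System Restore snapshot, and the only live detection the helper asks to delete is morpheustoolbar.exe (KillWind.exe carries Kaspersky's "not-a-virus:RiskTool" label, which it applies to legitimate administrative tools). The following Python script is an added example, not code from the thread or from any of the tools named in it: it parses a report in this layout and sorts each detection by where it lives so the same judgement can be made at a glance. The sample report is constructed from a handful of lines of the log above, and the path-based classification rules are my own assumptions.

```python
"""Triage a Kaspersky Online Scanner text report by detection location.

Added example. The report layout follows the log posted above; the
sample below is a constructed subset of it, and the rules that decide
whether a path is quarantine, backup, restore point or live are assumptions.
"""
import re
from collections import Counter

# Constructed sample: a few lines copied from the report above, not the whole log.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awvtr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP447\A0049065.exe Infected: Backdoor.Win32.VB.kb skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049329.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP448\A0049329.exe NSIS: infected - 1 skipped
C:\VundoFix Backups\awtsq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
Scan process completed.
"""

# One regex per line shape seen in the report. Paths contain spaces, so the
# path group is non-greedy and the verdict text anchors the end of the line.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def location_class(path: str) -> str:
    """Classify where a detected object lives (assumed rules, matched case-insensitively)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:          # ComboFix quarantine folder
        return "quarantine"
    if "\\vundofix backups\\" in p:            # VundoFix keeps renamed copies here
        return "vundofix_backup"
    if "\\system volume information\\_restore" in p:  # System Restore snapshots
        return "restore_point"
    return "live"                               # anything else is on a real path


def parse_report(text: str) -> list:
    """Turn report lines into records: {'path', 'verdict', 'name'}."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            records.append({"path": m["path"], "verdict": "infected", "name": m["name"]})
            continue
        m = CONTAINER_RE.match(line)
        if m:  # archive summary line (NSIS/Inno); its members are listed separately
            label = f"{m['kind']} archive, {m['count']} infected member(s)"
            records.append({"path": m["path"], "verdict": "container", "name": label})
            continue
        m = LOCKED_RE.match(line)
        if m:  # scanner could not open the file, so it is unscanned rather than clean
            records.append({"path": m["path"], "verdict": "locked", "name": None})
    return records


def triage(text: str) -> dict:
    """Count named detections per location and list the ones on live paths."""
    records = parse_report(text)
    by_location = Counter()
    families = Counter()
    live = []
    for rec in records:
        if rec["verdict"] != "infected":
            continue  # containers duplicate their members; locked files carry no verdict
        loc = location_class(rec["path"])
        by_location[loc] += 1
        families[rec["name"]] += 1
        if loc == "live":
            live.append((rec["path"], rec["name"]))
    locked = sum(1 for r in records if r["verdict"] == "locked")
    return {
        "by_location": dict(by_location),
        "families": dict(families),
        "live": live,
        "locked_not_scanned": locked,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("detections by location:", result["by_location"])
    print("locked objects (not scanned):", result["locked_not_scanned"])
    for path, name in result["live"]:
        print("LIVE:", name, "->", path)
```

Run it against the full report by reading the saved text file into `triage()` instead of `SAMPLE_REPORT`. The "live" list is the only one that needs a decision; quarantine and backup folders are removed as a whole, and restore-point copies disappear when the old restore points are purged with Disk Cleanup as described above. Locked objects are reported separately because "skipped" there means the scanner never looked inside, not that the file is clean.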

#14 aotke1110

aotke1110
  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:23 PM

Posted 23 July 2007 - 10:59 AM

I have completed all your instructions, and I actually use Firefox most of the time unless I need IE for the Trend HouseCall or other such things. Thank you so much again for all your help; it was greatly appreciated.

#15 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:04:23 AM

Posted 23 July 2007 - 03:48 PM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread.
This applies to the topic starter only; everyone else with similar problems, start a new topic.

glad we could help :thumbsup:

thank you Rorschach :flowers:
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
