Another Hjt Log


  • This topic is locked
15 replies to this topic

#1 dc3


    Bleeping Treehugger


  • Members
  • 30,714 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 24 July 2007 - 12:48 AM

The following I had posted in the Windows XP Home and Pro forum, which explains my situation.

Hi all, I have a friend's computer that I've spent the last three days getting rid of infections on, because there hasn't been any protection for the last year, and defragging the HDD, which had never been defragged. After three days of playing with this I've run out of energy to pursue it, so I'm asking for help. I have everything running smoothly now except for two error messages that appear on the desktop at startup; these are:

1) This application has failed to start because MFC71.DLL was not found.
Reinstalling the application may fix this.

2) Error loading C:\WINDOWS\system32\j0221439.dll

The OS used is XP Home. My question is: can I use the repair disc to fix these, and do I have to use the specific disc that came with the computer, or can I use mine?

Are there alternatives for restoring these?

I will appreciate any help that I can get, I'm so close to having this done.


jwinathome responded with the suggestion that I post a HJT log, so here it is. If this doesn't work I may take this computer down to the river and baptize it.

Edit: I forgot to mention that I ran scans with AVG, Adaware, Spybot S&D, Asquared, and Ccleaner. All definitions are current; when I ran Adaware there were 901 items found. :thumbsup:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:04 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7401624F-BA60-4B2E-B79B-D81C65859A35} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B8C095B9-7388-4489-B5BA-AE277DD99FA0} - (no file)
O2 - BHO: (no name) - {C6D4A07E-2708-4A04-83B8-BA2913DFDF3c} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [j0221439] rundll32 C:\WINDOWS\system32\j0221439.dll sook
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kaaktibd.dll",realset
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run: [ofvumn] C:\WINDOWS\System32\ofvumn.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Mfgfngbz] C:\WINDOWS\System32\n?lookup.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Mfgfngbz] C:\WINDOWS\System32\n?lookup.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121995199312
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E1CF344-43D7-486D-9DBA-4565A8564543}: NameServer = 66.81.1.251 66.81.1.252
O20 - Winlogon Notify: acbsvs - C:\WINDOWS\MICROS~1.NET\acbsvs.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\slhtcvfe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12228 bytes

Edited by dc3, 24 July 2007 - 01:38 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#2 waterfalls


    Malware Exorcist


  • Members
  • 621 posts
  • Gender:Male

Posted 24 July 2007 - 02:12 AM

Hi -

You can download MFC71.DLL from:
http://www.dll-files.com

You probably will need to register it, so after downloading it and placing it in the C:\Windows\system32 folder:
- Go to Start > Run > type: regsvr32 mfc71.dll
- Exit.

Before you do this, however, we definitely need to clean your system, so do the following in the order stated.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
O2 - BHO: (no name) - {7401624F-BA60-4B2E-B79B-D81C65859A35} - (no file)
O2 - BHO: (no name) - {B8C095B9-7388-4489-B5BA-AE277DD99FA0} - (no file)
O2 - BHO: (no name) - {C6D4A07E-2708-4A04-83B8-BA2913DFDF3c} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - (no file)
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O20 - Winlogon Notify: acbsvs - C:\WINDOWS\MICROS~1.NET\acbsvs.dll (file missing)


Close ALL browsers and open windows/programs, leaving just HijackThis, and click 'Fix Checked'.

Reboot your computer.

Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log in your next reply.
Please download ComboFix from one of the following links:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
- and save it to the Desktop.

1. Double click on combo.exe and follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Post back with the log from Superantispyware, the C:\ComboFix.txt log and a new HijackThis log.
Take only memories, leave nothing but footprints.

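Added example, not code from HijackThis, ComboFix or either poster: a small Python triage script for logs in the HijackThis v2 format shown above. Its rules encode the item categories the helper ticks in the reply (orphan O2 BHOs, O15 Trusted Zone entries, missing O20 DLLs) plus a few cheap heuristics for O4/O23 lines; the embedded sample lines are taken from the first log in this thread, and the rule set and reason wording are my own assumptions, so a hit means "review", not "malware".

```python
"""Triage helper for HijackThis v2 logs in the format posted in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One log item: "O4 - HKLM\..\Run: [...] ..." -> section "O4", body "HKLM\..\Run: [...] ..."
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


@dataclass
class Entry:
    section: str  # "R1", "O2", "O15", ...
    body: str     # everything after the "Oxx - " prefix


def parse_hjt_log(text: str) -> List[Entry]:
    """Keep only the R*/O* item lines; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(e: Entry) -> Optional[str]:
    """Return a short reason when an entry deserves a closer look, else None.

    Rule set is an assumption for this example: it mirrors what the helper
    ticked in reply #2 plus a few heuristics for O4/O23 entries.
    """
    b = e.body
    if e.section == "O2" and b.endswith("(no file)"):
        return "BHO CLSID still registered but its DLL is gone (leftover to remove)"
    if e.section == "O15":
        return "site or IP added to IE Trusted Zone (browser restrictions relaxed)"
    if e.section == "O20" and "(file missing)" in b:
        return "Winlogon Notify DLL registered but missing (leftover to remove)"
    if e.section == "O23" and "(file missing)" in b:
        return "service registered without its binary (leftover to remove)"
    if e.section == "O4" and "?" in b:
        return "autorun path contains an unprintable character (HJT shows it as '?')"
    if e.section == "O4" and re.search(r'rundll32(\.exe)?\s+"?C:\\WINDOWS\\system32\\', b, re.I):
        return "DLL loaded at logon through rundll32 from system32 (check the DLL)"
    if e.section == "O4" and "Policies\\Explorer\\Run" in b:
        return "autorun via Policies\\Explorer\\Run (rarely used by legitimate software)"
    if e.section == "R1" and "SearchAssistant = about:blank" in b:
        return "IE SearchAssistant points at about:blank (typical hijack residue)"
    return None


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """(section, reason, body) for every entry that triggers a rule."""
    hits = []
    for e in parse_hjt_log(text):
        reason = triage(e)
        if reason:
            hits.append((e.section, reason, e.body))
    return hits


# Constructed sample: a dozen lines copied from the first log in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [j0221439] rundll32 C:\WINDOWS\system32\j0221439.dll sook
O4 - HKLM\..\Policies\Explorer\Run: [ofvumn] C:\WINDOWS\System32\ofvumn.exe
O4 - HKUS\S-1-5-18\..\Run: [Mfgfngbz] C:\WINDOWS\System32\n?lookup.exe (User 'SYSTEM')
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted IP range: http://85.12.25.90
O20 - Winlogon Notify: acbsvs - C:\WINDOWS\MICROS~1.NET\acbsvs.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\slhtcvfe.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for section, reason, body in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```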

#3 dc3


    Bleeping Treehugger

  • Topic Starter

  • Members
  • 30,714 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 24 July 2007 - 05:35 AM

New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:56 AM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [ofvumn] C:\WINDOWS\System32\ofvumn.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Mfgfngbz] C:\WINDOWS\System32\n?lookup.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Mfgfngbz] C:\WINDOWS\System32\n?lookup.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121995199312
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: acbsvs - C:\WINDOWS\MICROS~1.NET\acbsvs.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9631 bytes


Combo fix file

"Owner" - 2007-07-24 3:13:45 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wdpblnpb.dll
C:\WINDOWS\system32\bpnlbpdw.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2006
C:\Documents and Settings\Owner.\err.log
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\companion wizard\log.txt
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\WINDOWS\system32\stera.log


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-24 03:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-24 01:46 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-24 01:46 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-07-24 01:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-24 01:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-23 22:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-23 21:29 <DIR> d-------- C:\Program Files\Uniblue
2007-07-23 21:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-07-23 10:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-22 21:45 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-07-22 21:45 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-22 21:44 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-22 21:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-22 21:43 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-21 19:43 12,290,511 --------- C:\AVG7QT.DAT
2007-07-21 12:38 <DIR> d-------- C:\Program Files\a-squared Free
2007-07-21 12:34 <DIR> d-------- C:\Program Files\Executive Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 10:18:55 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\OpenOffice.org2
2007-07-24 10:18:34 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-07-22 09:40:47 -------- d-----w C:\Program Files\Lavasoft
2007-07-22 09:27:03 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-07-22 02:42:13 -------- d-----w C:\Program Files\MSN Messenger
2007-07-19 04:08:15 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-06-27 00:38:33 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-01-03 04:28:16 15,756 ----a-w C:\Program Files\thesims.ttf
2005-12-11 19:59:23 34,412,848 ----a-w C:\Program Files\iTunesSetup.exe
2005-10-03 02:14:15 734,538 ----a-w C:\Program Files\03-piano.mp3
2005-10-02 05:12:13 8,191,242 ----a-w C:\Program Files\tibia75.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 22:32]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" []
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 12:30]
"MCAgentExe"="C:\PROGRA~1\McAfee.com\Agent\McAgent.exe" []
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2003-10-10 03:14]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-07-23 01:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 22:21]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Mfgfngbz"=C:\WINDOWS\System32\n?lookup.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 18:01:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2007-01-05 13:29:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"ofvumn"=C:\WINDOWS\System32\ofvumn.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acbsvs]
C:\WINDOWS\MICROS~1.NET\acbsvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS Client]
"C:\Program Files\Cas\Client\casclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lo5qRkaET]
dsaservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinToolsSvc"=2 (0x2)
"TBPSSvc"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=2 (0x2)
"McShield"=3 (0x3)

R0 srescan;srescan;C:\WINDOWS\system32\ZoneLabs\srescan.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S2 DP1112;DP1112;\??\C:\WINDOWS\system32\Drivers\DP.sys
S3 ApiMon;ApiMon;\??\C:\WINDOWS\system32\drivers\ApiMon.sys
S3 krdpdre;krdpdre;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys
S3 MOSUMAC;USB-Ethernet Driver;C:\WINDOWS\system32\DRIVERS\MOSUMAC.SYS
S3 wltwo51b;2Wire Wireless USB adapter Driver;C:\WINDOWS\system32\DRIVERS\wltwo51b.sys


Contents of the 'Scheduled Tasks' folder
2007-07-23 14:47:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 03:18:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ADKW]
"DisplayName"="Search Assistant"
"UninstallString"="C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe uninstadkw"
"Publisher"="WinTools"
"URLInfoAbout"="http://www.win-tools.com/"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 3:20:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-24 03:20

--- E O F ---

Superantispyware file


http://www.superantispyware.com

Generated 07/24/2007 at 02:45 AM

Application Version : 3.9.1008

Core Rules Database Version : 3273
Trace Rules Database Version: 1284

Scan type : Complete Scan
Total Scan Time : 00:42:50

Memory items scanned : 447
Memory threats detected : 1
Registry items scanned : 5206
Registry threats detected : 76
File items scanned : 35420
File threats detected : 154

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\KAAKTIBD.DLL
C:\WINDOWS\SYSTEM32\KAAKTIBD.DLL
HKLM\Software\Classes\CLSID\{92A444D2-F945-4dd9-89A1-896A6C2D8D22}
HKLM\Software\Classes\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}
HKLM\Software\Classes\CLSID\{D651AFF4-9590-424d-BD1E-8E33E090DFB3}
HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}
HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}\InprocServer32
HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}\InprocServer32#ThreadingModel
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32#ThreadingModel
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32#ThreadingModel
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP557\A0066606.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP558\A0067629.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP560\A0069629.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP561\A0070629.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP562\A0071642.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP562\A0071658.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP562\A0071659.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP562\A0072658.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0072717.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0072718.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0072719.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0072720.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0072721.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0072722.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0073717.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0073718.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0074717.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP568\A0074738.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP569\A0074766.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP569\A0074779.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP569\A0074793.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP573\A0074873.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP573\A0074874.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP573\A0074875.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0074950.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0074951.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0074952.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0075950.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0075951.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0075968.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0075969.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0076968.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0076969.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0076981.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP576\A0076982.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP577\A0077997.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP578\A0078016.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP579\A0078045.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP579\A0078061.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP579\A0079061.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP580\A0080061.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP580\A0080077.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP581\A0081077.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0081723.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082098.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082099.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082100.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082101.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082102.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082103.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082104.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082105.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082106.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082107.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082108.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082109.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082110.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082111.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{3FD6B99C-A275-46ea-8FD1-3D63986E51E4}
HKLM\Software\Classes\CLSID\{4A25D449-2BAA-4426-A992-D18CA70CF5A9}
HKLM\Software\Classes\CLSID\{57E218E6-5A80-4f0c-AB25-83598F25D7E9}
HKLM\Software\Classes\CLSID\{849B9523-785F-4014-9CAF-079FB4A74C61}
HKLM\Software\Classes\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
HKLM\Software\Classes\CLSID\{E03C740E-BB24-4d3c-B92A-6F84DE1DD99C}
HKLM\Software\Classes\CLSID\{F18F04B0-9CF1-4b93-B004-77A288BEE28B}
HKCR\CLSID\{4A25D449-2BAA-4426-A992-D18CA70CF5A9}
HKCR\CLSID\{4A25D449-2BAA-4426-A992-D18CA70CF5A9}\InprocServer32
HKCR\CLSID\{4A25D449-2BAA-4426-A992-D18CA70CF5A9}\InprocServer32#ThreadingModel
HKCR\CLSID\{3FD6B99C-A275-46EA-8FD1-3D63986E51E4}
HKCR\CLSID\{3FD6B99C-A275-46EA-8FD1-3D63986E51E4}\InprocServer32
HKCR\CLSID\{3FD6B99C-A275-46EA-8FD1-3D63986E51E4}\InprocServer32#ThreadingModel
HKCR\CLSID\{57E218E6-5A80-4F0C-AB25-83598F25D7E9}
HKCR\CLSID\{57E218E6-5A80-4F0C-AB25-83598F25D7E9}\InprocServer32
HKCR\CLSID\{57E218E6-5A80-4F0C-AB25-83598F25D7E9}\InprocServer32#ThreadingModel
HKCR\CLSID\{849B9523-785F-4014-9CAF-079FB4A74C61}
HKCR\CLSID\{849B9523-785F-4014-9CAF-079FB4A74C61}\InprocServer32
HKCR\CLSID\{849B9523-785F-4014-9CAF-079FB4A74C61}\InprocServer32#ThreadingModel
HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32
HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32#ThreadingModel
HKCR\CLSID\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}
HKCR\CLSID\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}\InprocServer32
HKCR\CLSID\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}\InprocServer32#ThreadingModel
HKCR\CLSID\{F18F04B0-9CF1-4B93-B004-77A288BEE28B}
HKCR\CLSID\{F18F04B0-9CF1-4B93-B004-77A288BEE28B}\InprocServer32
HKCR\CLSID\{F18F04B0-9CF1-4B93-B004-77A288BEE28B}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt
C:\Documents and Settings\Owner\Cookies\owner@1061917247[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@1072556060[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1.primaryads[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@btg.btgrab[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cliks[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@emarketmakers[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@offeroptimizer[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ad.zanox[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adknowledge[2].txt
C:\Documents and Settings\Guest\Cookies\guest@adopt.specificclick[2].txt
C:\Documents and Settings\Guest\Cookies\guest@affiliate.budsinc[2].txt
C:\Documents and Settings\Guest\Cookies\guest@azjmp[2].txt
C:\Documents and Settings\Guest\Cookies\guest@banner[1].txt
C:\Documents and Settings\Guest\Cookies\guest@belnk[1].txt
C:\Documents and Settings\Guest\Cookies\guest@burstnet[2].txt
C:\Documents and Settings\Guest\Cookies\guest@cpacampaigns.directtrack[2].txt
C:\Documents and Settings\Guest\Cookies\guest@cpvfeed[1].txt
C:\Documents and Settings\Guest\Cookies\guest@data2.perf.overture[2].txt
C:\Documents and Settings\Guest\Cookies\guest@data4.perf.overture[2].txt
C:\Documents and Settings\Guest\Cookies\guest@directtrack[1].txt
C:\Documents and Settings\Guest\Cookies\guest@dist.belnk[2].txt
C:\Documents and Settings\Guest\Cookies\guest@i.screensavers[2].txt
C:\Documents and Settings\Guest\Cookies\guest@icc.intellisrv[2].txt
C:\Documents and Settings\Guest\Cookies\guest@kanoodle[1].txt
C:\Documents and Settings\Guest\Cookies\guest@login.tracking101[2].txt
C:\Documents and Settings\Guest\Cookies\guest@neuroticmedia[1].txt
C:\Documents and Settings\Guest\Cookies\guest@nextag[2].txt
C:\Documents and Settings\Guest\Cookies\guest@qnsr[1].txt
C:\Documents and Settings\Guest\Cookies\guest@scavenger.contagiousmedia[1].txt
C:\Documents and Settings\Guest\Cookies\guest@screensavers.us.intellitxt[1].txt
C:\Documents and Settings\Guest\Cookies\guest@smileycentral[1].txt
C:\Documents and Settings\Guest\Cookies\guest@starware[2].txt
C:\Documents and Settings\Guest\Cookies\guest@web.neuroticmedia[1].txt
C:\Documents and Settings\Guest\Cookies\guest@winantispyware[1].txt
C:\Documents and Settings\Guest\Cookies\guest@winfixer[1].txt
C:\Documents and Settings\Guest\Cookies\guest@www.medialunchbox[1].txt
C:\Documents and Settings\Guest\Cookies\guest@www.precisioncounter[1].txt
C:\Documents and Settings\Guest\Cookies\guest@www.screensavers[1].txt
C:\Documents and Settings\Guest\Cookies\guest@www.sexbuddies[2].txt
C:\Documents and Settings\Guest\Cookies\guest@www.thespyguard[1].txt
C:\Documents and Settings\Guest\Cookies\guest@www.winfixer[1].txt
C:\Documents and Settings\Guest\Cookies\guest@xiti[1].txt

Adware.Apropos Media
HKU\S-1-5-21-1343024091-1303643608-839522115-1003\Software\Aprps

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#URLInfoAbout

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Capabilities
C:\WINDOWS\system32\drivers\uwasfsd.sys

Adware.IEPlugin
HKCR\Remove

Adware.ClickSpring
C:\RECYCLER\S-1-5-18\DC90.EXE
C:\RECYCLER\S-1-5-18\DC95.EXE

Trojan.Unknown Origin
C:\RECYCLER\S-1-5-21-1993962763-1390067357-839522115-1000\DF2.EXE

Trojan.Downloader-VSAddIn
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP583\A0081132.EXE

Trojan.Downloader-Crew
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP583\A0081133.DLL
C:\WINDOWS\SYSTEM32\CNUNCCCB.DLL
C:\WINDOWS\SYSTEM32\DJTPLFTI.DLL
C:\WINDOWS\SYSTEM32\EGKJPAAB.DLL
C:\WINDOWS\SYSTEM32\FJDSHGNO.DLL
C:\WINDOWS\SYSTEM32\INEXIITB.DLL
C:\WINDOWS\SYSTEM32\MVNIPYDS.DLL
C:\WINDOWS\SYSTEM32\NDMCVHTK.DLL
C:\WINDOWS\SYSTEM32\PDAVSSKH.DLL
C:\WINDOWS\SYSTEM32\QHPWSHUV.DLL

Trojan.Downloader-Gen/Shocker
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP583\A0081134.EXE

Adware.VSToolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0081955.DLL

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0081956.EXE

Trojan.Downloader-VSToolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082078.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082079.EXE

Trojan.Downloader-Gen/LIB
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082081.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082082.DLL

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6FC5C6C7-A2FD-49AF-8D69-80AB8EF23C09}\RP594\A0082097.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8500IS1A\winav_pro[1].css
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L6SVVTM1\ico4[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L6SVVTM1\bt2[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8R6Q90DV\box4[1].png
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8R6Q90DV\logo[2].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\63J1WBB6\yes[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8500IS1A\t_p4[1].png
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8R6Q90DV\t_p2[1].png
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8R6Q90DV\corner[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\63J1WBB6\price39[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8R6Q90DV\ico1[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8R6Q90DV\bkg3[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L6SVVTM1\getnow2[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8R6Q90DV\new-edition-label[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8500IS1A\lo[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\63J1WBB6\bg_menu[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8500IS1A\box3[1].png
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L6SVVTM1\ico2[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L6SVVTM1\bg_header[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L6SVVTM1\t_p1[1].png
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8500IS1A\div[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8500IS1A\winav_pro[1].htm
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8500IS1A\product[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8500IS1A\ico3[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\63J1WBB6\box2[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\8R6Q90DV\win-c[1].gif

I hope this is what you requested.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

#4 waterfalls (Malware Exorcist)

Posted 25 July 2007 - 02:42 AM

Hi -

You certainly had a lot of malware on your system. Unfortunately, your system is not clean yet, so please follow these directions.

Go to Start > Control Panel > Add/Remove Programs
- Select Cas > click Remove
- Exit.

Reboot your computer.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
O4 - HKUS\S-1-5-18\..\Run: [Mfgfngbz] C:\WINDOWS\System32\n?lookup.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Mfgfngbz] C:\WINDOWS\System32\n?lookup.exe (User 'Default user')
O20 - Winlogon Notify: acbsvs - C:\WINDOWS\MICROS~1.NET\acbsvs.dll (file missing)


If you did NOT set IE's start page to "about:blank" - then check this as well:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

Open Notepad and copy/paste the text inside the codebox below into it exactly as shown:

Folder::
C:\Program Files\Cas

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Mfgfngbz"=-

Save this as CFScript.txt
As in the above picture, drag CFScript.txt into ComboFix.exe
This will cause ComboFix to produce another log.
Post the log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please upload this file to Jotti's Online Virus Scan
C:\WINDOWS\system32\ofvumn.exe
- Click the link above
- Click "Browse" at the top of the page
- Navigate to C:\WINDOWS\system32\ofvumn.exe
- Click "Open" and let the scan finish
- Copy/paste the results in your next reply.

Lastly, open Notepad and copy and paste the following bold part in it exactly as shown:
dir C:\WINDOWS\system32\n?lookup.exe /a h > look.txt
start notepad look.txt

- Save this as look.bat, choose to save as "all files" and save it on your Desktop
- Double-click look.bat and Notepad will open with the contents.
- Copy and paste the contents in your next reply.

Post back with the requested info and a new HijackThis log.
Take only memories, leave nothing but footprints.

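Two of the items waterfalls asks about above, the n?lookup.exe value under HKEY_USERS\.default and ofvumn.exe under policies\explorer\Run, can be picked out mechanically from the "Reg Loading Points" and driver sections of the ComboFix log posted earlier in this thread. The Python script below is an added example; it is not part of this thread, of ComboFix or of HijackThis. It re-parses a handful of lines copied from that log (the krdpdre.sys driver line is included as a third case) and applies a few triage heuristics. The heuristics are this example's own assumptions: an empty [] after a Run value is read as "file not found", five or more consonants in a row in an entry name as "random-looking", and the two loading points in ODD_KEYS as unusual for legitimate software. One thing that is not an assumption: '?' cannot occur in a Windows filename, so the '?' in n?lookup.exe stands for a character the log could not print.

```python
import re

# Lines copied from the ComboFix log posted above: registry keys, Run values
# and driver entries, in the order ComboFix printed them.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 22:32]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Mfgfngbz"=C:\WINDOWS\System32\n?lookup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"ofvumn"=C:\WINDOWS\System32\ofvumn.exe
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
S2 DP1112;DP1112;\??\C:\WINDOWS\system32\Drivers\DP.sys
S3 krdpdre;krdpdre;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"([^"]+)"=(.+)$')
DRV_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+)$')
# Five or more consonants in a row: a rough "random-looking name" test (assumption).
CONSONANT_RUN = re.compile(r'[b-df-hj-np-tv-z]{5,}', re.IGNORECASE)
# Loading points that legitimate software almost never uses (assumption).
ODD_KEYS = ('policies\\explorer\\run', 'hkey_users\\.default')


def parse_entries(text):
    """Yield (kind, name, path, stamp, key) for each Run value or driver line.
    stamp is the text inside ComboFix's trailing [...]: '' when the brackets
    are empty, None when the line has none."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m:
            name, rest = m.groups()
            stamp = None
            if rest.startswith('"'):
                path, _, tail = rest[1:].partition('"')
                b = re.search(r'\[(.*)\]', tail)
                stamp = b.group(1) if b else None
            else:
                path = rest
            yield 'run', name, path, stamp, key
            continue
        m = DRV_RE.match(line)
        if m:
            _, name, _, path = m.groups()
            if path.startswith('\\??\\'):   # NT object-manager prefix on driver paths
                path = path[4:]
            yield 'driver', name, path, None, None


def triage(text):
    """Return {entry name: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for kind, name, path, stamp, key in parse_entries(text):
        reasons = []
        filename = path.rsplit('\\', 1)[-1]
        if '?' in filename:
            reasons.append("'?' cannot occur in a Windows filename; the real name "
                           "contains a character the log could not print")
        if '\\temp\\' in path.lower():
            reasons.append('loads from a Temp directory')
        if kind == 'run' and stamp == '':
            reasons.append('empty [] after the path: file probably missing (assumption)')
        if key and any(k in key.lower() for k in ODD_KEYS):
            reasons.append('unusual loading point: ' + key)
        if CONSONANT_RUN.search(name):
            reasons.append('random-looking name')
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == '__main__':
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print('  -', reason)
```

Run against the sample it flags Mfgfngbz (three reasons), ofvumn (loading point), krdpdre (Temp directory, random-looking name) and MCUpdateExe (empty brackets), and leaves the Broadcom driver, the Java updater and the Microsoft AntiSpyware entries alone. The consonant-run test is deliberately crude; it exists to show where such a check sits in the pipeline, not to replace looking the file up.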

#5 dc3 (Bleeping Treehugger, Topic Starter)

Posted 25 July 2007 - 02:54 AM

Hi waterfalls, I don't see anything in Add/Remove titled Cas. Would this be listed as anything else?

I also can't find ofvumm.exe in system 32.

Edited by dc3, 25 July 2007 - 04:47 AM.


#6 waterfalls (Malware Exorcist)

Posted 25 July 2007 - 04:20 AM

Hi -

It may not be listed in Add/Remove Programs since it's adware. It appears that you had stopped it from running via MSConfig. The folder will be removed anyway in a later step, so just skip the Add/Remove Programs step and keep going.

#7 dc3 (Bleeping Treehugger, Topic Starter)

Posted 25 July 2007 - 04:53 AM

I edited my last post and hadn't seen your last post, so I'm placing it here to make sure you see it.

I also can't find ofvumm.exe in system 32.


#8 waterfalls (Malware Exorcist)

Posted 25 July 2007 - 11:28 AM

Hi -

It's an O4 entry in your last HijackThis log and ComboFix's log. It's probably a hidden file, so enable showing hidden files:
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

It looks like malware, but I want to check it at Jotti's first.

It would also help if, when you find the file, you right-click it, select Properties, click the Version tab and see whether it lists a company under Other version information. Then you can scan it at Jotti's.
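The look.bat posted earlier relies on cmd's "?" wildcard matching exactly one character, so dir C:\WINDOWS\system32\n?lookup.exe will list the legitimate nslookup.exe that ships in system32 alongside the suspect file; the suspect is the extra entry, and the thing to find out is which character hides behind the "?". The Python script below is an added example, not from this thread, that performs the same match over a constructed scratch directory and reports which matching name carries a non-ASCII character and what that character is. The Cyrillic letter it plants in the sample is a stand-in chosen for the example; the thread never identifies the real character on the poster's machine, and the only certainty is that "?" cannot be part of a Windows filename. The hidden-attribute check uses st_file_attributes, which exists only on Windows, and reports False elsewhere.

```python
import os
import fnmatch
import stat
import tempfile
import unicodedata


def ascii_view(name):
    """Render a filename the way a non-Unicode log does: every character
    outside ASCII becomes '?', which is how 'n?lookup.exe' ends up in the log."""
    return name.encode('ascii', 'replace').decode('ascii')


def odd_chars(name):
    """Characters of a filename outside printable ASCII, with code point and name."""
    return [(c, 'U+%04X' % ord(c), unicodedata.name(c, 'UNNAMED'))
            for c in name if not 0x20 <= ord(c) < 0x7F]


def is_hidden(path):
    """Windows 'hidden' attribute (what dir /a reveals); always False elsewhere."""
    attrs = getattr(os.stat(path), 'st_file_attributes', 0)
    return bool(attrs & getattr(stat, 'FILE_ATTRIBUTE_HIDDEN', 0x2))


def find_matches(directory, pattern='n?lookup.exe'):
    """Equivalent of 'dir <directory>\\n?lookup.exe /a': every entry matching the
    pattern (case-insensitive, '?' = exactly one character), with a verdict."""
    results = []
    for entry in sorted(os.listdir(directory)):
        if not fnmatch.fnmatchcase(entry.lower(), pattern.lower()):
            continue
        odd = odd_chars(entry)
        results.append({
            'name': entry,
            'as_logged': ascii_view(entry),
            'hidden': is_hidden(os.path.join(directory, entry)),
            'suspicious': bool(odd),
            'chars': odd,
        })
    return results


def build_sample_dir():
    """Constructed sample directory (not the poster's system32): the genuine
    nslookup.exe, a look-alike whose second letter is Cyrillic 'es' (U+0441,
    an assumed stand-in that prints like Latin 'c'), and an unrelated file.
    All three are empty placeholders; only the names matter here."""
    d = tempfile.mkdtemp(prefix='look_')
    for name in ('nslookup.exe', 'n\u0441lookup.exe', 'notepad.exe'):
        open(os.path.join(d, name), 'wb').close()
    return d


if __name__ == '__main__':
    for hit in find_matches(build_sample_dir()):
        flag = 'SUSPECT' if hit['suspicious'] else 'ok'
        print('%-8s %-14s hidden=%-5s %s' % (flag, hit['as_logged'], hit['hidden'], hit['chars']))
```

Both matches come back, which is the point: the wildcard cannot tell the two apart, so look.txt will always contain the real nslookup.exe and the version check waterfalls describes above is what separates them. On the poster's machine the extra entry would be the one whose name shows a "?" in the registry, and whose Version tab most likely lists no company.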

#9 dc3 (Bleeping Treehugger, Topic Starter)

Posted 25 July 2007 - 11:47 PM

I followed your instructions to show the hidden files, but the ofvumm.exe still isn't there.



"Owner" - 2007-07-24 3:13:45 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wdpblnpb.dll
C:\WINDOWS\system32\bpnlbpdw.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2006
C:\Documents and Settings\Owner.\err.log
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\companion wizard\log.txt
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\WINDOWS\system32\stera.log


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-24 03:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-24 01:46 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-24 01:46 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-07-24 01:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-24 01:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-23 22:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-23 21:29 <DIR> d-------- C:\Program Files\Uniblue
2007-07-23 21:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-07-23 10:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-22 21:45 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-07-22 21:45 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-22 21:44 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-22 21:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-22 21:43 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-21 19:43 12,290,511 --------- C:\AVG7QT.DAT
2007-07-21 12:38 <DIR> d-------- C:\Program Files\a-squared Free
2007-07-21 12:34 <DIR> d-------- C:\Program Files\Executive Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 10:18:55 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\OpenOffice.org2
2007-07-24 10:18:34 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-07-22 09:40:47 -------- d-----w C:\Program Files\Lavasoft
2007-07-22 09:27:03 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-07-22 02:42:13 -------- d-----w C:\Program Files\MSN Messenger
2007-07-19 04:08:15 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-06-27 00:38:33 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-01-03 04:28:16 15,756 ----a-w C:\Program Files\thesims.ttf
2005-12-11 19:59:23 34,412,848 ----a-w C:\Program Files\iTunesSetup.exe
2005-10-03 02:14:15 734,538 ----a-w C:\Program Files\03-piano.mp3
2005-10-02 05:12:13 8,191,242 ----a-w C:\Program Files\tibia75.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 22:32]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" []
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 12:30]
"MCAgentExe"="C:\PROGRA~1\McAfee.com\Agent\McAgent.exe" []
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2003-10-10 03:14]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-07-23 01:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 22:21]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Mfgfngbz"=C:\WINDOWS\System32\n?lookup.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 18:01:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2007-01-05 13:29:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"ofvumn"=C:\WINDOWS\System32\ofvumn.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acbsvs]
C:\WINDOWS\MICROS~1.NET\acbsvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS Client]
"C:\Program Files\Cas\Client\casclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lo5qRkaET]
dsaservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinToolsSvc"=2 (0x2)
"TBPSSvc"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=2 (0x2)
"McShield"=3 (0x3)

R0 srescan;srescan;C:\WINDOWS\system32\ZoneLabs\srescan.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S2 DP1112;DP1112;\??\C:\WINDOWS\system32\Drivers\DP.sys
S3 ApiMon;ApiMon;\??\C:\WINDOWS\system32\drivers\ApiMon.sys
S3 krdpdre;krdpdre;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys
S3 MOSUMAC;USB-Ethernet Driver;C:\WINDOWS\system32\DRIVERS\MOSUMAC.SYS
S3 wltwo51b;2Wire Wireless USB adapter Driver;C:\WINDOWS\system32\DRIVERS\wltwo51b.sys


Contents of the 'Scheduled Tasks' folder
2007-07-23 14:47:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 03:18:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ADKW]
"DisplayName"="Search Assistant"
"UninstallString"="C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe uninstadkw"
"Publisher"="WinTools"
"URLInfoAbout"="http://www.win-tools.com/"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 3:20:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-24 03:20

--- E O F ---

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

#10 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:28 AM

Posted 26 July 2007 - 11:38 AM

Hi -

I will be online off and on for most of the day today, so we should be finished today.

There are two steps that you forgot:
1. To post the look.txt - look at my earlier post for directions
2. To post a new HijackThis log.
Take only memories, leave nothing but footprints.


#11 dc3

dc3

    Bleeping Treehugger

  • Topic Starter

  • Members
  • 30,714 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:04:28 AM

Posted 26 July 2007 - 12:58 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:01 AM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [ofvumn] C:\WINDOWS\System32\ofvumn.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121995199312
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E1CF344-43D7-486D-9DBA-4565A8564543}: NameServer = 66.81.1.251 66.81.1.252
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9701 bytes


Volume in drive C has no label.
Volume Serial Number is E8DA-A095

Directory of C:\WINDOWS\system32

08/04/2004 05:00 AM 76,800 nslookup.exe

Directory of C:\WINDOWS\system32

1 File(s) 76,800 bytes
0 Dir(s) 20,112,474,112 bytes free

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
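The ComboFix log earlier in the thread showed a Run entry pointing at `C:\WINDOWS\System32\n?lookup.exe`, where the `?` is most likely a character the log could not render, and the directory listing just posted is the manual check for whether anything other than the genuine nslookup.exe sits in system32. The following is an added example, not code from the thread, from ComboFix or from HijackThis, that automates that kind of check: given a directory listing (a constructed sample here, with a Cyrillic letter standing in for the unrenderable character), it flags names that contain non-ASCII characters or that are one edit away from a binary on a small, assumed watch-list without being that binary.

```python
"""Flag file names that imitate a known system binary.

Added example, not code from the thread, ComboFix or HijackThis. The listing
is constructed: the second entry uses a Cyrillic letter where the genuine
name has an ASCII 's', standing in for whatever character the ComboFix log
could only print as '?'.
"""
import unicodedata
from typing import Dict, List, Tuple

# Assumed watch-list of binaries an impostor might imitate; nslookup.exe is
# the one this thread's ComboFix entry resembled.
KNOWN_BINARIES = ("nslookup.exe", "svchost.exe", "explorer.exe")

# Constructed directory listing.
SAMPLE_LISTING = [
    "nslookup.exe",          # genuine
    "n\u0455lookup.exe",     # CYRILLIC SMALL LETTER DZE in place of 's'
    "svch0st.exe",           # digit zero for the letter o, plain ASCII
    "notepad.exe",
    "kernel32.dll",
]


def non_ascii_chars(name: str) -> List[Tuple[int, str]]:
    """Positions and Unicode names of characters outside printable ASCII."""
    return [(i, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if not 32 <= ord(ch) < 127]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: substitutions, insertions and deletions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete from a
                           cur[j - 1] + 1,          # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(listing: List[str], max_distance: int = 1) -> List[Dict]:
    """One record per name that carries non-ASCII characters or sits within
    max_distance edits of a watch-listed binary without being that binary."""
    hits = []
    for name in listing:
        lowered = name.lower()
        if lowered in KNOWN_BINARIES:
            continue  # the genuine binary itself
        odd = non_ascii_chars(name)
        near = [k for k in KNOWN_BINARIES
                if edit_distance(lowered, k) <= max_distance]
        if odd or near:
            hits.append({"name": name, "non_ascii": odd, "near": near})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LISTING):
        print(f"{hit['name']!r}: non-ASCII {hit['non_ascii'] or 'none'}, "
              f"resembles {', '.join(hit['near']) or 'nothing on the list'}")
```

Run against the sample listing it reports the Cyrillic `nѕlookup.exe` (non-ASCII, one edit from nslookup.exe) and `svch0st.exe` (plain ASCII, one edit from svchost.exe), and leaves the genuine nslookup.exe alone. On a real listing, feed it the file names from the `dir` output rather than the constructed sample.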

 

 

 

 


#12 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:28 AM

Posted 26 July 2007 - 03:17 PM

Hi -

Good job - looking much better! We're almost there.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O4 - HKLM\..\Policies\Explorer\Run: [ofvumn] C:\WINDOWS\System32\ofvumn.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab


Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

You have an outdated version of Java which, for security reasons, needs to be updated. Java releases updates because of discovered exploits. To update Java:
- Download the latest version of Java Runtime Environment (JRE) 6u2 from HERE
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel > Add/Remove Programs and remove ALL older versions of Java by checking any item, one at a time, with Java Runtime Environment (JRE or J2SE) in the name. It should have the Java icon next to it.
- For each item that you check, click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove ALL of the Java versions.
- REBOOT your computer once ALL Java components are removed.
- Then from your Desktop, double-click on the newly-downloaded Java file to install the newest version.

Download and scan with CCleaner.
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all entries in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Perform an online scan with Panda Online. ActiveScan does not remove adware/spyware but will autoclean for viruses and worms.
You have to use Internet Explorer for this scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open
- Fill in your registration and click the Check Now button
- If it wants to install an ActiveX component, allow it
- A new window will appear asking "Do you want to install this software?" Name: asinst.cab
- Click Install
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the "See Report" button, then "Save Report" and save it to a convenient location.

Post back with Panda's log and a new HijackThis log.
Take only memories, leave nothing but footprints.


#13 dc3

dc3

    Bleeping Treehugger

  • Topic Starter

  • Members
  • 30,714 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:04:28 AM

Posted 27 July 2007 - 12:51 AM

Panda didn't turn up anything, if you need the log I'll send it. I wound up having to work today so I couldn't get to this till this evening, and to compound this I'm on a dialup connection so those downloads you want took time. I will never do this for a friend again without broadband.

Once again, thanks for your help waterfalls.

dc3, Dan


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:47 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121995199312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E1CF344-43D7-486D-9DBA-4565A8564543}: NameServer = 66.81.1.251 66.81.1.252
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9602 bytes

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
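waterfalls asked for two entries to be fixed and a fresh HijackThis log posted afterwards, and the log above is that second one. The following is an added example, not code from the thread, from HijackThis or from BleepingComputer, that does the comparison a helper makes by eye: it parses the item lines of two HijackThis logs, reports which items disappeared and which appeared between them, and lists any O4 entries that load from the Policies\Explorer\Run key, the location the `[ofvumn]` entry used. The two log excerpts inside it are trimmed copies of lines posted in this thread (the earlier log from post #11, the later one from post #13); treating the policy key as a watch-list is my own choice, not HijackThis logic.

```python
"""Diff the item lines of two HijackThis logs to confirm a fix took effect.

Added example, not code from the thread or from HijackThis. The two excerpts
below are trimmed copies of the logs posted in this thread (the 'before' from
post #11, the 'after' from post #13).
"""
import re
from typing import Dict, List, Set, Tuple

Item = Tuple[str, str]  # (section tag such as "O4", remainder of the line)

# HijackThis prints one item per line as "<tag> - <content>", where the tag is
# R0-R3, F0-F3 or O1-O24; process-list lines and headers carry no such tag.
ITEM_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*\S)\s*$")

# Autostart location legitimate software almost never uses; the thread's
# [ofvumn] entry loaded from here. An assumed watch-list, not HijackThis logic.
POLICY_RUN = "\\Policies\\Explorer\\Run:"

# Trimmed copy of the earlier log (post #11); the PopCapLoader URL is
# truncated exactly as it appeared in the post.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Policies\Explorer\Run: [ofvumn] C:\WINDOWS\System32\ofvumn.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Trimmed copy of the later log (post #13).
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""


def parse_items(log_text: str) -> Set[Item]:
    """Return the set of (tag, content) items found in a HijackThis log."""
    items: Set[Item] = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.add((m.group(1), m.group(2)))
    return items


def diff_logs(before: str, after: str) -> Dict[str, List[Item]]:
    """Items only in the earlier log ('removed') and only in the later one ('added')."""
    b, a = parse_items(before), parse_items(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def policy_run_entries(log_text: str) -> List[Item]:
    """O4 entries that load from the Policies\\Explorer\\Run key."""
    return sorted(i for i in parse_items(log_text)
                  if i[0] == "O4" and POLICY_RUN in i[1])


if __name__ == "__main__":
    report = diff_logs(BEFORE_LOG, AFTER_LOG)
    for kind in ("removed", "added"):
        print(f"{kind}:")
        for tag, content in report[kind]:
            print(f"  {tag} - {content}")
    print("policy-key O4 entries still present:",
          policy_run_entries(AFTER_LOG) or "none")
```

On the two excerpts the diff shows the `[ofvumn]` policy-key entry and the PopCapLoader O16 gone, the Java 1.5 scheduler line replaced by its 1.6 counterpart, and the Panda ActiveScan control added by the online scan; the policy-key check on the later log comes back empty. Paste two full logs into the two strings to run it on a real thread.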


#14 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:28 AM

Posted 27 July 2007 - 02:40 AM

You're quite welcome - glad I could help. :thumbsup:

These files probably were already deleted since Panda didn't show anything. However, let's double-check to be on the safe side, so navigate to and delete the following files if present:
C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\qassbvur.exe
C:\WINDOWS\system32\vurikwtn.dll
C:\WINDOWS\system32\pcapynuj.dll

Your log looks clean. You can delete the ComboFix.exe file; the C:\ComboFix folder; the C:\QooBox folder; the C:\ComboFix-quarantined-files.txt and the C:\combofix.txt log that were created.

Please set your system to hide system files.
- Go to Start and open My Computer
- Select the Tools menu and click Folder Options.
- Select the View Tab and, under Hidden files and folders, check Do not show hidden files and folders
- Check Hide file extensions for known file types
- Check Hide protected operating system files (Recommended)
- Click Apply, then OK.

If you have not done so, please empty your Recycle Bin.

Create a new Restore Point:
- Go to Start > All Programs > Accessories > System Tools > System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or "After cleaning"
- Click Create.

Delete the old Restore Points:
- Go to Start > All Programs > Accessories > System Tools > Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.

Reboot your computer.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster.
SpywareBlaster doesn't scan and clean for so-called spyware but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls and also prevents the installation of any of them via a webpage. Update it periodically.

Install IE-SPYAD. It puts over 20,000 sites in your restricted zone, so you will be protected when you visit innocent-looking sites that are not actually innocent at all.

* Avoid illegal sites because that's where most malware is present.
* Don't click on links inside pop-ups. If you should get them, use ALT + F4 to close them.
* Don't click on links in spam messages claiming to offer anti-spyware software because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust because a lot of free software can bundle other software, including spyware.

Let your anti-virus and anti-spyware scanners scan frequently and don't forget to update before scanning.

I suggest you perform an online virus-scan once in a while (Housecall and/or Bitdefender) because what one virus-scanner can't find, another one maybe can.

Make sure your Windows has the latest updates by going here.

More information on how to prevent malware can be found at So how did I get infected in the first place? (by Tony Klein) and Malware Prevention: Prevent Re-infection.

Happy surfing again! :flowers:

Edited by waterfalls, 27 July 2007 - 02:56 AM.

Take only memories, leave nothing but footprints.

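The cleanup steps in the post above (check for the four leftover files, set Explorer to hide system files, empty the Recycle Bin, create a named restore point), collected into one script. This is an added PowerShell example, not waterfalls' own instructions or a BleepingComputer tool; it assumes a client edition of Windows with PowerShell 2.0 or later and an elevated console, and uses exactly the file paths and setting names given in the post. The "Delete the old Restore Points" step goes through Disk Cleanup and is left as the manual step the post describes.

```powershell
# Added example, not from the thread. Verifies the leftover files named in the post,
# removes any still present, applies the Explorer view settings the post lists,
# empties the Recycle Bin and creates a named restore point.
# Assumptions: client Windows, PowerShell 2.0+, run elevated as the user whose
# Explorer settings should change.

# The four paths listed in the post.
$suspectFiles = @(
    'C:\WINDOWS\system32\Drivers\DP.sys',
    'C:\WINDOWS\system32\qassbvur.exe',
    'C:\WINDOWS\system32\vurikwtn.dll',
    'C:\WINDOWS\system32\pcapynuj.dll'
)

function Get-LeftoverFiles {
    param([string[]]$Paths)
    # Returns only the paths that still exist as files. -LiteralPath avoids wildcard
    # expansion, so a path containing [ or ] is tested exactly as written.
    $Paths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
}

$remaining = @(Get-LeftoverFiles -Paths $suspectFiles)
if ($remaining.Count -eq 0) {
    Write-Host 'None of the listed files are present; nothing to delete.'
} else {
    foreach ($path in $remaining) {
        Write-Host "Removing $path"
        # -Force also removes files that carry the hidden or read-only attribute.
        Remove-Item -LiteralPath $path -Force
    }
}

# Explorer view settings from the post (per-user; Explorer picks them up on its next start):
#   Hidden=2          -> "Do not show hidden files and folders"
#   HideFileExt=1     -> "Hide file extensions for known file types"
#   ShowSuperHidden=0 -> "Hide protected operating system files (Recommended)"
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name Hidden          -Value 2 -Type DWord
Set-ItemProperty -Path $advanced -Name HideFileExt     -Value 1 -Type DWord
Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 0 -Type DWord

# Empty the Recycle Bin. Shell.Application is the COM object behind the Explorer
# context-menu action; namespace 0xA is the Recycle Bin virtual folder.
$bin = (New-Object -ComObject Shell.Application).NameSpace(0xA)
$bin.Items() | ForEach-Object { Remove-Item -LiteralPath $_.Path -Recurse -Force }

# Restore point named as the post suggests. Checkpoint-Computer exists on client
# editions of Windows only, which is why the script assumes one.
Checkpoint-Computer -Description 'After infection cleaned' -RestorePointType 'MODIFY_SETTINGS'
```

Run it from an elevated PowerShell prompt before rebooting, then finish with the Disk Cleanup "More Options" step from the post to discard the older restore points; the one this script creates is the most recent and is the one Disk Cleanup keeps.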

#15 dc3

dc3

    Bleeping Treehugger

  • Topic Starter

  • Members
  • 30,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:04:28 AM

Posted 27 July 2007 - 02:50 AM

Outstanding! Thank you so much for your time and patience!

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
