Control Panel Was Missing - Also Had Windows Spyware Popup


  • This topic is locked
23 replies to this topic

#1 abccrosby

abccrosby

  • Members
  • 27 posts

Posted 29 November 2007 - 10:23 PM

I started out trying to help a friend with her daughter's Dell laptop. Wouldn't go to windows, so I reinstalled/repaired Windows (Home). It wouldn't let me completely reinstall it, so I let it repair it. Then I realized Control panel was missing, and kept getting popups trying to get me to download a windows virus protector. After researching bleepingcomputer.com I ran all of the suggested spyware/malware programs that the computer would let me do. It wouldn't let me do spybot search and destroy. I got the Control panel back, and got rid of the popup after running Combofix.

Problems (visible to me) after running every fix that I knew about are:

Error stating that sistray.exe couldn't start and a problem with sasapp.dll
McAfee Error stating that it must close
Won't let me open and run McAfee
Won't let me update Java

I am sure that there are a lot more problems, I just can't see them.

I LOVE this site and have learned so much!! I am so impressed by the knowledge and skill, and patience shown here!

Thank you in advance for your help.

K

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:27 PM, on 11/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: {d9bfad3f-a065-8ec8-cb84-33f627903cc6} - {6cc30972-6f33-48bc-8ce8-560af3dafb9d} - C:\WINDOWS\System32\coafrfen.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [howyr] C:\Program Files\ComPlus Applications\howyr22011.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [fc777020] rundll32.exe "C:\WINDOWS\System32\yaiwdbto.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - Unknown owner - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe (file missing)
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 7090 bytes
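The log above is in the HijackThis v2 line format (section tag, then the entry). As an added example, not code from the thread or from Trend Micro's HijackThis, here is a small Python triage helper that parses those lines and attaches reviewer hints to the entries worth a second look. The embedded sample lines are taken from the log just posted; the hint rules are assumed heuristics, not verdicts.

```python
"""Triage helper for the HijackThis v2 log format shown in this thread.

Added example: not code from the thread or from HijackThis itself.
It parses the R/O-section lines of a log and attaches reviewer hints to
entries worth a second look: files that no longer exist, autoruns under the
SYSTEM/Default profile, BHOs whose display name is a bare GUID, services
with no recorded owner, and rundll32 entries whose value name and DLL name
both look machine-generated. Legitimate software trips some of these, so
the output is a reading aid for a human reviewer, nothing more.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the log posted in the thread (assumed representative).
SAMPLE_LOG = r"""
O2 - BHO: {d9bfad3f-a065-8ec8-cb84-33f627903cc6} - {6cc30972-6f33-48bc-8ce8-560af3dafb9d} - C:\WINDOWS\System32\coafrfen.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [fc777020] rundll32.exe "C:\WINDOWS\System32\yaiwdbto.dll",b
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe (User 'SYSTEM')
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
"""

HJT_LINE = re.compile(r"^(?P<section>R\d|O\d{1,2}) - (?P<rest>.*)$")
O4_LINE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
GUID = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
RANDOM_STEM = re.compile(r"^[a-z]{8}$")   # eight lowercase letters, no digits (heuristic)
HEX_VALUE = re.compile(r"^[0-9a-f]{8}$")  # e.g. a Run value named fc777020


@dataclass
class Entry:
    section: str
    rest: str
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return one Entry per R/O line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["rest"]))
    return entries


def _stem(path):
    """Lower-case file name without extension, taken from a Windows path."""
    name = path.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()
    return name.rsplit(".", 1)[0]


def _looks_generated(path):
    """True for a System32 file whose name is eight bare lowercase letters."""
    return "\\system32\\" in path.lower() and bool(RANDOM_STEM.match(_stem(path)))


def flag_entry(e):
    """Attach reviewer hints to one entry; returns the entry for chaining."""
    low = e.rest.lower()
    if "(file missing)" in low or "(no file)" in low:
        e.flags.append("referenced file is missing (stale or broken entry)")
    if e.section == "O4":
        m = O4_LINE.match(e.rest)
        if m:
            if "(user 'system')" in low or m["hive"].upper().startswith("HKUS\\.DEFAULT"):
                e.flags.append("autorun registered under the SYSTEM/Default profile")
            if HEX_VALUE.match(m["name"]):
                e.flags.append("Run value name is eight hex digits (looks auto-generated)")
            cmd = m["cmd"]
            if cmd.lower().startswith("rundll32"):
                dll = re.search(r'"?([^",]+\.dll)', cmd, re.IGNORECASE)
                if dll and _looks_generated(dll.group(1)):
                    e.flags.append("rundll32 loads a System32 DLL with a generated-looking name")
    elif e.section in ("O2", "O3"):
        _, _, body = e.rest.partition(": ")      # drop the "BHO: " / "Toolbar: " prefix
        parts = body.split(" - ")
        name, path = parts[0], parts[-1]
        if e.section == "O2" and GUID.match(name):
            e.flags.append("BHO display name is a bare GUID, not a product name")
        if _looks_generated(path):
            e.flags.append("plugin DLL in System32 has a generated-looking name")
    elif e.section == "O23" and "unknown owner" in low:
        e.flags.append("service has no recorded owner (vendor string missing)")
    return e


def triage(text):
    """Parse a log and return only the entries that picked up at least one hint."""
    return [e for e in map(flag_entry, parse_log(text)) if e.flags]


def find(entries, needle):
    """Flags of the first entry whose text contains needle ([] if none)."""
    for e in entries:
        if needle in e.rest:
            return e.flags
    return []


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}: {e.rest}")
        for f in e.flags:
            print(f"    - {f}")
```

Run it on the full pasted log (read the file, pass the text to `triage`) to get the same hints for every entry; unflagged lines such as the Java updater stay silent.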


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 30 November 2007 - 11:01 AM

Hello abccrosby

Copy and paste this 'Fix' into either Notepad or WordPad for future reference, as you will be required to close down your browser when following these steps.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Thank you

#3 abccrosby

abccrosby
  • Topic Starter

  • Members
  • 27 posts

Posted 30 November 2007 - 01:29 PM

I know that the task you gave me seemed relatively simple, but I can't seem to do it. I downloaded it, saved it to my desktop, double clicked on the icon, and then clicked install. It looked as though it was extracting the files but then nothing happened. I clicked on the icon again, expecting it to open and to be able to click on the runthis.bat file, but it went back to the same screen asking me to install it again....

K

#4 abccrosby

abccrosby
  • Topic Starter

  • Members
  • 27 posts

Posted 30 November 2007 - 01:35 PM

I DID reboot in safe mode like you told me to, but when I clicked on the icon it took me back to "install". Also, it didn't suggest a place to install it to. It just said c:\ so I tried that the first time. The second time I tried telling it to install to c:\SDFIX - it said it was extracting files, but then went back to "install".

What am I doing wrong?

K

#5 abccrosby

abccrosby
  • Topic Starter

  • Members
  • 27 posts

Posted 30 November 2007 - 02:09 PM

DUH... I don't know what I was doing wrong, but I finally did it right. Here are the logs you requested.

Thank you so much

K



SDFix: Version 1.116

Run by Pook on Fri 11/30/2007 at 01:45 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 13:53:17
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Fri 25 Nov 2005 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 11 Sep 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 11 Sep 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Mon 4 Sep 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Tue 11 Apr 2006 2,461,696 A..H. --- "C:\Documents and Settings\Pook\Application Data\U3\temp\Launchpad Removal.exe"
Sat 11 Sep 2004 4,348 ...H. --- "C:\Documents and Settings\Pook\My Documents\My Music\License Backup\drmv1key.bak"
Mon 30 Oct 2006 782 A..H. --- "C:\Documents and Settings\Pook\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 10 Sep 2004 312 A.SH. --- "C:\Documents and Settings\Pook\My Documents\My Music\License Backup\drmv2key.bak"
Wed 10 May 2006 0 A..H. --- "C:\RECYCLER\S-1-5-21-541998944-2676829564-3386067161-500\Dc51\S-1-5-18\31c3012c5f9d1bc646537f42686b56bc\BIT145.tmp"
Wed 10 May 2006 0 A..H. --- "C:\RECYCLER\S-1-5-21-541998944-2676829564-3386067161-500\Dc51\S-1-5-18\3e360a0702edf9b49aa7cdcb6397da24\BIT14A.tmp"
Wed 10 May 2006 1,638,232 A..H. --- "C:\RECYCLER\S-1-5-21-541998944-2676829564-3386067161-500\Dc51\S-1-5-18\5a491397b2305744fcc523a9e5f2fe6e\BIT141.tmp"

Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:23 PM, on 11/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: {d9bfad3f-a065-8ec8-cb84-33f627903cc6} - {6cc30972-6f33-48bc-8ce8-560af3dafb9d} - C:\WINDOWS\System32\coafrfen.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [howyr] C:\Program Files\ComPlus Applications\howyr22011.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [fc777020] rundll32.exe "C:\WINDOWS\System32\yaiwdbto.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 8322 bytes

#6 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 30 November 2007 - 03:07 PM

Hello abccrosby

These logs are hard to read. To correct this, please open Notepad (Start | Run, type Notepad).
Click Format from the Notepad menu and ensure "Word Wrap" is NOT selected.

Once you have done that please re-post both logs

Thank you

#7 abccrosby

abccrosby
  • Topic Starter

  • Members
  • 27 posts

Posted 30 November 2007 - 03:25 PM

Sorry, I knew they were hard to read - and now I know how to fix them!

Let's try again...

SDFix: Version 1.116

Run by Pook on Fri 11/30/2007 at 01:45 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 13:53:17
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Fri 25 Nov 2005 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 11 Sep 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 11 Sep 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Mon 4 Sep 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Tue 11 Apr 2006 2,461,696 A..H. --- "C:\Documents and Settings\Pook\Application Data\U3\temp\Launchpad Removal.exe"
Sat 11 Sep 2004 4,348 ...H. --- "C:\Documents and Settings\Pook\My Documents\My Music\License Backup\drmv1key.bak"
Mon 30 Oct 2006 782 A..H. --- "C:\Documents and Settings\Pook\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 10 Sep 2004 312 A.SH. --- "C:\Documents and Settings\Pook\My Documents\My Music\License Backup\drmv2key.bak"
Wed 10 May 2006 0 A..H. --- "C:\RECYCLER\S-1-5-21-541998944-2676829564-3386067161-500\Dc51\S-1-5-18\31c3012c5f9d1bc646537f42686b56bc\BIT145.tmp"
Wed 10 May 2006 0 A..H. --- "C:\RECYCLER\S-1-5-21-541998944-2676829564-3386067161-500\Dc51\S-1-5-18\3e360a0702edf9b49aa7cdcb6397da24\BIT14A.tmp"
Wed 10 May 2006 1,638,232 A..H. --- "C:\RECYCLER\S-1-5-21-541998944-2676829564-3386067161-500\Dc51\S-1-5-18\5a491397b2305744fcc523a9e5f2fe6e\BIT141.tmp"

Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:23 PM, on 11/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: {d9bfad3f-a065-8ec8-cb84-33f627903cc6} - {6cc30972-6f33-48bc-8ce8-560af3dafb9d} - C:\WINDOWS\System32\coafrfen.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [howyr] C:\Program Files\ComPlus Applications\howyr22011.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [fc777020] rundll32.exe "C:\WINDOWS\System32\yaiwdbto.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 8322 bytes

#8 ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 30 November 2007 - 05:01 PM

Hello abccrosby

Thank you for doing that for me, we have a few things to do here so let's start with this

Copy and Paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

1. Go to Start > Control Panel > Add/Remove Programs and Uninstall these (if present):

ErrorSafe
AWS - WeatherBug


Then Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O2 - BHO: {d9bfad3f-a065-8ec8-cb84-33f627903cc6} - {6cc30972-6f33-48bc-8ce8-560af3dafb9d} - C:\WINDOWS\System32\coafrfen.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [fc777020] rundll32.exe "C:\WINDOWS\System32\yaiwdbto.dll",b
O4 - HKUS\S-1-5-18\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab

Close any Explorer windows which may be open and click the "Fix Checked" button.


2. Please download the OTMoveIt from here:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Do not run it yet!

Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\System32\coafrfen.dll
C:\WINDOWS\System32\yaiwdbto.dll
C:\Program Files\ErrorSafe Free
C:\WINDOWS\System32\WinAvXX.exe
C:\Program Files\AWS



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


3. From either of these links download "ComboFix.exe" and place this onto your desktop

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" to launch the application. Follow the prompts that will be displayed on the screen.

Important: Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it will produce a log called "combofix.txt", by default saved into your C folder.
Navigate to: Start >> My Computer >> Local Disk C and Copy and Paste the combofix.txt log back to me.

Thank you

#9 abccrosby

  • Topic Starter
  • Members
  • 27 posts

Posted 30 November 2007 - 05:54 PM

ComboFix 07-11-19.4C - Pook 2007-11-30 17:43:30.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.52 [GMT -5:00]
Running from: C:\Documents and Settings\Pook\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FunWebProducts
C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-30 15:07 <DIR> d-------- C:\Documents and Settings\Pook\Application Data\RegistrySmart
2007-11-30 15:06 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-30 14:56 <DIR> d-------- C:\Documents and Settings\Pook\Application Data\LimeWire
2007-11-30 14:48 <DIR> d-------- C:\Program Files\Java
2007-11-30 14:48 <DIR> d-------- C:\Program Files\common files\Java
2007-11-30 13:44 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-30 10:16 <DIR> d-------- C:\Program Files\LimeWire
2007-11-29 22:26 <DIR> d-------- C:\Program Files\ieSpell
2007-11-29 21:14 <DIR> d-------- C:\Program Files\RegistryFix
2007-11-21 19:50 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-21 19:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-21 19:50 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-21 19:50 2,398 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-21 19:10 <DIR> d-------- C:\Program Files\Belarc
2007-11-21 19:10 3,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\BANTExt.sys
2007-11-21 00:24 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2007-11-21 00:24 593,408 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xpsp2res.dll
2007-11-21 00:24 593,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\h323msp.dll
2007-11-21 00:24 548,352 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll
2007-11-21 00:24 548,352 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rtcdll.dll
2007-11-21 00:24 307,200 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\netapi32.dll
2007-11-21 00:24 253,440 --a------ C:\WINDOWS\SYSTEM32\h323.tsp
2007-11-21 00:24 253,440 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\h323.tsp
2007-11-21 00:24 73,728 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\nmcom.dll
2007-11-21 00:24 40,960 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\evtgprov.dll
2007-11-20 23:04 991,232 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2007-11-20 22:38 331,776 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\winhttp.dll
2007-11-20 20:15 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-20 16:14 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
2007-11-20 16:14 838,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chtbrkr.dll
2007-11-20 16:14 43,242 --a------ C:\WINDOWS\SYSTEM32\phoncode.tbl
2007-11-20 16:14 4,071 --a------ C:\WINDOWS\SYSTEM32\phon.tbl
2007-11-20 16:14 2,714 --a------ C:\WINDOWS\SYSTEM32\phonptr.tbl
2007-11-20 16:14 2,060 --a------ C:\WINDOWS\SYSTEM32\noise.jpn
2007-11-20 16:14 1,486 --a------ C:\WINDOWS\SYSTEM32\noise.kor
2007-11-20 16:14 700 --a------ C:\WINDOWS\SYSTEM32\dayiptr.tbl
2007-11-20 16:14 520 --a------ C:\WINDOWS\SYSTEM32\dayiphr.tbl
2007-11-20 16:13 1,783,864 --a------ C:\WINDOWS\SYSTEM32\WINPY.MB
2007-11-20 16:13 1,564,868 --a------ C:\WINDOWS\SYSTEM32\WINSP.MB
2007-11-20 16:13 1,223,500 --a------ C:\WINDOWS\SYSTEM32\WINZM.MB
2007-11-20 16:13 218,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_g18030.dll
2007-11-20 16:13 218,112 --a------ C:\WINDOWS\SYSTEM32\c_g18030.dll
2007-11-20 16:13 150,016 --a------ C:\WINDOWS\SYSTEM32\WINZM.IME
2007-11-20 16:13 150,016 --a------ C:\WINDOWS\SYSTEM32\WINSP.IME
2007-11-20 16:13 150,016 --a------ C:\WINDOWS\SYSTEM32\WINPY.IME
2007-11-20 16:13 150,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\winzm.ime
2007-11-20 16:13 150,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\winsp.ime
2007-11-20 16:13 150,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\winpy.ime
2007-11-20 16:13 59,904 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\imkrinst.exe
2007-11-20 16:13 36,927 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs411.dll
2007-11-20 16:13 14,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs412.dll
2007-11-20 16:13 9,216 --a------ C:\WINDOWS\SYSTEM32\kbdnecAT.dll
2007-11-20 16:13 7,680 --a------ C:\WINDOWS\SYSTEM32\kbdnecNT.dll
2007-11-20 16:13 7,168 --a------ C:\WINDOWS\SYSTEM32\kbdnec95.dll
2007-11-20 16:13 7,168 -ra------ C:\WINDOWS\SYSTEM32\kbdnec.dll
2007-11-20 16:13 7,168 --a------ C:\WINDOWS\SYSTEM32\kbdibm02.dll
2007-11-20 16:13 7,168 --a------ C:\WINDOWS\SYSTEM32\f3ahvoas.dll
2007-11-20 16:13 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdibm02.dll
2007-11-20 16:13 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\f3ahvoas.dll
2007-11-20 16:13 6,656 --a------ C:\WINDOWS\SYSTEM32\kbdlk41a.dll
2007-11-20 16:13 6,656 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdlk41a.dll
2007-11-20 16:13 6,144 --a------ C:\WINDOWS\SYSTEM32\kbdlk41j.dll
2007-11-20 16:13 6,144 --a------ C:\WINDOWS\SYSTEM32\kbdax2.dll
2007-11-20 16:13 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd106n.dll
2007-11-20 16:13 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdax2.dll
2007-11-20 16:13 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbd106n.dll
2007-11-20 16:12 827,438 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\imjp81k.dll
2007-11-20 16:12 574,464 --a------ C:\WINDOWS\SYSTEM32\TINTLGNT.IME
2007-11-20 16:12 480,256 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cintsetp.exe
2007-11-20 16:12 340,013 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\imjp81.ime
2007-11-20 16:12 201,216 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cintime.dll
2007-11-20 16:12 173,568 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chtskf.dll
2007-11-20 16:12 97,792 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chtmbx.dll
2007-11-20 16:12 89,088 --a------ C:\WINDOWS\SYSTEM32\imekr61.ime
2007-11-20 16:12 75,264 --a------ C:\WINDOWS\SYSTEM32\phon.ime
2007-11-20 16:12 74,752 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\dayi.ime
2007-11-20 16:12 74,752 --a------ C:\WINDOWS\SYSTEM32\dayi.ime
2007-11-20 16:12 61,952 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\winime.ime
2007-11-20 16:12 57,400 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cplexe.exe
2007-11-20 16:12 56,320 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chtskdic.dll
2007-11-20 16:12 21,504 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cintlgnt.ime
2007-11-20 16:12 15,872 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs404.dll
2007-11-20 16:12 8,704 --a------ C:\WINDOWS\SYSTEM32\kbdjpn.dll
2007-11-20 16:12 8,704 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdjpn.dll
2007-11-20 16:12 8,192 --a------ C:\WINDOWS\SYSTEM32\kbdkor.dll
2007-11-20 16:12 8,192 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdkor.dll
2007-11-20 16:12 6,656 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_is2022.dll
2007-11-20 16:12 6,656 --a------ C:\WINDOWS\SYSTEM32\c_is2022.dll
2007-11-20 16:07 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-19 23:02 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-11-19 22:16 <DIR> d-------- C:\Documents and Settings\blb\Application Data\Grisoft
2007-11-19 20:04 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-19 20:03 <DIR> d-------- C:\Program Files\common files\Wise Installation Wizard
2007-11-19 19:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 15:38 <DIR> d-------- C:\Documents and Settings\Pook\Application Data\Grisoft
2007-11-19 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-19 15:38 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-19 13:28 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2007-11-04 15:20 <DIR> d-------- C:\Documents and Settings\Pook\Application Data\SiteAdvisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 21:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-20 04:44 --------- d-----w C:\Program Files\QuickTime
2007-11-20 04:43 --------- d-----w C:\Program Files\Picasa2
2007-11-20 04:42 --------- d-----w C:\Program Files\iTunes
2007-11-20 04:40 --------- d-----w C:\Program Files\Apoint
2007-11-04 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-04 17:24 86,080 ----a-w C:\WINDOWS\SYSTEM32\yuvqpdjb.dll
2007-11-04 16:55 --------- d-----w C:\Program Files\McAfee.com
2007-11-04 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-05 14:07 76,352 ----a-w C:\WINDOWS\SYSTEM32\jlhbkbfb.dll
2007-09-06 04:22 289,144 ----a-w C:\WINDOWS\SYSTEM32\VCCLSID.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\UG9vaw\o36SuT.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" []
"Aim6"="" []
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 16:18]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-12-12 14:22]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-09 21:14]
"howyr"="C:\Program Files\ComPlus Applications\howyr22011.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 15:41 C:\WINDOWS\AGRSMMSG.exe]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 17:30]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGuiSt.exe" [2007-01-19 15:52]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-08 21:39]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-01-19 17:11]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 15:32]
"DXDllRegExe"="C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-05-24 18:45:07]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 16:11:21 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-11-04 16:11:19 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-30 20:40:28 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 17:47:14
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 17:49:04
C:\ComboFix2.txt ... 2007-11-29 20:13
C:\ComboFix3.txt ... 2007-11-19 13:31
.
--- E O F ---

#10 ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 01 December 2007 - 02:05 AM

Hello abccrosby

Copy and Paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

1. Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\yuvqpdjb.dll
C:\WINDOWS\SYSTEM32\jlhbkbfb.dll



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


2. Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



3. Please now use Internet Explorer and run this online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases


Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Copy and paste that information in your next post along with a new HijackThis log.

Thank you

#11 abccrosby

  • Topic Starter
  • Members
  • 27 posts

Posted 01 December 2007 - 04:36 AM

Here goes...

Saturday, December 01, 2007 4:27:22 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/12/2007
Kaspersky Anti-Virus database records: 469692


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 75415
Number of viruses found 7
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 01:43:09

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\logout.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Infected: Trojan.Win32.Qhost.qi skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\blb\Local Settings\Temp\hsperfdata_blb\2160 Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Pook\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Pook\Desktop\Spyware, virus doctors - do not delete\SmitfraudFix\Process.exe Object is locked skipped

C:\Documents and Settings\Pook\Desktop\Spyware, virus doctors - do not delete\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Pook\Desktop\Spyware, virus doctors - do not delete\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Pook\Desktop\Spyware, virus doctors - do not delete\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Pook\Desktop\Spyware, virus doctors - do not delete\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Pook\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Pook\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Pook\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Pook\Local Settings\Temp\~DF3021.tmp Object is locked skipped

C:\Documents and Settings\Pook\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Pook\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Pook\ntuser.dat Object is locked skipped

C:\Documents and Settings\Pook\ntuser.dat.LOG Object is locked skipped

C:\RECYCLER\S-1-5-21-541998944-2676829564-3386067161-500\Dc22\prokykobyz.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped

C:\SDFix\apps\Process.exe Object is locked skipped

C:\SDFix\SDFix\apps\Process.exe Object is locked skipped

C:\SDFix\SDFix\SDFix\apps\Process.exe Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051111-134456-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051111-134656-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051111-134725-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051111-134755-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051125-215337-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051125-215521-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051125-215550-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051125-215620-00.hdmp Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{85857FCC-9EC8-462B-80CF-C823A560A21A}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\dlls99\oncdll3.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\pmymoakm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped

C:\WINDOWS\SYSTEM32\Process.exe Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WS2Fix.exe Object is locked skipped

C:\WINDOWS\TEMP\mcafee_dei5bdnyBbY7hbe Object is locked skipped

C:\WINDOWS\TEMP\mcafee_M7Yu4Lyacf4msFg Object is locked skipped

C:\WINDOWS\TEMP\mcafee_rsdLGK8XE8l3YVQ Object is locked skipped

C:\WINDOWS\TEMP\sqlite_FcJiFff07UlOMDq Object is locked skipped

C:\WINDOWS\TEMP\sqlite_OjwUL3lGaobla4U Object is locked skipped

C:\WINDOWS\UG9vaw\o36SuT.vbs Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_OTMoveIt\MovedFiles\WINDOWS\System32\yaiwdbto.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\_OTMoveIt\MovedFiles\WINDOWS\System32\yuvqpdjb.dll Infected: Trojan.Win32.BHO.rf skipped

Scan process completed.

C:\SDFix\SDFix\apps\Process.exe Object is locked skipped

C:\SDFix\SDFix\SDFix\apps\Process.exe Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051111-134456-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051111-134656-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051111-134725-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051111-134755-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051125-215337-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051125-215521-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051125-215550-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\mcpromgr.exe.20051125-215620-00.hdmp Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{85857FCC-9EC8-462B-80CF-C823A560A21A}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\dlls99\oncdll3.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\pmymoakm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped

C:\WINDOWS\SYSTEM32\Process.exe Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WS2Fix.exe Object is locked skipped

C:\WINDOWS\TEMP\mcafee_dei5bdnyBbY7hbe Object is locked skipped

C:\WINDOWS\TEMP\mcafee_M7Yu4Lyacf4msFg Object is locked skipped

C:\WINDOWS\TEMP\mcafee_rsdLGK8XE8l3YVQ Object is locked skipped

C:\WINDOWS\TEMP\sqlite_FcJiFff07UlOMDq Object is locked skipped

C:\WINDOWS\TEMP\sqlite_OjwUL3lGaobla4U Object is locked skipped

C:\WINDOWS\UG9vaw\o36SuT.vbs Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_OTMoveIt\MovedFiles\WINDOWS\System32\yaiwdbto.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\_OTMoveIt\MovedFiles\WINDOWS\System32\yuvqpdjb.dll Infected: Trojan.Win32.BHO.rf skipped

Scan process completed.


THANK YOU!!!

#12 abccrosby

abccrosby
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:32 AM

Posted 01 December 2007 - 04:43 AM

Sorry, I sent the same scan report twice - I've been up all night....

Here is the HijackThis log:

Thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:31 AM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Pook\Desktop\OTMoveIt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [howyr] C:\Program Files\ComPlus Applications\howyr22011.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196476429031
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 9141 bytes

#13 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:32 AM

Posted 01 December 2007 - 09:06 AM

Hello abccrosby

Copy and paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

Can you delete "SmitfraudFix" from your system?


1. Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\dlls99\oncdll3.exe
C:\WINDOWS\SYSTEM32\pmymoakm.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


2. Check for the latest updates for AVG Anti-Spyware

Then reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key or Alt + Spacebar to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine; if not, click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the "Apply all actions" button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you performed, select "Save report as" and save to your desktop. The default file name will be in date/time format: Report-Scan-200706-1606. A copy of each report will be saved in C:\Documents and Settings\<user profile>\Application Data\Grisoft\AVG Antispyware 7.5\Reports.
    • If you installed AVG AS over a previous version, reports are saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    • If you are a Vista user, reports are saved in C:\Users\<username>\AppData\Roaming\Grisoft\AVG Antispyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version.


3. Please post a new HijackThis log and the AVG Anti-Spyware log.

Thank you.

#14 abccrosby

abccrosby
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:32 AM

Posted 01 December 2007 - 01:52 PM

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:23:42 PM 12/1/2007

+ Scan result:



C:\Documents and Settings\Pook\Cookies\pook@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Pook\Cookies\pook@ehg-kasperskylab.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Pook\Cookies\pook@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Pook\Cookies\pook@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\WINDOWS\UG9vaw\o36SuT.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end



n saved at 1:33:17 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [howyr] C:\Program Files\ComPlus Applications\howyr22011.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196476429031
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 9072 bytes


Thank you!!!

#15 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:32 AM

Posted 01 December 2007 - 02:53 PM

Hello abccrosby

OK, that's good, AVG cleaned one of those remaining items. I would like you to do this next:

Copy and paste this post into a new text document or print it for reference.

1. Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O4 - HKLM\..\Run: [howyr] C:\Program Files\ComPlus Applications\howyr22011.exe

Close any Explorer windows which may be open and click the "Fix Checked" button.


2. Please go to: http://virusscan.jotti.org/
At the top select the Browse button then navigate to this File and Submit it to be scanned.
C:\Program Files\ComPlus Applications\howyr22011.exe

Any results, please copy and paste them in your next reply along with a new HijackThis log, and can you let me know how your system is running?

Thank you.
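A small triage helper for the HijackThis log format used throughout this thread, added here as example code (it is not from the thread, from BleepingComputer or from HijackThis itself). It parses the R*/O* entries and the "Running processes" list, lists the O4 autostart entries whose executable was not running when the log was taken (the kind of entry a helper singles out, like the [howyr] line above), and diffs two logs so a "Fix Checked" run can be confirmed from the next log. The embedded log excerpt is constructed from a few lines of the log posted above; the "after" log is that excerpt with the [howyr] entry removed.

```python
import ntpath
import re
from dataclasses import dataclass

# One HijackThis entry, e.g. "O4 - HKLM\..\Run: [howyr] C:\...\howyr22011.exe"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Registry Run values: "HKLM\..\Run: [name] command" (also HKCU and HKUS\<SID>)
O4_REG_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Startup-folder shortcuts: "Global Startup: name.lnk = path"
O4_STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# Leading executable of a command line, quoted or not, before any arguments
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|vbs|bat|cmd|scr|com))"?(?:\s|$)', re.I)


@dataclass(frozen=True)
class Entry:
    section: str  # "R0", "O2", "O4", "O23", ...
    body: str     # everything after "O4 - "


@dataclass(frozen=True)
class Autostart:
    hive: str  # "HKLM", "HKCU", "HKUS\<SID>" or "Global Startup"
    name: str  # registry value name or shortcut name
    path: str  # executable path with quotes, arguments and "(User ...)" stripped


def parse_entries(log: str) -> list[Entry]:
    """Every R*/O* entry, in log order."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def running_processes(log: str) -> list[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, collecting = [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            collecting = True
        elif collecting:
            if not line:
                break
            procs.append(line)
    return procs


def command_path(cmd: str) -> str:
    """Reduce a Run value's command line to its executable path."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def autostarts(log: str) -> list[Autostart]:
    """All O4 entries (Run keys and the startup folder) as Autostart records."""
    found = []
    for e in parse_entries(log):
        if e.section != "O4":
            continue
        if m := O4_REG_RE.match(e.body):
            found.append(Autostart(m["hive"], m["name"], command_path(m["cmd"])))
        elif m := O4_STARTUP_RE.match(e.body):
            found.append(Autostart("Global Startup", m["name"], command_path(m["cmd"])))
    return found


def autostarts_not_running(log: str) -> list[Autostart]:
    """O4 entries whose executable is absent from the Running processes list.
    A crashed tray utility and a registered-but-deleted dropper look the same
    here, so treat the result as a short list to check by hand, not a verdict."""
    running = {ntpath.basename(p).lower() for p in running_processes(log)}
    return [a for a in autostarts(log) if ntpath.basename(a.path).lower() not in running]


def diff_entries(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(added, removed) entries between two logs, in order of appearance."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    added = [e for e in parse_entries(after) if e not in b]
    removed = [e for e in parse_entries(before) if e not in a]
    return added, removed


# Constructed excerpt of the log posted above (a handful of its lines).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [howyr] C:\Program Files\ComPlus Applications\howyr22011.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
"""
# Constructed: the same excerpt after the [howyr] entry has been fixed in HijackThis.
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines() if "[howyr]" not in l) + "\n"
```

Run it on two saved logs by reading them into `diff_entries`; anything in the "removed" list that you did not fix yourself deserves the same scrutiny as a new entry.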



