I Think I Have Vundo But Can't Open Combofix, Vundofix Exes...


14 replies to this topic

#1 melesamalover

melesamalover

  • Members
  • 8 posts

Posted 26 February 2008 - 12:23 AM

I have a red X over the C: drive picture. I also have a red circle in the lower right corner that won't go away. I tried to open ComboFix, VundoFix, and ComboScan but none of those .exe's work. I don't know what else to do... after a while my computer freezes up and I can't open any folders or click my Start menu... please help. Sorry if this is the wrong place to post...


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,723 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 26 February 2008 - 01:49 AM

Hello melesamalover and welcome to BC :trumpet:

You posted in the right place. :flowers: There are a few things I need to ask so we can provide you with the proper cleaning instructions.

What is your operating system: Windows XP, Vista, Ubuntu, etc.?

What security programs do you have installed?

Did you try scanning with them in Safe Mode?

"I tried to open combofix,vundofix, and comboscan"

Please note that Combofix is a specialized, advanced tool and should not be run without the direction of a malware removal expert. You can seriously damage your computer, even preventing it from starting, if you don't know what you are doing. Please read Combofix's Disclaimer.

Are you experiencing any other issues with your computer besides the red X over the C drive picture and the freezing problem? e.g. popups, browser redirects. If so, please describe these issues with as much detail as possible.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 melesamalover

melesamalover
  • Topic Starter

  • Members
  • 8 posts

Posted 26 February 2008 - 02:05 AM

I'm running Windows XP. I don't think I have any security programs on my computer. My computer is acting fine now; it's just the red X on the C drive.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,723 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 26 February 2008 - 02:12 AM

Hello melesamalover,

Let's see what SUPERAntiSpyware will discover. I would like you to do a scan in Safe Mode. You will, of course, install it in Normal mode. You may wish to print these directions out or copy and paste them into Notepad so you have them available while you are in Safe Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
Please leave the others unchecked.
Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:

#5 melesamalover

melesamalover
  • Topic Starter

  • Members
  • 8 posts

Posted 26 February 2008 - 02:19 AM

I can't open the exe.

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,723 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 26 February 2008 - 02:31 AM

Okay melesamalover. I'm going to turn this thread over to someone with more experience than I. He isn't on-line right now, so please be patient.

I do have an additional question: Are you unable to open ANY .exe files?

Orange Blossom :thumbsup:

#7 melesamalover

melesamalover
  • Topic Starter

  • Members
  • 8 posts

Posted 26 February 2008 - 02:34 AM

I can open some, like MP3 Doctor stuff and DivX, but some like VundoFix and that SUPERAntiSpyware don't open.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,609 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 26 February 2008 - 12:26 PM

I need to ask if you have applied all critical security patches and updated XP to at least Service Pack 1a. Without doing this first, you are wide open to re-infection and other high security risks to which an unpatched system is prone, and we are just wasting our time.

Since you have no security protection, I'm not surprised that you have been infected. Installing an anti-virus should be done immediately, but I understand you're having problems with .exe applications. That means you may not be able to install an anti-virus. Please try using a non-security program with an .exe extension and confirm if that works.

If not, please note that some malware infections target .exe files and without repairing that file association ALL .exe files will lose functionality. If you are unable to run any .exe applications, please see:
"Unable to Start a Program with an .exe File Extension"
"Broken EXE Association Fix"
"Fix or Restore Broken .EXE .LNK .COM Association Caused by Virus"
Note: Some of these steps involve making changes in the registry. Always back up your registry before making any changes. Improper changes to the registry could adversely affect your computer and render it inoperable.

Also, some types of malware will disable Vundofix and other security tools. If Vundofix will not run, try renaming it to myfix.exe or something else. If needed, change the .exe to .bat, .com, .pif, or .scr. I doubt running Vundofix will help in your case because you have a newer variant of the infection that is not always detected. However, I would like to know if renaming will work. If we cannot repair the .exe issue there may be other alternatives we can try if that is successful.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#9 melesamalover

melesamalover
  • Topic Starter

  • Members
  • 8 posts

Posted 27 February 2008 - 10:53 PM

Hey, thanks a lot, the renaming worked... here is that log Orange Blossom asked for...


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/28/2008 at 09:40 PM

Application Version : 4.0.1152

Core Rules Database Version : 3411
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 00:52:58

Memory items scanned : 165
Memory threats detected : 1
Registry items scanned : 6587
Registry threats detected : 227
File items scanned : 22706
File threats detected : 185

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\KHFCCCC.DLL
C:\WINDOWS\SYSTEM32\KHFCCCC.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{45C2A50F-8F4A-496E-AF02-D0207525BF5A}
HKCR\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}
HKCR\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}\InprocServer32
HKCR\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}\InprocServer32#ThreadingModel

Trojan.Downloader-Gen/MROFIN
[runner1] C:\WINDOWS\MROFINU1535.EXE
C:\WINDOWS\MROFINU1535.EXE
C:\WINDOWS\Prefetch\MROFINU1535.EXE-06F7A78D.pf

Trojan.Unclassified/BraviaX
[braviax] C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
[braviax] C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087292.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087293.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087374.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087375.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087400.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087401.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP291\A0087563.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP291\A0087564.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP291\A0087577.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP291\A0087578.EXE
C:\WINDOWS\BRAVIAX.EXE
C:\WINDOWS\Prefetch\BRAVIAX.EXE-0B81BFC9.pf

Adware.ColoradoSheep
[mschkdsk.exe] C:\WINDOWS\SYSTEM32\MSCHKDSK.EXE
C:\WINDOWS\SYSTEM32\MSCHKDSK.EXE
HKU\S-1-5-21-208419354-743332022-890384297-1007\Software\Microsoft\Windows\CurrentVersion\Run#mschkdsk.exe [ C:\WINDOWS\system32\mschkdsk.exe ]
C:\WINDOWS\Prefetch\MSCHKDSK.EXE-2B228674.pf

Trojan.Net-Wintouch/V2
[WinTouch] C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\APPLICATION DATA\WINTOUCH\WINTOUCH.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\APPLICATION DATA\WINTOUCH\WINTOUCH.EXE
C:\WINDOWS\Prefetch\WINTOUCH.EXE-13DDAC0B.pf

Adware.ClickSpring-Variant
[Scbu] C:\PROGRA~1\ASEMBL~1\ARPA.EXE
C:\PROGRA~1\ASEMBL~1\ARPA.EXE
C:\PROGRAM FILES\A?SEMBLY\ARPA.EXE
C:\WINDOWS\Prefetch\ARPA.EXE-360855B1.pf

Trojan.Unknown Origin
[zfum] C:\PROGRA~1\COMMON~1\ZFUM\ZFUMM.EXE
C:\PROGRA~1\COMMON~1\ZFUM\ZFUMM.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8X63WLEB\INSTALLER[1].EXE
C:\PROGRAM FILES\COMMON FILES\ZFUM\ZFUMA.EXE
C:\PROGRAM FILES\COMMON FILES\ZFUM\ZFUML.EXE
C:\PROGRAM FILES\COMMON FILES\ZFUM\ZFUMM.EXE
C:\QRWKJYD.EXE
C:\WINDOWS\IA\KE.VBS
C:\WINDOWS\UNINSTALL_NMON.VBS
C:\WINDOWS\Prefetch\ZFUMM.EXE-2260C902.pf

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3265CCEF-5501-09A9-5714-2900BECC80C3}
HKCR\CLSID\{3265CCEF-5501-09A9-5714-2900BECC80C3}
HKCR\CLSID\{3265CCEF-5501-09A9-5714-2900BECC80C3}\InprocServer32
HKCR\CLSID\{3265CCEF-5501-09A9-5714-2900BECC80C3}\InprocServer32#ThreadingModel
HKCR\CLSID\{3265CCEF-5501-09A9-5714-2900BECC80C3}\Programmable
HKCR\CLSID\{3265CCEF-5501-09A9-5714-2900BECC80C3}\TypeLib
C:\WINDOWS\SYSTEM32\LBE.DLL

Trojan.Media-Codec/V5
HKLM\Software\Classes\CLSID\{81705D67-3F73-4983-859B-97D0922E5ABE}
HKCR\CLSID\{81705D67-3F73-4983-859B-97D0922E5ABE}
HKCR\CLSID\{81705D67-3F73-4983-859B-97D0922E5ABE}
HKCR\CLSID\{81705D67-3F73-4983-859B-97D0922E5ABE}\Implemented Categories
HKCR\CLSID\{81705D67-3F73-4983-859B-97D0922E5ABE}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{81705D67-3F73-4983-859B-97D0922E5ABE}\InprocServer32
HKCR\CLSID\{81705D67-3F73-4983-859B-97D0922E5ABE}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\NETPROJECT\WAMDL.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{81705D67-3F73-4983-859B-97D0922E5ABE}
HKU\S-1-5-21-208419354-743332022-890384297-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{81705D67-3F73-4983-859B-97D0922E5ABE}
C:\PROGRAM FILES\NETPROJECT\SBMNTR.EXE
C:\PROGRAM FILES\NETPROJECT\SBSM.EXE
C:\PROGRAM FILES\NETPROJECT\SBUN.EXE
C:\PROGRAM FILES\NETPROJECT\SCIT.EXE
C:\PROGRAM FILES\NETPROJECT\SCM.EXE
C:\PROGRAM FILES\NETPROJECT\SCU.EXE
C:\PROGRAM FILES\NETPROJECT\WAUN.EXE

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{88EDAC46-43B9-4919-B071-F46918C3F665}
HKCR\CLSID\{88EDAC46-43B9-4919-B071-F46918C3F665}
HKCR\CLSID\{88EDAC46-43B9-4919-B071-F46918C3F665}\InprocServer32
HKCR\CLSID\{88EDAC46-43B9-4919-B071-F46918C3F665}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNLJ.DLL

Trojan.Media-Codec/V4
HKLM\Software\Classes\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}#xxx
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\InprocServer32
HKCR\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\NETPROJECT\SBMDL.DLL
HKCR\videoPl.chl
HKCR\videoPl.chl\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#Publisher

Trojan.Smitfraud Variant/IE Anti-Spyware
HKLM\Software\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}

Unclassified.Unknown Origin
HKLM\System\ControlSet002\Services\cmdService
C:\WINDOWS\IA\COMMAND.EXE
HKLM\System\ControlSet002\Enum\Root\LEGACY_cmdService
HKLM\System\ControlSet003\Services\cmdService
HKLM\System\ControlSet003\Enum\Root\LEGACY_cmdService
HKLM\System\CurrentControlSet\Services\cmdService
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_cmdService

Adware.Tracking Cookie

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#UninstallString
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Network Monitor

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#UninstallString
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.TargetSavers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA#UninstallString

Adware.Adservs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\IA\ASAPPSRV.DLL

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
C:\Program Files\Outerinfo\FF\chrome.manifest
C:\Program Files\Outerinfo\FF\components\FF.dll
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\Outerinfo\FF\components
C:\Program Files\Outerinfo\FF\install.rdf
C:\Program Files\Outerinfo\FF
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Outerinfo

Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373FC12E6DCD66A47 ]

Rogue.VirusHeat
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}#AppID
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\bqXaqbUi
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\CIygdnoRtLAw
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\ilaRndLimalHj
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\LocalServer32
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\MNqqkjm
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\NnSv
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\OMMnlGw
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\ProgID
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\Programmable
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\TypeLib
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\VersionIndependentProgID
HKCR\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}\WleAUmdpj
HKCR\TypeLib\{CBD02E9B-37EF-47D2-96B0-3ABBB2EB92BF}
HKCR\TypeLib\{CBD02E9B-37EF-47D2-96B0-3ABBB2EB92BF}\1.0
HKCR\TypeLib\{CBD02E9B-37EF-47D2-96B0-3ABBB2EB92BF}\1.0\0
HKCR\TypeLib\{CBD02E9B-37EF-47D2-96B0-3ABBB2EB92BF}\1.0\0\win32
HKCR\TypeLib\{CBD02E9B-37EF-47D2-96B0-3ABBB2EB92BF}\1.0\FLAGS
HKCR\TypeLib\{CBD02E9B-37EF-47D2-96B0-3ABBB2EB92BF}\1.0\HELPDIR

Rogue.WinReanimator
HKLM\Software\WinReanimator

Rogue.SysCleaner
HKU\S-1-5-21-208419354-743332022-890384297-1007\Software\WinTouch
HKU\S-1-5-21-208419354-743332022-890384297-1007\Software\Microsoft\Windows\CurrentVersion\Run#WinTouch [ C:\Documents and Settings\HP_Administrator\Application Data\WinTouch\WinTouch.exe ]

Adware.WinTouch/XInside
C:\Program Files\InetGet2
C:\Documents and Settings\HP_Administrator\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\HP_Administrator\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\HP_Administrator\Application Data\WinTouch

Adware.ClickSpring
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\APPLICATION DATA\М?CROSOFT\M?HTA.EXE

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\FAVORITES\ONLINE SECURITY TEST.URL

Trojan.Downloader-CommandDesktop
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMP\CMDINST.EXE

TargetSaver, Inc. Process
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMP\TSINSTALL_4_0_4_0_B4.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMP\TSUPDATE_4_0_4_1_B3.EXE
C:\WINDOWS\SYSTEM32\TSUNINST.EXE

Trojan.SoftCashier-Installer/A
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMP\UNINST.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\S9MF2NSB\INSTALLER[1].EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087302.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087385.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087409.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP291\A0087562.EXE
C:\WINDOWS\SYSTEM32\WINISTR.EXE

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1560OINUNINSTALLER.EXE
C:\PROGRAM FILES\COMMON FILES\YAZZLE1560OINADMIN.EXE

Unclassified.Unknown Origin/System
C:\PROGRAM FILES\COMMON FILES\ZFUM\ZFUMD\ZFUMC.DLL

Trojan.Downloader-Gen
C:\PROGRAM FILES\COMMON FILES\ZFUM\ZFUMP.EXE

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087294.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP290\A0087376.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP291\A0087546.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP291\A0087548.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP291\A0087559.DLL
C:\WINDOWS\SYSTEM32\PHEULJGP.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP291\A0087558.DLL

Trojan.Downloader-Gen/Bundle Installer
C:\WINDOWS\B103.EXE
C:\WINDOWS\B116.EXE
C:\WINDOWS\B138.EXE
C:\WINDOWS\B152.EXE
C:\WINDOWS\B153.EXE
C:\WINDOWS\B154.EXE

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B104.EXE

Trojan.Unclassified/CRU629
C:\WINDOWS\CRU629.DAT
C:\WINDOWS\SYSTEM32\CRU629.DAT

Trojan.Unclassified/User32DAT
C:\WINDOWS\SYSTEM32\USERS32.DAT

Trace.Known Threat Sources
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BEKNR50D\style[1].css
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\E96JADY5\a537119c47192bc08952189ae8782f08[1].zip
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\E96JADY5\Binaries1[1].zip
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\S9MF2NSB\ajax[1].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\K96389Y3\1f9df714e4b6e5f82eaa297034bbbe90[1].zip
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\K96389Y3\affupdate2[1].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\MT6787IP\Binaries3[1].zip
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\E96JADY5\setup_en[1].exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\8X63WLEB\ack[1].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\8X63WLEB\17PHolmes[1].cmt
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1ABK52V\ack[1].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q1KVQXQ5\ack[1].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\85INKXA3\ack[1].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\GHM30LIF\ctxad-576[1].0005
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\C9EVCXYR\tsupdate2[1].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\C9EVCXYR\checkin[1].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5A5SLIR\26453da423d82a5fc6fae941d05f1151[1].zip
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\CHO7WB0Z\8154ff2675af1b6e0677560871425153[1].zip
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\8X63WLEB\mrofinu[1].zip
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\85INKXA3\ack[2].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5A3OTUN\718f466754402ac597de014577627f96[1].zip
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\E96JADY5\ctxad-576[1].sig
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\K96389Y3\ctxad-576[1].0004
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\C9EVCXYR\ack[1].htm
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\85INKXA3\ctxad-576[1].0000
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BEKNR50D\c1f5cc94a30f082054f3a00e6655462d[1].zip
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\8X63WLEB\ctxad-576[1].0002
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5A3OTUN\ctxad-576[1].0001

#10 quietman7 (Bleepin' Janitor, Global Moderator, 50,609 posts)

Posted 28 February 2008 - 10:55 AM

Appears you had several nasty infections. Can you post the VundoFix log? It will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt.

Also, please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights".
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 melesamalover (Topic Starter, Members, 8 posts)

Posted 29 February 2008 - 04:31 AM

Here is the VundoFix log:


VundoFix V6.7.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 19:22:03 2008/02/28

Listing files found while scanning....

C:\Program Files\PowerISO\PWRISOSH.DLL
C:\WINDOWS\system32\fbuplxjj.dll
C:\WINDOWS\system32\geqvwgdy.dll
C:\WINDOWS\system32\jfwwusul.dll
C:\WINDOWS\system32\khfcccc.dll
C:\WINDOWS\system32\mnvcbgix.dll
C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
C:\WINDOWS\system32\NCTAudioFile2.dll
C:\WINDOWS\system32\NCTAudioPlayer2.dll
C:\WINDOWS\system32\NCTAudioRecord2.dll
C:\WINDOWS\system32\NCTAVIFile.dll
C:\WINDOWS\system32\NCTQuickTimeFile.dll
C:\WINDOWS\system32\NCTVideoCoreM.dll
C:\WINDOWS\system32\NCTWMAFile2.dll
C:\WINDOWS\system32\pgjluehp.ini
C:\WINDOWS\system32\pheuljgp.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\uvvvvsvl.dll
C:\WINDOWS\system32\vdxaswrp.dll
C:\WINDOWS\system32\vzqaavpw.dll
C:\windows\system32\vzqaavpw.dllbox
C:\WINDOWS\system32\winistr.exe

Beginning removal...

Attempting to delete C:\Program Files\PowerISO\PWRISOSH.DLL
C:\Program Files\PowerISO\PWRISOSH.DLL Has been deleted!

Attempting to delete C:\WINDOWS\system32\fbuplxjj.dll
C:\WINDOWS\system32\fbuplxjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geqvwgdy.dll
C:\WINDOWS\system32\geqvwgdy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jfwwusul.dll
C:\WINDOWS\system32\jfwwusul.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\khfcccc.dll
C:\WINDOWS\system32\khfcccc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\mnvcbgix.dll
C:\WINDOWS\system32\mnvcbgix.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
C:\WINDOWS\system32\NCTAudioCDGrabber2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioFile2.dll
C:\WINDOWS\system32\NCTAudioFile2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioPlayer2.dll
C:\WINDOWS\system32\NCTAudioPlayer2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioRecord2.dll
C:\WINDOWS\system32\NCTAudioRecord2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAVIFile.dll
C:\WINDOWS\system32\NCTAVIFile.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTQuickTimeFile.dll
C:\WINDOWS\system32\NCTQuickTimeFile.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTVideoCoreM.dll
C:\WINDOWS\system32\NCTVideoCoreM.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTWMAFile2.dll
C:\WINDOWS\system32\NCTWMAFile2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pgjluehp.ini
C:\WINDOWS\system32\pgjluehp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pheuljgp.dll
C:\WINDOWS\system32\pheuljgp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnlj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uvvvvsvl.dll
C:\WINDOWS\system32\uvvvvsvl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vdxaswrp.dll
C:\WINDOWS\system32\vdxaswrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vzqaavpw.dll
C:\WINDOWS\system32\vzqaavpw.dll Has been deleted!

Attempting to delete C:\windows\system32\vzqaavpw.dllbox
C:\windows\system32\vzqaavpw.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\winistr.exe
C:\WINDOWS\system32\winistr.exe Has been deleted!

Performing Repairs to the registry.
Done!
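The VundoFix log above ends with three DLLs it could not delete, and one of them, pheuljgp.dll, is the file the first scan flagged as Adware.Vundo-Variant/Small-A. As an added example that is not part of the thread or of VundoFix, this Python script parses both log formats and lists what is still on disk, including flagged files VundoFix never attempted (such as the System Restore copy); the sample lines are taken from the posted logs, and the function and class names are the example's own.

```python
"""Cross-reference a VundoFix removal log against an earlier detection listing.

Added example, not part of the thread or of VundoFix itself. The sample lines
are copied from the logs posted above; function and class names are the
example's own. Windows paths are compared case-insensitively.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the VundoFix V6.7.9 "Beginning removal" format.
VUNDOFIX_LOG = """\
Beginning removal...

Attempting to delete C:\\WINDOWS\\system32\\geqvwgdy.dll
C:\\WINDOWS\\system32\\geqvwgdy.dll Has been deleted!

Attempting to delete C:\\WINDOWS\\system32\\jfwwusul.dll
C:\\WINDOWS\\system32\\jfwwusul.dll Could not be deleted.

Attempting to delete C:\\WINDOWS\\system32\\khfcccc.dll
C:\\WINDOWS\\system32\\khfcccc.dll Could not be deleted.

Attempting to delete C:\\WINDOWS\\system32\\pheuljgp.dll
C:\\WINDOWS\\system32\\pheuljgp.dll Could not be deleted.

Attempting to delete C:\\WINDOWS\\system32\\winistr.exe
C:\\WINDOWS\\system32\\winistr.exe Has been deleted!

Performing Repairs to the registry.
Done!
"""

# Constructed sample in the "detection name, then one path per line" format
# of the first scan log in the thread (blocks separated by blank lines).
DETECTIONS_LOG = """\
Adware.Vundo-Variant/Small-A
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\\RP290\\A0087294.DLL
C:\\WINDOWS\\SYSTEM32\\PHEULJGP.DLL

Trojan.SoftCashier-Installer/A
C:\\WINDOWS\\SYSTEM32\\WINISTR.EXE
"""

# One VundoFix result line: "<path> Has been deleted!" or "<path> Could not be deleted."
RESULT_RE = re.compile(r"^(?P<path>.+?) (?P<status>Has been deleted!|Could not be deleted\.)$")
# A Windows file path: drive letter, colon, backslash.
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_vundofix(log: str) -> Dict[str, bool]:
    """Map each path VundoFix tried to delete to True (deleted) or False (survived)."""
    results: Dict[str, bool] = {}
    for line in log.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[m["path"].lower()] = m["status"].startswith("Has been")
    return results


def parse_detections(log: str) -> Dict[str, str]:
    """Map each file path in a detection listing to the name it was flagged under."""
    flagged: Dict[str, str] = {}
    name: Optional[str] = None
    for line in log.splitlines():
        line = line.strip()
        if not line:            # a blank line ends the current detection block
            name = None
        elif name is None:      # the first line of a block is the detection name
            name = line
        elif WIN_PATH_RE.match(line):
            flagged[line.lower()] = name
    return flagged


@dataclass
class Survivor:
    path: str
    detection: Optional[str]  # name from the detection listing, if it was flagged
    reason: str               # "could not be deleted" or "never attempted"


def residual_files(vundofix_log: str, detections_log: str) -> List[Survivor]:
    """List flagged or attempted files that are still on disk after VundoFix ran."""
    attempted = parse_vundofix(vundofix_log)
    flagged = parse_detections(detections_log)
    survivors = [Survivor(p, flagged.get(p), "could not be deleted")
                 for p, deleted in attempted.items() if not deleted]
    # Flagged files VundoFix never touched (here: the System Restore copy) also remain.
    survivors += [Survivor(p, n, "never attempted")
                  for p, n in flagged.items() if p not in attempted]
    return sorted(survivors, key=lambda s: s.path)


if __name__ == "__main__":
    for s in residual_files(VUNDOFIX_LOG, DETECTIONS_LOG):
        print(f"{s.reason:>22}  {s.detection or '(not in detection list)':<30}  {s.path}")
```

A residual list like this is what a helper reads off the logs before deciding on a follow-up tool; files that survive deletion are usually loaded into a running process and need a reboot-time or safe-mode removal.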

#12 melesamalover (Topic Starter, Members, 8 posts)

Posted 29 February 2008 - 06:17 AM

Here is the SDFix log:



SDFix: Version 1.149

Run by HP_Administrator on 2008/03/01 at 04:52

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 31232 2008/02/25 20:16
"C:\WINDOWS\system32\drivers\beep.sys" 31232 2008/02/25 20:16

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 2008/02/29 02:00
"C:\WINDOWS\system32\drivers\beep.sys" 4224 2008/02/29 02:00



Checking Files :

Trojan Files Found:

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\aax1F2.tmp.exe - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\NoDNS\NoDNS.exe - Deleted
C:\Program Files\NoDNS\UnInstall.exe - Deleted
C:\Program Files\Temporary\InsiDERInst.exe - Deleted
C:\WINDOWS\sysInf.dat - Deleted



Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\NoDNS - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 05:05:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:40,77,b2,38,1d,82,4f,52,1e,78,4f,14,fe,1d,90,3f,f0,fa,c5,f8,ec,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:68,2f,39,65,e5,cf,b7,68,aa,89,95,e5,7b,bf,a6,2d,a3,1a,32,54,42,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,21,9f,c1,d9,4e,78,63,0e,81,81,ea,97,3f,3a,15,41,a7,..
"khjeh"=hex:d9,c3,7a,f2,5d,d2,a2,6b,69,87,6d,ce,bf,ea,45,0f,cc,82,5f,0a,b3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:08,af,82,55,00,b0,86,62,9b,d5,26,06,d8,fe,bf,f5,d5,53,92,ca,51,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:40,77,b2,38,1d,82,4f,52,1e,78,4f,14,fe,1d,90,3f,f0,fa,c5,f8,ec,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:68,2f,39,65,e5,cf,b7,68,aa,89,95,e5,7b,bf,a6,2d,a3,1a,32,54,42,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,21,9f,c1,d9,4e,78,63,0e,81,81,ea,97,3f,3a,15,41,a7,..
"khjeh"=hex:d9,c3,7a,f2,5d,d2,a2,6b,69,87,6d,ce,bf,ea,45,0f,cc,82,5f,0a,b3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:08,af,82,55,00,b0,86,62,9b,d5,26,06,d8,fe,bf,f5,d5,53,92,ca,51,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:40,77,b2,38,1d,82,4f,52,1e,78,4f,14,fe,1d,90,3f,f0,fa,c5,f8,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:68,2f,39,65,e5,cf,b7,68,aa,89,95,e5,7b,bf,a6,2d,a3,1a,32,54,42,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,21,9f,c1,d9,4e,78,63,0e,81,81,ea,97,3f,3a,15,41,a7,..
"khjeh"=hex:d9,c3,7a,f2,5d,d2,a2,6b,69,87,6d,ce,bf,ea,45,0f,cc,82,5f,0a,b3,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:08,af,82,55,00,b0,86,62,9b,d5,26,06,d8,fe,bf,f5,d5,53,92,ca,51,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x30fbA]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,90,7f,14,00,00,00,00,00,54,b2,29,69,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x30fbA]
"DisplayName"="\x0192A\x192J\x0192c\x192L\x201cd\x152\xf5\x90\xed\x2039L"
"UnInstallString"="C:\WINDOWS\eiunin21.exe "C:\Program Files\\x0192A\x192J\x0192c\x192L\x201cd\x152\xf5\x90\xed\x2039L\INSTALL.DAT""
"InstallLocation"="C:\Program Files\\x0192A\x192J\x0192c\x192L\x201cd\x152\xf5\x90\xed\x2039L"
"InstallDate"="11/30/2007"
"VersionMajor"=dword:00000001
"VersionMinor"=dword:00000000
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"MNEInstaller"=dword:00000001
"DisplayIcon"="C:\Program Files\\x0192A\x192J\x0192c\x192L\x201cd\x152\xf5\x90\xed\x2039L\akatsukibk.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes]
"\31j\x58a8\16f\35g?"="\xff2d\xff33 \x660e\x671d"
"\31j\x58a8\xff740\xff770\xff830\xff6f0?"="\xff2d\xff33 \x30b4\x30b7\x30c3\x30af"
"\xff740\xff770\xff830\xff6f0"="\xff2d\xff33 \x30b4\x30b7\x30c3\x30af"
"z\xf8f3\x30fb|\xf8f3o\xf8f3x\xf8f3?"="\xff2d\xff33 \x30b4\x30b7\x30c3\x30af"
"x\xf8f3p\xf8f3\x30fbt\xf8f3?"="Courier"
"\x80\xf8f3r\xf8f3\x30fb}\xf8f3\x30fb\x30fb\x30fb\x30fb?????"="Times New Roman"
"\x30fb\x30fb\x30fb\x30fb\x30fbv\xf8f3?????"="Arial"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x30fbA]
"Order"=hex:08,00,00,00,02,00,00,00,12,01,00,00,01,00,00,00,02,00,00,00,8a,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D9E1750F-DB80-D26E-DB06-4DA7592B3377}]
"ianeidjfmhkkofkifk"=hex:6a,61,63,67,6c,67,69,67,62,64,6a,6d,63,63,6a,70,64,64,62,6d,00,..
"hadeggmmcfajbbdm"=hex:6a,61,63,67,6c,67,69,67,62,64,6a,6d,63,63,6a,70,64,64,62,6d,00,..

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 63


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1193795761\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1193795761\\EE\\AOLServiceHost.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\SecondLife\\SLVoice.exe"="C:\\Program Files\\SecondLife\\SLVoice.exe:*:Enabled:SLVoice"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 1 Jun 2007 211 A.SHR --- "C:\BOOT.BAK"
Thu 28 Jul 2005 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Thu 28 Jul 2005 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Mon 10 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 28 Jan 2008 230,400 ..SHR --- "C:\Documents and Settings\HP_Administrator\Application Data\М?crosoft\m?hta.exe"
Sun 18 Sep 2005 788,568 A..H. --- "C:\Program Files\Online Services\Canada\KOL\client.exe"
Wed 17 Aug 2005 13,459,528 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe"
Wed 17 Aug 2005 233,472 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\webutil8.exe"
Wed 17 Aug 2005 389,120 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\WinsockFix.exe"
Sat 23 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT11.tmp"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL"
Sun 18 Sep 2005 77,824 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\AcsInstN.dll"
Sun 18 Sep 2005 6,961,146 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acsnet.zip"
Sun 18 Sep 2005 3,058,888 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe"
Sun 18 Sep 2005 307,289 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspcheck.dll"
Sun 18 Sep 2005 7,083,361 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspsetup.exe"
Wed 21 Sep 2005 1,960,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\autoit\autoit-v3.zip"
Sun 18 Sep 2005 550,488 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\deskbar\deskbr.exe"
Sun 18 Sep 2005 553,984 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\flash\FlashAX.exe"
Sun 18 Sep 2005 2,242,759 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe"
Sun 18 Sep 2005 24,064 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\NISChk.dll"
Sun 18 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpchk.dll"
Sun 18 Sep 2005 748,728 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe"
Sun 18 Sep 2005 7,515,304 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\qt.exe"
Sun 18 Sep 2005 86,016 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\QTInsInf.dll"
Sun 18 Sep 2005 45,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealChk.dll"
Sun 18 Sep 2005 5,111,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealPl8.EXE"
Sun 18 Sep 2005 4,378,673 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\real_upd.exe"
Sun 18 Sep 2005 360,448 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\rp9codec.exe"
Sun 18 Sep 2005 40,960 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SiNdInst.dll"
Sun 18 Sep 2005 473,736 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe"
Sun 18 Sep 2005 12,288 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbinst.dll"
Sun 18 Sep 2005 516,032 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe"
Sun 18 Sep 2005 597,080 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\toolbar\toolbr.exe"
Sun 18 Sep 2005 590,688 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\TSsetup.exe"
Sun 18 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\tsverchk.dll"
Sun 18 Sep 2005 49,152 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\AOLVPChk.dll"
Sun 18 Sep 2005 61,440 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\VPPrePop.exe"
Sun 18 Sep 2005 3,858,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\Vwpt.exe"

Finished!

#13 quietman7 (Bleepin' Janitor, Global Moderator, 50,609 posts)

Posted 29 February 2008 - 08:18 AM

Just as I thought, lots of malware lurking about.

Further, your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
Also let me know how your computer is running and if there are any more signs of infection.

#14 melesamalover (Topic Starter, Members, 8 posts)

Posted 29 February 2008 - 07:14 PM

Well, besides having a red X over my C drive, I get this same pop-up about cars and sometimes a lot of pop-ups at the same time, but other than that it's fine. Thanks so much, this site is my savior!!!!

#15 quietman7 (Bleepin' Janitor, Global Moderator, 50,609 posts)

Posted 01 March 2008 - 07:22 AM

If you still have the red X and pop-ups, then you still have part of the infection on your system. This issue will require further investigation. Before that can be done, you will need to create and post a HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.



