Win32.trojandownloader.agent


19 replies to this topic

#1 Kameron
Posted 23 March 2008 - 09:02 AM

Hello, I'm currently on a DELL Laptop. I use this laptop for my work, etc. I recently opened an e-mail from a notificator I registered with promising me my vacation. Unfortunately, it was phony and I clicked on the link before noticing it wasn't a valid web address. Soon enough, millions of pop-ups filled the screen and my laptop was booting up so slowly. I contacted DELL tech support and I spent so much money and time and they told me to upgrade my memory and buy a McAfee product. My problem still isn't fixed so I'm posting here, hoping that everything will be resolved! Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:49 AM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wideopenwest.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: 0 - {2A469891-AFB4-41D8-729B-CFF53A81BB1C} - C:\Program Files\Windows Media Player\lacusyca.dll (file missing)
O2 - BHO: (no name) - {3534A30E-374C-4991-9872-7239C2AC5AC8} - C:\WINDOWS\System32\ddawv.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {5998C013-F359-45B5-816B-8C8AD0757AE7} - C:\WINDOWS\system32\uttktifc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\SYSTEM32\OPNNMMN.DLL (file missing)
O2 - BHO: (no name) - {AD1D1E89-67CB-43B1-8EA3-754DA09FE520} - C:\WINDOWS\System32\framebu.dll
O2 - BHO: (no name) - {CBB70829-743B-40A7-8CF0-9E38960E7985} - C:\WINDOWS\system32\uttktifc.dll
O2 - BHO: (no name) - {DB038F34-867A-40E3-865C-6C594325F0E3} - C:\PROGRAM FILES\INTERNET EXPLORER\HOQEZI83122.DLL (file missing)
O2 - BHO: {530ed839-d014-66c8-d394-4dfbe98f32de} - {ed23f89e-bfd4-493d-8c66-410d938de035} - C:\WINDOWS\system32\qbihdttv.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\RunOnce: [SpybotDeletingA3699] command /c del "C:\WINDOWS\SYSTEM32\afrgmgrc.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9916] cmd /c del "C:\WINDOWS\SYSTEM32\afrgmgrc.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5632] command /c del "C:\WINDOWS\SYSTEM32\aonklrbx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC498] cmd /c del "C:\WINDOWS\SYSTEM32\aonklrbx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3435] command /c del "C:\WINDOWS\SYSTEM32\esahvnru.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8857] cmd /c del "C:\WINDOWS\SYSTEM32\esahvnru.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1915] command /c del "C:\WINDOWS\SYSTEM32\afrgmgrc.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3901] cmd /c del "C:\WINDOWS\SYSTEM32\afrgmgrc.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7098] command /c del "C:\WINDOWS\SYSTEM32\aonklrbx.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8028] cmd /c del "C:\WINDOWS\SYSTEM32\aonklrbx.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3099] command /c del "C:\WINDOWS\SYSTEM32\esahvnru.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3735] cmd /c del "C:\WINDOWS\SYSTEM32\esahvnru.dll_old"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O20 - Winlogon Notify: opnnmmn - opnnmmn.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0017001206231015) (0017001206231015mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\001700~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\mhyapelx.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\prolyhduvo.html

--
End of file - 7711 bytes
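A script-based pass over a HijackThis log of the kind posted above. This is an added example for the thread, not code from HijackThis, ComboFix or the forum; it flags the same kinds of entries the helper later lists for removal (missing files, bare Run names, odd Trusted Zone domains, ms-its: DPF objects, unknown-owner services, a modified Shell= value), using a constructed subset of the posted log lines as input and an assumed allow-list of Trusted Zone domains.

```python
"""Triage helper for HijackThis v2 log lines (added example; not code from
HijackThis, ComboFix or the forum). Flags what a helper picks out by hand:
loading points whose file is missing, bare executable names in Run keys,
unexpected Trusted Zone domains, DPF objects fetched via ms-its:/CHM URLs,
services with an unknown owner, and a Shell= value that launches more than
Explorer.exe. A flag means "review", not "malicious".
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the first log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wideopenwest.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {3534A30E-374C-4991-9872-7239C2AC5AC8} - C:\WINDOWS\System32\ddawv.dll (file missing)
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O15 - Trusted Zone: *.gomyhit.com
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: opnnmmn - opnnmmn.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\mhyapelx.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+)")
SHELL_RE = re.compile(r"Shell=(?P<value>.*)$")

# Assumption: domains a stock XP/IE7 install may legitimately carry in the
# Trusted Zone; anything else is worth a look.
TRUSTED_ZONE_ALLOW = ("microsoft.com", "windowsupdate.com")


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O2"
    reasons: list  # why the entry was flagged (one entry may have several)
    line: str      # the original log line


def first_token(cmd):
    """Return the executable part of an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def analyse_entry(code, body):
    """Return the list of reasons an entry deserves review (empty if none)."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("loading point references a file that no longer exists")
    if code == "F2":
        m = SHELL_RE.search(body)
        if m and m.group("value").strip().lower() != "explorer.exe":
            reasons.append("Shell= launches something besides Explorer.exe")
    elif code == "O4":
        m = O4_RE.match(body)
        # A bare name is resolved via the search path and hides where the
        # binary lives; OEM entries (BCMSMMSG.exe in the thread) look alike.
        if m and "\\" not in first_token(m.group("cmd")):
            reasons.append("Run entry uses a bare executable name with no path")
    elif code == "O15":
        m = O15_RE.match(body)
        if m:
            domain = m.group("domain").lstrip("*.").lower()
            if not domain.endswith(TRUSTED_ZONE_ALLOW):
                reasons.append(f"unexpected Trusted Zone domain {domain}")
    elif code == "O16":
        low = body.lower()
        if "ms-its:" in low or ".chm" in low:
            reasons.append("DPF object loaded through an ms-its:/CHM URL")
    elif code == "O23" and "Unknown owner" in body:
        reasons.append("service has no identifiable vendor")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return the entries that deserve review."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line, etc.
        reasons = analyse_entry(m.group("code"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("code"), reasons, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {'; '.join(f.reasons)}\n    {f.line}")
```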


#2 kahdah
  • Security Colleague

Posted 23 March 2008 - 09:11 AM

Hello Kameron

Welcome to BleepingComputer
========================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 Kameron
  • Topic Starter

Posted 23 March 2008 - 01:28 PM

ComboFix 08-03-23.2 - James 2008-03-23 14:08:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.687 [GMT -4:00]
Running from: C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\9RBTQX09\ComboFix[1].exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Ultimate Cleaner
C:\Documents and Settings\Administrator\Application Data\Ultimate Cleaner\settings.dat
C:\Documents and Settings\Owner\Application Data\Ultimate Defender
C:\Documents and Settings\Owner\Application Data\Ultimate Defender\logs\1188611710.log
C:\Documents and Settings\Owner\Application Data\Ultimate Defender\logs\1195957641.log
C:\Documents and Settings\Owner\My Documents\SSTEM~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Insider
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Program Files\Windows Media Player\prolyhduvo.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BMdb947508.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
C:\WINDOWS\pskt.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\a13
C:\WINDOWS\system32\drivers\jksogdvs.dat
C:\WINDOWS\system32\e2
C:\WINDOWS\system32\framebu.dll
C:\WINDOWS\system32\g1
C:\WINDOWS\system32\i8
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\qxmldxgu.ini
C:\WINDOWS\system32\smadxtbs.dll
C:\WINDOWS\system32\smgomjdh.dll
C:\WINDOWS\system32\txnsfiol.dll
C:\WINDOWS\system32\ugxdlmxq.dll
C:\WINDOWS\system32\ulklqcdw.dll
C:\WINDOWS\system32\upxdnuhx.dll
C:\WINDOWS\system32\uttktifc.dll
C:\WINDOWS\system32\uwvjsbks.dll
C:\WINDOWS\SYSTEM32\vwadd.bak2
C:\WINDOWS\SYSTEM32\vwadd.ini
C:\WINDOWS\SYSTEM32\vwadd.ini2
C:\WINDOWS\SYSTEM32\vwadd.tmp
C:\WINDOWS\system32\vwbhsjnk.dll
C:\WINDOWS\system32\wbsuvuiq.dll
C:\WINDOWS\SYSTEM32\wdcqlklu.ini
C:\WINDOWS\system32\x22
C:\WINDOWS\SYSTEM32\xhundxpu.ini
C:\WINDOWS\system32\xtryncbv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_CORE
-------\Legacy_DOMAINSERVICE
-------\Legacy_HJIZWTFE
-------\Legacy_NETWORK_MONITOR
-------\Service_DomainService
-------\Service_hjizwtfe


((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 13:25 . 2008-03-23 13:25 <DIR> d-------- C:\Documents and Settings\James\Application Data\SUPERAntiSpyware.com
2008-03-23 09:39 . 2008-03-23 09:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 20:53 . 2008-03-22 20:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-22 20:53 . 2008-03-22 20:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-03-22 20:40 . 2008-03-23 13:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-22 20:01 . 2008-03-23 03:04 354 ---hs---- C:\WINDOWS\SYSTEM32\iqdmgres.ini
2008-03-08 20:51 . 2008-03-08 21:39 354 ---hs---- C:\WINDOWS\SYSTEM32\njmykkox.ini
2008-02-24 22:02 . 2008-02-24 22:02 414 ---hs---- C:\WINDOWS\SYSTEM32\axppokoi.ini
2008-02-24 21:52 . 2008-02-24 21:59 354 ---hs---- C:\WINDOWS\SYSTEM32\ngkaabfo.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 17:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-23 17:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 14:08 --------- d-----w C:\Program Files\McAfee
2008-02-05 03:12 --------- d-----w C:\Program Files\Common Files\McAfee
2008-02-03 23:26 --------- d-----w C:\Documents and Settings\James\Application Data\MSN6
2008-02-03 23:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\MSN6
2007-11-15 00:38 0 --sha-w C:\Documents and Settings\James\Application Data\bead9b88d33f48c3c9d0411b702a307c0ba1e2bc.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A469891-AFB4-41D8-729B-CFF53A81BB1C}]
C:\Program Files\Windows Media Player\lacusyca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3534A30E-374C-4991-9872-7239C2AC5AC8}]
C:\WINDOWS\System32\ddawv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB038F34-867A-40E3-865C-6C594325F0E3}]
C:\PROGRAM FILES\INTERNET EXPLORER\HOQEZI83122.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ed23f89e-bfd4-493d-8c66-410d938de035}]
C:\WINDOWS\system32\qbihdttv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"MSI Configuration"="msiconf.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-06-21 16:06 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 21:29 1160480]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows Media Player\prolyhduvo.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2008-01-07 16:43 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnmmn]
opnnmmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d8a74694]
C:\WINDOWS\System32\cptplttj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 09:59 126976 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 09:59 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\MSMSGS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yjgfgvmt]
regsvr32 /u C:\Documents and Settings\All Users.WINDOWS\Application Data\yjgfgvmt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpyShredder"=C:\Program Files\SpyShredder\SpyShredder.exe
"WebBuying"=C:\Program Files\Web Buying\v1.8.5\webbuying.exe
"WinAble"=C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ultimate Defender"="C:\Program Files\Ultimate Defender\UltimateDefender.exe" hide
"xorgfeno"=regsvr32 /u "C:\Documents and Settings\All Users.WINDOWS\Application Data\xorgfeno.dll"
"ubihydoh"=regsvr32 /u "C:\Documents and Settings\All Users.WINDOWS\Application Data\ubihydoh.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-23 13:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 14:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 15:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-02-02 17:00:01 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-01-07 22:56:34 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 18:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-01-19 20:00:04 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-01-21 21:00:01 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-01-07 22:56:34 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-02-20 23:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-02-05 00:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 00:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 01:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 02:00:01 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 03:00:02 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 06:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 07:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 08:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-01-07 22:56:34 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-01-21 11:00:05 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-01-07 22:56:34 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-03-23 12:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\3u1AbAJ6.exe
"2008-01-09 23:16:13 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-09 23:16:10 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 14:20:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-23 14:24:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 18:24:20
.
2008-03-23 07:04:48 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:38 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wideopenwest.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: 0 - {2A469891-AFB4-41D8-729B-CFF53A81BB1C} - C:\Program Files\Windows Media Player\lacusyca.dll (file missing)
O2 - BHO: (no name) - {3534A30E-374C-4991-9872-7239C2AC5AC8} - C:\WINDOWS\System32\ddawv.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {DB038F34-867A-40E3-865C-6C594325F0E3} - C:\PROGRAM FILES\INTERNET EXPLORER\HOQEZI83122.DLL (file missing)
O2 - BHO: {530ed839-d014-66c8-d394-4dfbe98f32de} - {ed23f89e-bfd4-493d-8c66-410d938de035} - C:\WINDOWS\system32\qbihdttv.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O20 - Winlogon Notify: opnnmmn - opnnmmn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\prolyhduvo.html

--
End of file - 5810 bytes

#4 kahdah
  • Security Colleague

Posted 23 March 2008 - 02:11 PM

Make sure that you paste the following file paths under the yellow bar within the OTMoveit2 program or it will not work correctly.


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\iqdmgres.ini
    C:\WINDOWS\SYSTEM32\njmykkox.ini
    C:\WINDOWS\SYSTEM32\axppokoi.ini
    C:\WINDOWS\SYSTEM32\ngkaabfo.ini 
    C:\Documents and Settings\James\Application Data\bead9b88d33f48c3c9d0411b702a307c0ba1e2bc.dat
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSI Configuration
    HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnmmn
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yjgfgvmt
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\SpyShredder
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\WebBuying
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\WinAble
    C:\Documents and Settings\All Users.WINDOWS\Application Data\yjgfgvmt.dll
    C:\Program Files\SpyShredder
    C:\Program Files\Web Buying
    C:\Program Files\WinAble
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\\Ultimate Defender
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\\xorgfeno
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\\ubihydoh
    C:\Program Files\Ultimate Defender
    C:\Documents and Settings\All Users.WINDOWS\Application Data\xorgfeno.dll
    C:\Documents and Settings\All Users.WINDOWS\Application Data\ubihydoh.dll
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\System32\3u1AbAJ6.exe
    C:\Program Files\Windows Media Player\prolyhduvo.html


  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#5 Kameron (Topic Starter)

Posted 23 March 2008 - 03:47 PM

[Custom Input]
< C:\WINDOWS\SYSTEM32\iqdmgres.ini >
C:\WINDOWS\SYSTEM32\iqdmgres.ini moved successfully.
< C:\WINDOWS\SYSTEM32\njmykkox.ini >
C:\WINDOWS\SYSTEM32\njmykkox.ini moved successfully.
< C:\WINDOWS\SYSTEM32\axppokoi.ini >
C:\WINDOWS\SYSTEM32\axppokoi.ini moved successfully.
< C:\WINDOWS\SYSTEM32\ngkaabfo.ini >
C:\WINDOWS\SYSTEM32\ngkaabfo.ini moved successfully.
< C:\Documents and Settings\James\Application Data\bead9b88d33f48c3c9d0411b702a307c0ba1e2bc.dat >
C:\Documents and Settings\James\Application Data\bead9b88d33f48c3c9d0411b702a307c0ba1e2bc.dat moved successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSI Configuration >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSI Configuration deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0 >
Registry key HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnmmn >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnmmn\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yjgfgvmt >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yjgfgvmt\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\SpyShredder >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\SpyShredder deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\WebBuying >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\WebBuying deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\WinAble >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\WinAble deleted successfully.
< C:\Documents and Settings\All Users.WINDOWS\Application Data\yjgfgvmt.dll >
File/Folder C:\Documents and Settings\All Users.WINDOWS\Application Data\yjgfgvmt.dll not found.
< C:\Program Files\SpyShredder >
File/Folder C:\Program Files\SpyShredder not found.
< C:\Program Files\Web Buying >
File/Folder C:\Program Files\Web Buying not found.
< C:\Program Files\WinAble >
File/Folder C:\Program Files\WinAble not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\\Ultimate Defender >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\\Ultimate Defender deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\\xorgfeno >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\\xorgfeno deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\\ubihydoh >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\\ubihydoh deleted successfully.
< C:\Program Files\Ultimate Defender >
File/Folder C:\Program Files\Ultimate Defender not found.
< C:\Documents and Settings\All Users.WINDOWS\Application Data\xorgfeno.dll >
File/Folder C:\Documents and Settings\All Users.WINDOWS\Application Data\xorgfeno.dll not found.
< C:\Documents and Settings\All Users.WINDOWS\Application Data\ubihydoh.dll >
File/Folder C:\Documents and Settings\All Users.WINDOWS\Application Data\ubihydoh.dll not found.
< C:\WINDOWS\Tasks\At10.job >
C:\WINDOWS\Tasks\At10.job moved successfully.
< C:\WINDOWS\Tasks\At11.job >
C:\WINDOWS\Tasks\At11.job moved successfully.
< C:\WINDOWS\Tasks\At12.job >
C:\WINDOWS\Tasks\At12.job moved successfully.
< C:\WINDOWS\Tasks\At13.job >
C:\WINDOWS\Tasks\At13.job moved successfully.
< C:\WINDOWS\Tasks\At14.job >
C:\WINDOWS\Tasks\At14.job moved successfully.
< C:\WINDOWS\Tasks\At15.job >
C:\WINDOWS\Tasks\At15.job moved successfully.
< C:\WINDOWS\Tasks\At16.job >
C:\WINDOWS\Tasks\At16.job moved successfully.
< C:\WINDOWS\Tasks\At17.job >
C:\WINDOWS\Tasks\At17.job moved successfully.
< C:\WINDOWS\Tasks\At18.job >
C:\WINDOWS\Tasks\At18.job moved successfully.
< C:\WINDOWS\Tasks\At19.job >
C:\WINDOWS\Tasks\At19.job moved successfully.
< C:\WINDOWS\Tasks\At20.job >
C:\WINDOWS\Tasks\At20.job moved successfully.
< C:\WINDOWS\Tasks\At21.job >
C:\WINDOWS\Tasks\At21.job moved successfully.
< C:\WINDOWS\Tasks\At22.job >
C:\WINDOWS\Tasks\At22.job moved successfully.
< C:\WINDOWS\Tasks\At23.job >
C:\WINDOWS\Tasks\At23.job moved successfully.
< C:\WINDOWS\Tasks\At24.job >
C:\WINDOWS\Tasks\At24.job moved successfully.
< C:\WINDOWS\Tasks\At3.job >
C:\WINDOWS\Tasks\At3.job moved successfully.
< C:\WINDOWS\Tasks\At4.job >
C:\WINDOWS\Tasks\At4.job moved successfully.
< C:\WINDOWS\Tasks\At5.job >
C:\WINDOWS\Tasks\At5.job moved successfully.
< C:\WINDOWS\Tasks\At6.job >
C:\WINDOWS\Tasks\At6.job moved successfully.
< C:\WINDOWS\Tasks\At7.job >
C:\WINDOWS\Tasks\At7.job moved successfully.
< C:\WINDOWS\Tasks\At8.job >
C:\WINDOWS\Tasks\At8.job moved successfully.
< C:\WINDOWS\Tasks\At9.job >
C:\WINDOWS\Tasks\At9.job moved successfully.
< C:\WINDOWS\System32\3u1AbAJ6.exe >
File/Folder C:\WINDOWS\System32\3u1AbAJ6.exe not found.
< C:\Program Files\Windows Media Player\prolyhduvo.html >
File/Folder C:\Program Files\Windows Media Player\prolyhduvo.html not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03232008_154016



Malwarebytes' Anti-Malware 1.09
Database version: 527

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 84519
Time elapsed: 50 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\lpzjuecm.dllbox (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wneqpdfc.dllbox (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP161\A0054556.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP171\A0068570.exe (Trojan.Peed) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068693.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\xpreload.ocx (Heuristic.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk (Rogue.Link) -> Quarantined and deleted successfully.
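The OTMoveIt2 log above reports one of three outcomes per requested item: "moved successfully" for files, "deleted successfully" for registry keys and values, and "not found" for items already gone. The "not found" ones are worth reconciling rather than ignoring: two of them (prolyhduvo.html and xpreload.ocx) turn up later in this thread inside C:\QooBox\Quarantine with a .vir extension, i.e. an earlier tool had already quarantined them. The following Python is an added example written for this page, not part of the thread or of OTMoveIt2; it parses a log in this shape, tallies outcomes, lists unresolved targets, and tags each registry target with the autostart mechanism it belongs to. The sample log lines are constructed from entries in the post above, and the persistence categories are this example's own labels.

```python
"""Parse an OTMoveIt2 result log and summarise what was actually removed.

Added example for this thread; the persistence labels are my own, not OTMoveIt2's.
Log shape: a '< target >' line followed by one result line.
"""
import re

# Constructed sample built from entries in the log above.
SAMPLE_LOG = "\n".join([
    "[Custom Input]",
    r"< C:\WINDOWS\SYSTEM32\iqdmgres.ini >",
    r"C:\WINDOWS\SYSTEM32\iqdmgres.ini moved successfully.",
    r"< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSI Configuration >",
    r"Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSI Configuration deleted successfully.",
    r"< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnmmn >",
    r"Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnmmn\\ deleted successfully.",
    r"< C:\Program Files\SpyShredder >",
    r"File/Folder C:\Program Files\SpyShredder not found.",
    r"< C:\WINDOWS\Tasks\At10.job >",
    r"C:\WINDOWS\Tasks\At10.job moved successfully.",
    r"< C:\WINDOWS\System32\3u1AbAJ6.exe >",
    r"File/Folder C:\WINDOWS\System32\3u1AbAJ6.exe not found.",
    "",
    "OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03232008_154016",
])

TARGET_RE = re.compile(r"^< (?P<target>.+) >$")


def persistence_class(target):
    """Label the autostart mechanism a target belongs to (labels are this example's)."""
    t = target.lower()
    if "\\winlogon\\notify\\" in t:
        return "winlogon_notify"    # DLL loaded by winlogon.exe for logon/logoff events
    if "\\currentversion\\run" in t:
        return "run_key"            # Run, and the disabled 'run-' copies msconfig leaves
    if "\\msconfig\\startupreg\\" in t:
        return "msconfig_disabled"  # startup entry msconfig disabled; still a trace
    if t.endswith(".job"):
        return "scheduled_task"     # Task Scheduler job (the At*.job series above)
    return "file"


def parse_otmoveit(log_text):
    """Return (target, kind, outcome) for each '< target >' / result pair."""
    lines = [l.rstrip() for l in log_text.splitlines()]
    results = []
    i = 0
    while i < len(lines):
        m = TARGET_RE.match(lines[i])
        if not m:
            i += 1
            continue
        target = m.group("target")
        result = lines[i + 1] if i + 1 < len(lines) else ""
        kind = "registry" if target.upper().startswith("HKEY_") else "file"
        if result.endswith("moved successfully."):
            outcome = "moved"
        elif result.endswith("deleted successfully."):
            outcome = "deleted"
        elif result.endswith("not found."):
            outcome = "not_found"
        else:
            outcome = "unknown"
        results.append((target, kind, outcome))
        i += 2  # consume the target line and its result line
    return results


def summarize(log_text):
    counts = {}
    for _, _, outcome in parse_otmoveit(log_text):
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def unresolved(log_text):
    """Targets the run could not act on; check other tools' quarantines before re-requesting."""
    return [t for t, _, o in parse_otmoveit(log_text) if o not in ("moved", "deleted")]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for target, kind, outcome in parse_otmoveit(SAMPLE_LOG):
        print(f"{outcome:9} {kind:8} {persistence_class(target):17} {target}")
```

Run against the full log above, the unresolved list is exactly the items a second pass should not blindly re-request: the right follow-up is to look for them in the quarantine folders the next scan reports.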

#6 kahdah (Security Colleague)

Posted 23 March 2008 - 05:55 PM

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7 Kameron (Topic Starter)

Posted 25 March 2008 - 08:46 PM

KASPERSKY ONLINE SCANNER REPORT
Sunday, March 23, 2008 9:07:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/03/2008
Kaspersky Anti-Virus database records: 656154


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 49311
Number of viruses found 16
Number of infected objects 94
Number of suspicious objects 1
Duration of the scan process 01:18:39

Infected Object Name Virus Name Last Action
C:\a7cc14bbedf2cac52d6fa71827b058a8\$shtdwn$.req Object is locked skipped

C:\a7cc14bbedf2cac52d6fa71827b058a8\mrt.exe Object is locked skipped

C:\a7cc14bbedf2cac52d6fa71827b058a8\mrtstub.exe Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\EasyNet\MHNData Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSC\Logs\{27D3D452-EA4F-41D5-A733-D08541AF049B}.log Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\VirusScan\Logs\SYSTEM_ODS.Log Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner.zip/ucsecuredelete.dll Infected: not-a-virus:FraudTool.Win32.UltimateDefender.r skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService2.zip/core.sys Infected: Rootkit.Win32.Agent.mb skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService2.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SpyShredder3.zip/SpyShredder0.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.f skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SpyShredder3.zip/SpyShredder3.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SpyShredder3.zip ZIP: infected - 2 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll11.zip/ewsyiuxi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll11.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/betdkhun.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/btiranep.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll4.zip/cocinxni.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll4.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll5.zip/dibjavui.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll5.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll6.zip/diovbvhu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll6.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll7.zip/djtyhgmr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll7.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll8.zip/dlqadjik.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll8.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll9.zip/dqhrhdwc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll9.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.5/wbuninst.exe Infected: not-a-virus:AdWare.Win32.BHO.abh skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.5/webbuying.exe Infected: not-a-virus:AdWare.Win32.Agent.ta skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: infected - 2 skipped

C:\Documents and Settings\James\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\James\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\James\Local Settings\Temp\sqlite_i5luSXEuugW0A47 Object is locked skipped

C:\Documents and Settings\James\Local Settings\Temp\sqlite_OMPdHXmUGbanqKb Object is locked skipped

C:\Documents and Settings\James\Local Settings\Temp\~DF843D.tmp Object is locked skipped

C:\Documents and Settings\James\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\James\ntuser.dat Object is locked skipped

C:\Documents and Settings\James\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Trend Micro\HijackThis\hijackthis.log Suspicious: Exploit.HTML.Mht skipped

C:\QooBox\Quarantine\C\Program Files\Windows Media Player\prolyhduvo.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn skipped

C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\xpreload.ocx.vir Infected: Trojan-Downloader.Win32.VB.cdq skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\jksogdvs.dat.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\smgomjdh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\txnsfiol.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ugxdlmxq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ulklqcdw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\upxdnuhx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uwvjsbks.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vwbhsjnk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wbsuvuiq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xtryncbv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-03-23_141948.07.zip/jksogdvs.dat Infected: Rootkit.Win32.Agent.aap skipped

C:\QooBox\Quarantine\catchme2008-03-23_141948.07.zip/jksogdvs.dat.1 Infected: Rootkit.Win32.Agent.aap skipped

C:\QooBox\Quarantine\catchme2008-03-23_141948.07.zip ZIP: infected - 2 skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP161\A0055547.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP161\A0055547.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP161\A0055547.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP164\A0063012.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP171\A0068532.dll Infected: Trojan.Win32.Pakes.cdw skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP171\A0068537.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP171\A0068561.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068671.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqn skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068697.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068698.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068699.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068700.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068701.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068702.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068703.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068704.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068706.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068711.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068713.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068714.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068715.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068716.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068717.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068718.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068720.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068721.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068723.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068724.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068725.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068726.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068729.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068730.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068731.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068732.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068736.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068737.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068738.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP173\A0068750.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\A0068833.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\A0068834.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\A0068835.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\A0068836.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\A0068837.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\A0068839.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\A0068840.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\A0068841.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\A0068842.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0F57EE14-2F2C-4C63-854B-B905469AD6F8}\RP175\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\default Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\default.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\software Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\software.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\system Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\system.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\framebu.1 Infected: Trojan.Win32.Pakes.cdw skipped

C:\WINDOWS\SYSTEM32\framebu.2 Infected: Trojan.Win32.Pakes.cdw skipped

C:\WINDOWS\SYSTEM32\framebu.3 Infected: Trojan.Win32.Pakes.cdw skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR\httperr1.log Object is locked skipped

C:\WINDOWS\SYSTEM32\vcirxibb.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\ximtsgee.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped

C:\WINDOWS\Temp\mcafee_TTSnsIubOJF80dR Object is locked skipped

C:\WINDOWS\Temp\mcmsc_gQb3so2Qw2uMncu Object is locked skipped

C:\WINDOWS\Temp\mcmsc_ULaBN0incx2MKi6 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_V7PCL6EUP73K2pX Object is locked skipped

C:\WINDOWS\Temp\sqlite_EDXIfvfSmNWoISi Object is locked skipped

C:\WINDOWS\Temp\sqlite_O81nEd1sZbHE8xe Object is locked skipped

C:\WINDOWS\Temp\sqlite_Xmj1OWiefaow6TQ Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 kahdah
Security Colleague, 11,138 posts, Location: Florida
Posted 25 March 2008 - 08:53 PM

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\ximtsgee.dll 
    C:\WINDOWS\SYSTEM32\vcirxibb.dll 
    C:\WINDOWS\SYSTEM32\framebu.3
    C:\WINDOWS\SYSTEM32\framebu.2
    C:\WINDOWS\SYSTEM32\framebu.1
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll9.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll8.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll7.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll6.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll5.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll4.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip 
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll11.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SpyShredder3.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService2.zip
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner.zip
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================================
Please post back with a new HijackThis log and let me know how things are running.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#9 Kameron (Topic Starter)
Members, 85 posts
Posted 25 March 2008 - 09:35 PM

Things are running a bit better! I really thank you from the bottom of my heart. I'll restart now and make sure everything that used to pop up is gone!

DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\ximtsgee.dll
C:\WINDOWS\SYSTEM32\ximtsgee.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\ximtsgee.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\vcirxibb.dll
C:\WINDOWS\SYSTEM32\vcirxibb.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\vcirxibb.dll moved successfully.
C:\WINDOWS\SYSTEM32\framebu.3 moved successfully.
C:\WINDOWS\SYSTEM32\framebu.2 moved successfully.
C:\WINDOWS\SYSTEM32\framebu.1 moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll9.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll8.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll7.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll6.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll5.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll4.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll11.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SpyShredder3.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService2.zip moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner.zip moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03252008_222644

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:56 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wideopenwest.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: 0 - {2A469891-AFB4-41D8-729B-CFF53A81BB1C} - C:\Program Files\Windows Media Player\lacusyca.dll (file missing)
O2 - BHO: (no name) - {3534A30E-374C-4991-9872-7239C2AC5AC8} - C:\WINDOWS\System32\ddawv.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {DB038F34-867A-40E3-865C-6C594325F0E3} - C:\PROGRAM FILES\INTERNET EXPLORER\HOQEZI83122.DLL (file missing)
O2 - BHO: {530ed839-d014-66c8-d394-4dfbe98f32de} - {ed23f89e-bfd4-493d-8c66-410d938de035} - C:\WINDOWS\system32\qbihdttv.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0127391206495289) (0127391206495289mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\012739~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

-
End of file - 6033 bytes

#10 kahdah
Security Colleague, 11,138 posts, Location: Florida
Posted 25 March 2008 - 09:52 PM

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: 0 - {2A469891-AFB4-41D8-729B-CFF53A81BB1C} - C:\Program Files\Windows Media Player\lacusyca.dll (file missing)
O2 - BHO: (no name) - {3534A30E-374C-4991-9872-7239C2AC5AC8} - C:\WINDOWS\System32\ddawv.dll (file missing)
O2 - BHO: (no name) - {DB038F34-867A-40E3-865C-6C594325F0E3} - C:\PROGRAM FILES\INTERNET EXPLORER\HOQEZI83122.DLL (file missing)
O2 - BHO: {530ed839-d014-66c8-d394-4dfbe98f32de} - {ed23f89e-bfd4-493d-8c66-410d938de035} - C:\WINDOWS\system32\qbihdttv.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx


Now click on Fix Checked and then close Hijackthis.
===========================================

Cleanup:
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
=================================
Uninstall/delete anything left over, including Malwarebytes Anti-Malware.

Empty your recycle bin.

Then I will need you to reset your System Restore points, please note that you will need to log into your computer with an account which has full administrator access.
You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
Click the *System Restore tab
Check *Turn off System Restore
Click *Apply, and then click *OK.
2. Reboot.

3. Turn ON System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
*UN-Check *Turn off System Restore*
Check *Turn on System Restore
Click *Apply, and then click *OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
============================================================
After that your log is clean.

Please reboot after doing all of this let me know if you feel as if everything is back to normal. :thumbsup:
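The post above works through a HijackThis log by hand: BHOs whose DLL is gone, an IE Restrictions policy key, domains pushed into the Trusted Zone, and a DPF entry whose "codebase" is an ms-its:/mhtml: handler rather than a plain http(s) URL. As an added example (not part of this thread, and not a HijackThis or BleepingComputer tool), the Python script below encodes those same review rules and runs them over a few constructed log lines modelled on the entries kahdah flagged. It produces a review list, not a fix list: a "(file missing)" entry can just as well be an uninstall leftover, as the O9 Bonjour and Musicmatch entries later in this thread show.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Rules encoded, matching what the helper did by hand:
  O2  BHO registered for a DLL that no longer exists ("(file missing)")
  O6  HKCU IE Restrictions policy key present
  O15 any domain added to the Trusted Zone
  O16 DPF (ActiveX download) whose codebase is not an http(s) URL
  R3  URLSearchHook with no backing file
"""
import re

# Constructed sample modelled on entries from this thread; not a full log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: 0 - {2A469891-AFB4-41D8-729B-CFF53A81BB1C} - C:\Program Files\Windows Media Player\lacusyca.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Every HijackThis entry starts with a section tag such as R0, O2, O16, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Yield (section, body) for every entry line; header lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def classify(section, body):
    """Return a reason string if the entry deserves review, else None."""
    if section == "O2" and body.endswith("(file missing)"):
        return "BHO registered for a DLL that no longer exists"
    if section == "O6" and "Restrictions present" in body:
        return "IE Restrictions policy key present (often set by malware)"
    if section == "O15":
        return "domain added to the Trusted Zone"
    if section == "O16":
        # The codebase is the last " - " separated field of the entry.
        codebase = body.rsplit(" - ", 1)[-1]
        if not re.match(r"https?://", codebase, re.IGNORECASE):
            handler = codebase.split(":", 1)[0]
            return "DPF codebase uses a non-http(s) handler: " + handler
    if section == "R3" and body.endswith("(no file)"):
        return "URLSearchHook with no backing file"
    return None


def triage(log_text):
    """Return a list of (section, reason, body) for entries worth reviewing."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = classify(section, body)
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run against the sample it reports four entries (the orphaned lacusyca.dll BHO, the Restrictions key, the gomyhit.com Trusted Zone entry and the ms-its: DPF) and stays silent on the SiteAdvisor BHO, the Flash DPF and the McAfee service, which is the same split kahdah made.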

#11 Kameron (Topic Starter)
Members, 85 posts
Posted 25 March 2008 - 10:56 PM

Wow! Everything is amazing, thanks so much! One thing: I tried to remove the Language Bar from my toolbar, and when I right-clicked and tried to do it, all of it was faded and I was unable to click it. Please check the image:

http://i26.tinypic.com/2i9jnuq.jpg

#12 kahdah
Security Colleague, 11,138 posts, Location: Florida
Posted 26 March 2008 - 07:32 PM

Hi let's check for registry values that may be blocking you from doing that.
============================================================================
Please go to Start>Run type in Notepad.
Copy what is in the code box below into the open Notepad window.
Change the "Save As Type" to "All Files". Save it as checkthis.bat on your Desktop.
@Echo off
REM Remove any previous report so the output below starts clean
IF EXIST logit.txt Del logit.txt
ECHO Working .....
REM Dump the machine-wide and the per-user Explorer policy keys, recursively
Reg Query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /s >> Logit.txt
Reg Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /s >> Logit.txt
REM Open the report in the default text editor (Notepad)
Start logit.txt
Then please double-click on checkthis.bat; a window will open and close quickly. This is normal.
Then a notepad document will open.
Please post the contents of that text file here in your next reply.

#13 Kameron (Topic Starter)
Members, 85 posts
Posted 26 March 2008 - 08:30 PM

Alright, I'll go sign on to my laptop now and proceed with that. As of right now I'm on my regular desktop computer, and I was wondering if it would be okay if you looked over a HijackThis log really quick, just to make sure all is well? Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:32 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\dlcxcoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\DRIVERS\PRINTER\540\StatMon.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wowway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [DellStatusMonitor] "C:\DRIVERS\PRINTER\540\StatMon.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O23 - Service: McAfee Application Installer Cleanup (0076931206553950) (0076931206553950mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\007693~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 10879 bytes

#14 kahdah
Security Colleague, 11,138 posts, Location: Florida
Posted 26 March 2008 - 08:41 PM

That is fine; the desktop computer log is clean.
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)


Now click on Fix Checked and then close Hijackthis.
---------------------------
After that please update your Java:
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
================
Then that log is clean.

#15 Kameron (Topic Starter)
Members, 85 posts
Posted 26 March 2008 - 10:46 PM

Alright! Thanks, I just took care of my desktop and now here's the laptop:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveAutoRun REG_DWORD 0x3ffffff
NoDriveTypeAutoRun REG_DWORD 0xff

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun REG_DWORD 0x91
ClassicShell REG_DWORD 0x2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
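
The checkthis.bat in post #12 dumps the two Explorer policy keys, and the output above is what came back. As an added example (not part of this thread, and not a HijackThis or BleepingComputer component), the Python script below parses that REG QUERY 3.0 output format and explains the values that appear: NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is disabled (0x91, the value Windows XP ships with, covers unknown, network and reserved types; 0xFF covers every type), and NoDriveAutoRun is a bitmask of drive letters A through Z (0x3FFFFFF sets all 26 bits). The list of shell-restricting policy names it checks against is an assumption of this example, a selection of real Explorer policy values rather than an exhaustive table, so a value it does not recognise (ClassicShell here) is reported for manual review rather than interpreted.

```python
"""Decode a REG QUERY dump of the Explorer policy keys (added example).

Parses the logit.txt format produced by checkthis.bat and explains the
AutoRun masks, then flags policy values known to grey out shell UI.
"""
import re

# Constructed sample reproducing the shape of the logit.txt posted above.
SAMPLE_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveAutoRun    REG_DWORD    0x3ffffff
    NoDriveTypeAutoRun    REG_DWORD    0xff

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
    ClassicShell    REG_DWORD    0x2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
"""

# Bit meanings of NoDriveTypeAutoRun (Microsoft KB 967715).
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}

# Explorer policies that remove or grey out taskbar/shell UI. This is an
# assumed selection for the example, not an exhaustive list.
UI_RESTRICTIONS = {
    "NoSetTaskbar", "NoTrayContextMenu", "NoToolbarsOnTaskbar",
    "NoTrayItemsDisplay", "NoSaveSettings", "NoDesktop", "NoRun",
    "NoControlPanel", "NoFolderOptions", "NoViewContextMenu",
}

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")
# Value lines: name, REG_* type, data; indentation may have been lost when pasted.
VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from REG QUERY output."""
    keys, current = {}, None
    for line in text.splitlines():
        if KEY_RE.match(line):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data"))
    return keys


def decode_drive_type_autorun(value):
    """Drive types on which AutoRun is disabled, for a NoDriveTypeAutoRun mask."""
    return [label for bit, label in sorted(DRIVE_TYPE_BITS.items()) if value & bit]


def decode_drive_autorun(value):
    """Drive letters (bit 0 = A ... bit 25 = Z) disabled by a NoDriveAutoRun mask."""
    return [chr(ord("A") + i) for i in range(26) if value & (1 << i)]


def explain(text):
    """Return (hive, value_name, explanation) for every policy value in the dump."""
    findings = []
    for key, values in parse_reg_query(text).items():
        hive = key.split("\\", 1)[0]
        for name, (_, data) in values.items():
            value = int(data, 16) if data.lower().startswith("0x") else None
            if name == "NoDriveTypeAutoRun" and value is not None:
                types = ", ".join(decode_drive_type_autorun(value))
                findings.append((hive, name, "AutoRun disabled on drive types: " + types))
            elif name == "NoDriveAutoRun" and value is not None:
                letters = decode_drive_autorun(value)
                findings.append((hive, name, f"AutoRun disabled on {len(letters)} drive letters"))
            elif name in UI_RESTRICTIONS:
                findings.append((hive, name, "restricts shell UI; likely cause of greyed-out menus"))
            else:
                findings.append((hive, name, "policy not in the known list; review manually"))
    return findings


if __name__ == "__main__":
    for hive, name, text in explain(SAMPLE_OUTPUT):
        print(f"{hive}  {name}: {text}")
```

On the dump above nothing in the known UI-restriction list is present, which matches the conclusion that these keys are AutoRun hardening (the kind of values security tools and McAfee's installer set) rather than the cause of a greyed-out toolbar menu; the unknown ClassicShell value is the one left for a human to look at.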
