Internet Explorer Hijacked
14 replies to this topic

#1 sdpnorm
Posted 02 May 2008 - 12:20 PM

Love some help... going nuts trying to fix. I have run every spyware and malware program I could find. They all locate bad files... but this problem is never fixed. The browser loads again with pop-up ads and something is using the computer's memory - it slows up over and over again. Please tell me what to do. Thanks - Norm

Main.txt
Deckard's System Scanner v20071014.68
Run by norm on 2008-05-02 09:58:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
37: 2008-05-02 16:58:19 UTC - RP592 - Deckard's System Scanner Restore Point
36: 2008-05-02 15:51:11 UTC - RP591 - Software Distribution Service 3.0
35: 2008-05-01 09:05:13 UTC - RP590 - Software Distribution Service 3.0
34: 2008-04-30 17:56:16 UTC - RP589 - System Checkpoint
33: 2008-04-29 15:11:33 UTC - RP588 - CounterSpy - 4/29/2008 8:11:18 AM


-- First Restore Point --
1: 2008-04-14 05:03:14 UTC - RP556 - Last known good configuration


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as norm.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:58 AM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\program files\dell\traytool.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\norm\Desktop\dss.exe
C:\DOCUME~1\norm\Desktop\norm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextag.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227701E1-C551-457E-95F6-94AED093D3F7} - C:\WINDOWS\system32\awtQJYRK.dll
O2 - BHO: (no name) - {49B29B09-A696-4014-97B6-6DEECCC42235} - (no file)
O2 - BHO: (no name) - {5EE9FC71-9D8A-477E-9061-BB2C8CFA3411} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {79E2E66C-3699-4B1F-B9CB-6A7A9AD1F509} - (no file)
O2 - BHO: (no name) - {A47C371C-16F3-4F03-A4D9-ACDBEF6231B2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {E2DE0E61-9007-485C-93D7-B09EF3DF9B9C} - (no file)
O2 - BHO: (no name) - {FCCF6271-9172-4705-B661-8270CFF7598C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [2053e721] rundll32.exe "C:\WINDOWS\system32\xkanxdxj.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [asPsDgedYj] C:\Documents and Settings\All Users\Application Data\eryfgpcj\wxorihyh.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {22D82B43-FF26-455A-A96D-A6C61F056ED7} (Gif89 xLite Class) - http://222.127.131.125/xplugxLiteTW.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163797098810
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163797471420
O16 - DPF: {6F5A14F2-0599-4780-A954-73DB8BC536B5} (FESecureX Control) - https://66.161.45.240/FESecureX/FESecureX.cab
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://222.127.131.123/xplugLite.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\Software\..\Telephony: DomainName = TKHImaging.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TKHImaging.com
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: jkkIayYp - jkkIayYp.dll (file missing)
O21 - SSODL: RomCheck - {60375be5-c130-411b-a90b-dc8670446164} - C:\WINDOWS\Installer\{60375be5-c130-411b-a90b-dc8670446164}\RomCheck.dll (file missing)
O21 - SSODL: zip - {3daa9c48-7fa6-4621-95c1-6152b9e8a0fc} - C:\WINDOWS\Installer\{3daa9c48-7fa6-4621-95c1-6152b9e8a0fc}\zip.dll (file missing)
O21 - SSODL: ServiceUnknown - {c289e982-0072-45e1-b825-5d7c5db30366} - C:\WINDOWS\Resources\ServiceUnknown.dll (file missing)
O23 - Service: Commander Service - Seagull Scientific - C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9284 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\norm\Desktop\backups\) ----------------

backup-20080417-143207-633 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20080417-143541-777 O2 - BHO: (no name) - {3FC0366D-6564-406D-94EF-A4DA62A03DC5} - C:\WINDOWS\system32\awtQJYRK.dll
backup-20080417-143541-868 O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - C:\WINDOWS\system32\jkkIayYp.dll
backup-20080417-143553-250 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
backup-20080417-143553-490 O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
backup-20080417-143553-517 O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080417-143553-985 O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
backup-20080418-101726-701 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 U3SHLPDR - c:\windows\system32\drivers\u3shlpdr.sys
R3 SBAPIFS - c:\windows\system32\drivers\sbapifs.sys (file missing)

S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys (file missing)
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Intel Alert Handler - c:\windows\system32\ams_ii\hndlrsvc.exe <Not Verified; Intel® Corporation; Intel Alert Management System 2>
R2 Intel Alert Originator - c:\windows\system32\ams_ii\iao.exe <Not Verified; Intel® Corporation; Intel Alert Management System 2>
R2 Intel File Transfer - c:\windows\system32\cba\xfr.exe <Not Verified; Intel® Corporation; Intel Common Base Agent>
R2 Intel PDS - c:\windows\system32\cba\pds.exe <Not Verified; Intel® Corporation; Intel Common Base Agent>
R2 NSCTOP (Symantec System Center Discovery Service) - c:\progra~1\symantec\symant~1\nsctop.exe <Not Verified; Symantec Corporation; Symantec System Center>
R2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1039&SUBSYS_2010107B&REV_82\4&29817089&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1039&SUBSYS_2010107B&REV_82\4&29817089&0&40F0
Service: E100B


-- Scheduled Tasks -------------------------------------------------------------

2008-05-02 09:59:03 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-02 08:50:13 420 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{54CC5A4A-7812-4C53-B446-D700A7EC159A}.job
2008-04-30 20:02:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-02 and 2008-05-02 -----------------------------

2008-05-02 09:01:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 09:00:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-01 17:36:57 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\Application Data\Sunbelt Software
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\Templates
2008-05-01 17:35:31 0 dr------- C:\Documents and Settings\Administrator.TKH-PC6\Start Menu
2008-05-01 17:35:31 0 dr-h----- C:\Documents and Settings\Administrator.TKH-PC6\SendTo
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\Recent
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\PrintHood
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\NetHood
2008-05-01 17:35:31 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\My Documents
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\Local Settings
2008-05-01 17:35:31 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\Favorites
2008-05-01 17:35:31 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\Desktop
2008-05-01 17:35:31 0 d--hs---- C:\Documents and Settings\Administrator.TKH-PC6\Cookies
2008-05-01 17:35:31 0 dr-h----- C:\Documents and Settings\Administrator.TKH-PC6\Application Data
2008-05-01 17:35:31 0 d---s---- C:\Documents and Settings\Administrator.TKH-PC6\Application Data\Microsoft
2008-05-01 17:35:31 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\Application Data\Macromedia
2008-05-01 17:35:30 524288 --ah----- C:\Documents and Settings\Administrator.TKH-PC6\NTUSER.DAT
2008-05-01 10:48:18 96320 --a------ C:\WINDOWS\system32\jrpovpjm.dll
2008-04-30 10:17:02 96320 --a------ C:\WINDOWS\system32\xkanxdxj.dll
2008-04-29 01:59:57 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-04-29 01:59:57 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-04-24 12:01:47 0 d-------- C:\WINDOWS\setup.pss
2008-04-24 12:01:32 0 d-------- C:\WINDOWS\setupupd
2008-04-18 13:58:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-18 13:50:47 0 d-------- C:\Program Files\Sunbelt Software
2008-04-18 10:39:36 0 d-------- C:\Program Files\WebWasher
2008-04-18 10:07:44 87616 --a------ C:\WINDOWS\system32\oorrhbil.dll
2008-04-17 14:05:20 4847648 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-17 13:58:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-17 13:58:35 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-17 13:58:05 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-04-17 13:54:38 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-17 13:53:34 0 d-------- C:\WINDOWS\Internet Logs
2008-04-17 13:26:16 0 d-------- C:\Documents and Settings\norm\.housecall6.6
2008-04-17 12:39:17 0 d-------- C:\Program Files\Windows Defender
2008-04-17 09:34:49 0 d-------- C:\Documents and Settings\norm\Application Data\OfficeUpdate12
2008-04-17 09:34:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-17 09:25:37 88128 --a------ C:\WINDOWS\system32\twjowfqd.dll
2008-04-17 03:07:10 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-16 16:48:26 0 d-------- C:\Documents and Settings\norm\Application Data\Sunbelt Software
2008-04-16 16:24:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-16 14:58:35 0 d-------- C:\!KillBox
2008-04-16 14:19:17 9 --a------ C:\WINDOWS\system32\2053f5af
2008-04-16 14:10:04 0 dr-h----- C:\Documents and Settings\norm\Recent
2008-04-16 14:05:51 0 d-------- C:\Program Files\CCleaner
2008-04-16 12:57:57 0 d-------- C:\VundoFix Backups
2008-04-16 12:42:18 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-04-16 12:40:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-16 10:33:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-15 17:21:49 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-15 17:04:34 0 d-------- C:\Documents and Settings\administrator\Application Data\Adobe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\a.bat
2008-04-15 17:03:42 0 d-------- C:\Documents and Settings\administrator\Desktopvirii
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32thun.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-04-15 17:03:41 0 d-------- C:\WINDOWS\system32smp
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32netode.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-04-15 17:03:41 4096 --a------ C:\Documents and Settings\administrator\DesktopFWebdEditor.exe
2008-04-15 17:03:41 4096 --a------ C:\Documents and Settings\administrator\Desktopfwebd.exe
2008-04-15 17:03:41 4096 --a------ C:\Documents and Settings\administrator\Desktopfilemanagerclient.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-04-15 08:59:09 86080 --a------ C:\WINDOWS\system32\qmtbpbsu.dll
2008-04-14 17:24:13 0 d-------- C:\Program Files\AskPBar
2008-04-14 11:54:24 0 d-------- C:\Program Files\Alwil Software
2008-04-13 22:02:53 85568 --a------ C:\WINDOWS\system32\kcobnrks.dll
2008-04-13 21:59:49 471504 --ahs---- C:\WINDOWS\system32\KRYJQtwa.ini2
2008-04-13 21:59:39 272896 --a------ C:\WINDOWS\system32\awtQJYRK.dll
2008-04-13 21:54:44 0 d-------- C:\Documents and Settings\All Users\Application Data\eryfgpcj
2008-04-13 21:54:41 94208 --a------ C:\WINDOWS\system32\gfwdslcx.exe
2008-04-13 21:54:35 146 --a------ C:\clean.bat
2008-04-03 08:32:10 0 d-------- C:\Program Files\iPod
2008-04-03 08:31:55 0 d-------- C:\Program Files\iTunes
2008-04-03 08:29:35 0 d-------- C:\Program Files\QuickTime


-- Find3M Report ---------------------------------------------------------------

2008-05-02 09:52:48 0 d-------- C:\Documents and Settings\norm\Application Data\SpamAid
2008-04-17 12:11:13 0 d-------- C:\Program Files\Trillian
2008-04-16 14:05:57 0 d-------- C:\Program Files\Yahoo!
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-14 12:36:44 0 d-------- C:\Program Files\AdBlaster
2008-04-14 08:55:23 0 d-------- C:\Program Files\Common Files
2008-04-14 08:55:21 0 d-------- C:\Documents and Settings\norm\Application Data\SUPERAntiSpyware.com
2008-04-14 08:55:17 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-27 09:26:46 98304 --a------ C:\WINDOWS\system32\mpyvalid.exe
2008-03-21 13:03:46 0 d-------- C:\Documents and Settings\norm\Application Data\Apple Computer
2008-03-17 14:49:26 524288 --a------ C:\WINDOWS\opuc.dll <Not Verified; Microsoft Corporation; 2007 Microsoft Office system>
2008-03-10 09:08:48 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-04 13:47:09 34 ---h----- C:\WINDOWS\sys2111
2008-03-04 13:47:09 34 ---h----- C:\WINDOWS\stmp718
2008-03-04 13:47:09 34 ---h----- C:\WINDOWS\kds100
2008-03-04 13:47:09 34 ---h----- C:\WINDOWS\drvr192
2008-03-04 13:32:49 0 d-------- C:\Program Files\Seagull
2008-03-04 13:26:24 0 --ah----- C:\WINDOWS\wnissy53
2008-02-21 11:29:18 96412 --a------ C:\Program Files\Common Files\Engines.lnl
2008-02-05 12:47:39 2935 --a----c- C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{227701E1-C551-457E-95F6-94AED093D3F7}]
04/13/2008 09:59 PM 272896 --a------ C:\WINDOWS\system32\awtQJYRK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49B29B09-A696-4014-97B6-6DEECCC42235}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EE9FC71-9D8A-477E-9061-BB2C8CFA3411}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79E2E66C-3699-4B1F-B9CB-6A7A9AD1F509}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A47C371C-16F3-4F03-A4D9-ACDBEF6231B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2DE0E61-9007-485C-93D7-B09EF3DF9B9C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FCCF6271-9172-4705-B661-8270CFF7598C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 12:36 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 12:31 PM]
"ToolExe"="c:\program files\dell\traytool.exe" [04/18/2003 02:45 PM]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [01/12/2007 06:45 PM]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [12/21/2007 03:30 PM]
"2053e721"="C:\WINDOWS\system32\xkanxdxj.dll" [04/30/2008 10:17 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/04/2007 05:23 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"asPsDgedYj"=C:\Documents and Settings\All Users\Application Data\eryfgpcj\wxorihyh.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RomCheck"= {60375be5-c130-411b-a90b-dc8670446164} - C:\WINDOWS\Installer\{60375be5-c130-411b-a90b-dc8670446164}\RomCheck.dll [ ]
"zip"= {3daa9c48-7fa6-4621-95c1-6152b9e8a0fc} - C:\WINDOWS\Installer\{3daa9c48-7fa6-4621-95c1-6152b9e8a0fc}\zip.dll [ ]
"ServiceUnknown"= {c289e982-0072-45e1-b825-5d7c5db30366} - C:\WINDOWS\Resources\ServiceUnknown.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 01/12/2007 06:45 PM 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIayYp]
jkkIayYp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtQJYRK

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2053e721]
rundll32.exe "C:\WINDOWS\system32\twjowfqd.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

*Newly Created Service* - SBAPIFS



-- End of Deckard's System Scanner: finished at 2008-05-02 10:01:19 ------------



Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.93GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 1526.73 MiB / 1063.05 MiB
Pagefile Memory (total/avail): 2136.25 MiB / 1685.61 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.46 MiB

C: is Fixed (NTFS) - 70.87 GiB total, 54.6 GiB free.
D: is Removable (No Media)
E: is Removable (No Media)
F: is Removable (FAT)
G: is Removable (No Media)
H: is Fixed (FAT32) - 3.65 GiB total, 1.64 GiB free.
I: is CDROM (No Media)
S: is Network (Unformatted)
Y: is Network (NTFS)
Z: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 3.65 GiB - H:
\PARTITION1 (bootable) - Installable File System - 70.87 GiB - C:

\\.\PHYSICALDRIVE1 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE2 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE3 - eM Bay Reader USB Device - 117.66 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 124.98 MiB - F:

\\.\PHYSICALDRIVE4 - eM Bay Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: ZoneAlarm Firewall v7.0.473.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe:*:Enabled:QuickBooks Enterprise 7.0 Data Manager"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe:*:Enabled:QuickBooks Enterprise 7.0 Data Manager"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\norm\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TKH-PC6
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\norm
LOGONSERVER=\\TKH-SERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\norm\LOCALS~1\Temp
TMP=C:\DOCUME~1\norm\LOCALS~1\Temp
tvdumpflags=8
USERDNSDOMAIN=TKHIMAGING.COM
USERDOMAIN=TKHIMAGING
USERNAME=norm
USERPROFILE=C:\Documents and Settings\norm
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ABD (admin)
QBDataServiceUser17
Administrator.TKH-PC6 (new local, admin)
norm (admin)
administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{78B4389F-806C-46A3-B38D-7D6AF150410C}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
AdBlaster --> C:\WINDOWS\unvise32.exe C:\Program Files\AdBlaster\uninstal.log
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AnalogX Keyword Extractor --> C:\Program Files\AnalogX\Keyword Extractor\keyexu.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ask Toolbar --> rundll32 C:\PROGRA~1\AskPBar\bar\1.bin\AskPBar.dll,O
Best Keywords Finder --> C:\PROGRA~1\FilesWeb\BKF\UNWISE.EXE C:\PROGRA~1\FilesWeb\BKF\INSTALL.LOG
Blog Blaster --> C:\PROGRA~1\BLOGBL~1\BLOGBL~1\UNWISE.EXE C:\PROGRA~1\BLOGBL~1\BLOGBL~1\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dell Printer Software Uninstall --> C:\Program Files\Dell\Install\uninstall.exe
Fast Email Extractor 6 --> MsiExec.exe /I{1186703C-E6E6-4F7E-8CCD-6D26272A2579}
Feed Blaster --> C:\PROGRA~1\FEEDBL~1\BLOGBL~1\UNWISE.EXE C:\PROGRA~1\FEEDBL~1\BLOGBL~1\INSTALL.LOG
FileZilla Client 3.0.0 --> C:\Program Files\FileZilla Client\uninstall.exe
Good Keywords v2.01.120706 --> "C:\Program Files\Softnik Technologies\Good Keywords v2.01\unins000.exe"
Google Base Store Connector --> C:\Program Files\Google\Google Base Store Connector\uninst.exe
Google Ca$h Machine! Version 1.1 --> C:\PROGRA~1\GOOGLE~1\UNWISE.EXE C:\PROGRA~1\GOOGLE~1\INSTALL.LOG
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
GoToMyPC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F4D4FD-1814-4068-B316-C28FC776C6DD}\Setup.exe" -l0x9 AddRemovePrograms
HijackThis 2.0.2 --> "C:\Documents and Settings\norm\Local Settings\Temporary Internet Files\Content.IE5\BYJBNQ7E\HijackThis.exe" /uninstall
Hit Booster --> C:\PROGRA~1\HITBOO~1\BLOGBL~1\UNWISE.EXE C:\PROGRA~1\HITBOO~1\BLOGBL~1\INSTALL.LOG
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iNSTANT BOOSTER --> C:\PROGRA~1\INSTAN~1\BLOGBL~1\UNWISE.EXE C:\PROGRA~1\INSTAN~1\BLOGBL~1\INSTALL.LOG
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Network Connections --> MsiExec.exe /I{111A3D14-7596-43B0-92BA-418435C90672}
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Keyword Explorer v1.0.020307 --> "C:\Program Files\MyToolPad.Com\Keyword Explorer\unins000.exe"
LimeWire 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate --> C:\Program Files\Symantec\LiveUpdate\Uninst.exe -u
LiveUpdate Administration Utility --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\LiveUpdate Administration\Uninst.isu" -c"C:\Program Files\LiveUpdate Administration\ISLUA.DLL"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Small Business 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall SMALLBUSINESSR /dll OSETUP.DLL
Microsoft Office Small Business 2007 --> MsiExec.exe /X{91120000-00CA-0000-0000-0000000FF1CE}
Microsoft Office Visio 2007 Service Pack 1 (SP1) --> msiexec /package {90120000-0054-0409-0000-0000000FF1CE} /uninstall {EA35370F-586C-45E1-AC6C-A4E275C6B762}
Microsoft Office Visio 2007 Service Pack 1 (SP1) --> msiexec /package {91120000-0053-0000-0000-0000000FF1CE} /uninstall {AA4F2610-5FF1-4DCD-A6FB-BCA2D09A6443}
Microsoft Office Visio MUI (English) 2007 --> MsiExec.exe /X{90120000-0054-0409-0000-0000000FF1CE}
Microsoft Office Visio Standard 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISSTDR /dll OSETUP.DLL
Microsoft Office Visio Standard 2007 --> MsiExec.exe /X{91120000-0053-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
PhotoFiltre --> "C:\Program Files\PhotoFiltre\Uninst.exe"
QODBC Driver --> C:\Program Files\Intuit\QuickBooks Enterprise Solutions 7.0\Components\QODBC\UNINST.BAT
QuickBooks Enterprise Solutions: Mfg and Whsle Edition 7.0 --> msiexec.exe /I {78B4389F-806C-46A3-B38D-7D6AF150410C} UNIQUE_NAME="belwholesale" QBFULLNAME="QuickBooks Enterprise Solutions: Mfg and Whsle Edition 7.0" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{55584E16-4D70-44EE-93DD-F144E8B7D4B7}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Quintura Search™ --> "C:\Program Files\Quintura Inc\Quintura Search\unins000.exe"
REALTEK GbE & FE Ethernet PCI NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {91120000-0053-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Security Update for Visio 2007 (KB947590) --> msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SpamAid 4.0 --> "C:\Program Files\SoftLogica\SpamAid 4.0\Uninstall.exe" "C:\Program Files\SoftLogica\SpamAid 4.0\install.log" -u
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Symantec System Center --> MsiExec.exe /I{1F211E59-C268-4A86-ACC2-5B0CD153C26C}
Symantec System Center --> MsiExec.exe /I{1F211E59-C268-4A86-ACC2-5B0CD153C26C}
The KMPlayer (remove only) --> "C:\Program Files\The KMPlayer\uninstall.exe"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0053-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb949037) --> msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {B4F188C6-6DBF-42A5-A8A3-3086D1A384F2}
WebWasher --> C:\Program Files\WebWasher\wwasher.exe /feedback:uninstall /launch:"C:\PROGRA~1\WEBWAS~1\UNWISE.EXE C:\PROGRA~1\WEBWAS~1\INSTALL.LOG"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type9072 / Warning
Event Submitted/Written: 05/02/2008 09:53:10 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type9056 / Warning
Event Submitted/Written: 05/01/2008 05:33:00 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type9049 / Error
Event Submitted/Written: 05/01/2008 05:15:37 PM
Event ID/Source: 4126 / Ci
Event Description:
Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci. Index will
be automatically restored by refiltering all documents.

Event Record #/Type9048 / Error
Event Submitted/Written: 05/01/2008 05:15:37 PM
Event ID/Source: 4124 / Ci
Event Description:
Content index on c:\system volume information\catalog.wci is corrupt. Please shutdown and restart
the Indexing Service (cisvc).

Event Record #/Type9047 / Warning
Event Submitted/Written: 05/01/2008 05:15:37 PM
Event ID/Source: 4132 / Ci
Event Description:
1 inconsistencies were detected in PropertyStore during recovery of catalog c:\system volume information\catalog.wci.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10264 / Warning
Event Submitted/Written: 05/02/2008 10:00:09 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%TKHIMAGING27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TKHIMAGING27 can't undo changes that you allow.

For more information please see the following:
%TKHIMAGING275

Scan ID: {786F1E55-E540-4A2B-9C52-923A38113273}

User: TKHIMAGING\norm

Name: %TKHIMAGING271

ID: %TKHIMAGING272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %TKHIMAGING276

Alert Type: %TKHIMAGING278

Detection Type: 1.1.1593.02

Event Record #/Type10263 / Warning
Event Submitted/Written: 05/02/2008 10:00:09 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%TKHIMAGING27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TKHIMAGING27 can't undo changes that you allow.

For more information please see the following:
%TKHIMAGING275

Scan ID: {F216B98D-D331-4655-BD78-3E5E174A9D8B}

User: TKHIMAGING\norm

Name: %TKHIMAGING271

ID: %TKHIMAGING272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %TKHIMAGING276

Alert Type: %TKHIMAGING278

Detection Type: 1.1.1593.02

Event Record #/Type10262 / Warning
Event Submitted/Written: 05/02/2008 10:00:09 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%TKHIMAGING27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TKHIMAGING27 can't undo changes that you allow.

For more information please see the following:
%TKHIMAGING275

Scan ID: {60748B39-D7D0-4966-A0B3-0ECB777C9E22}

User: TKHIMAGING\norm

Name: %TKHIMAGING271

ID: %TKHIMAGING272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %TKHIMAGING276

Alert Type: %TKHIMAGING278

Detection Type: 1.1.1593.02

Event Record #/Type10261 / Warning
Event Submitted/Written: 05/02/2008 10:00:07 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%TKHIMAGING27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TKHIMAGING27 can't undo changes that you allow.

For more information please see the following:
%TKHIMAGING275

Scan ID: {711ADCC9-FC23-4FC2-97DC-0B0E1FF76421}

User: TKHIMAGING\norm

Name: %TKHIMAGING271

ID: %TKHIMAGING272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %TKHIMAGING276

Alert Type: %TKHIMAGING278

Detection Type: 1.1.1593.02

Event Record #/Type10260 / Warning
Event Submitted/Written: 05/02/2008 10:00:07 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%TKHIMAGING27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TKHIMAGING27 can't undo changes that you allow.

For more information please see the following:
%TKHIMAGING275

Scan ID: {EAC41BFF-0C86-40BB-B4FF-F42B767286D1}

User: TKHIMAGING\norm

Name: %TKHIMAGING271

ID: %TKHIMAGING272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %TKHIMAGING276

Alert Type: %TKHIMAGING278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-05-02 10:01:19 ------------


#2 sdpnorm
  • Topic Starter
  • Members
  • 7 posts

Posted 06 May 2008 - 12:33 PM

Can anyone help? Any ideas? Thanks!!! Norm

#3 ken545
  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 18 May 2008 - 06:14 AM

Hello sdpnorm

Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, post a new HJT log please as your system may have changed since your original post. By replying to your own post you removed yourself from the Zero replies category that we look for to work logs and it looked like you were being helped.

Let me ask you if this is a company computer and networked to other computers ?????


Just a reminder that threads will be closed if no response in 3 days


#4 sdpnorm
  • Topic Starter
  • Members
  • 7 posts

Posted 19 May 2008 - 04:47 PM

Mod Edit: To merge new HJT log with existing topic. ~ TMacK

this is a new posted topic - as requested...... thanks Norm

-------

Hello sdpnorm

Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, post a new HJT log please as your system may have changed since your original post. By replying to your own post you removed yourself from the Zero replies category that we look for to work logs and it looked like you were being helped.

Let me ask you if this is a company computer and networked to other computers ????? - I am on a small network (less than 15 users), but no one else has these issues.

the only problem appears to be
-------
main.txt

Deckard's System Scanner v20071014.68
Run by norm on 2008-05-19 14:35:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as norm.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:42 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\program files\dell\traytool.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 7.0\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\norm\Desktop\dss.exe
C:\DOCUME~1\norm\Desktop\norm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextag.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49B29B09-A696-4014-97B6-6DEECCC42235} - (no file)
O2 - BHO: (no name) - {5EE9FC71-9D8A-477E-9061-BB2C8CFA3411} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {79E2E66C-3699-4B1F-B9CB-6A7A9AD1F509} - (no file)
O2 - BHO: (no name) - {A47C371C-16F3-4F03-A4D9-ACDBEF6231B2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {E1B0667C-5170-43FC-B906-7BF813ECBCA4} - C:\WINDOWS\system32\awtQJYRK.dll
O2 - BHO: (no name) - {E2DE0E61-9007-485C-93D7-B09EF3DF9B9C} - (no file)
O2 - BHO: (no name) - {FCCF6271-9172-4705-B661-8270CFF7598C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2053e721] rundll32.exe "C:\WINDOWS\system32\mfhyhutr.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [asPsDgedYj] C:\Documents and Settings\All Users\Application Data\eryfgpcj\wxorihyh.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {22D82B43-FF26-455A-A96D-A6C61F056ED7} (Gif89 xLite Class) - http://222.127.131.125/xplugxLiteTW.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163797098810
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163797471420
O16 - DPF: {6F5A14F2-0599-4780-A954-73DB8BC536B5} (FESecureX Control) - https://66.161.45.240/FESecureX/FESecureX.cab
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://222.127.131.123/xplugLite.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\Software\..\Telephony: DomainName = TKHImaging.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TKHImaging.com
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: jkkIayYp - jkkIayYp.dll (file missing)
O21 - SSODL: RomCheck - {60375be5-c130-411b-a90b-dc8670446164} - C:\WINDOWS\Installer\{60375be5-c130-411b-a90b-dc8670446164}\RomCheck.dll (file missing)
O21 - SSODL: zip - {3daa9c48-7fa6-4621-95c1-6152b9e8a0fc} - C:\WINDOWS\Installer\{3daa9c48-7fa6-4621-95c1-6152b9e8a0fc}\zip.dll (file missing)
O21 - SSODL: ServiceUnknown - {c289e982-0072-45e1-b825-5d7c5db30366} - C:\WINDOWS\Resources\ServiceUnknown.dll (file missing)
O23 - Service: Commander Service - Seagull Scientific - C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9736 bytes

-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-19 11:26:33 93248 --a------ C:\WINDOWS\system32\mfhyhutr.dll
2008-05-18 11:25:56 92736 -----n--- C:\WINDOWS\system32\mmomqsnb.dll
2008-05-17 11:25:26 92224 -----n--- C:\WINDOWS\system32\dlacubkj.dll
2008-05-16 11:26:00 90688 -----n--- C:\WINDOWS\system32\yhujcsui.dll
2008-05-09 07:25:46 0 d--h----- C:\WINDOWS\PIF
2008-05-02 09:01:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 09:00:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-01 17:36:57 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\Application Data\Sunbelt Software
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\Templates
2008-05-01 17:35:31 0 dr------- C:\Documents and Settings\Administrator.TKH-PC6\Start Menu
2008-05-01 17:35:31 0 dr-h----- C:\Documents and Settings\Administrator.TKH-PC6\SendTo
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\Recent
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\PrintHood
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\NetHood
2008-05-01 17:35:31 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\My Documents
2008-05-01 17:35:31 0 d--h----- C:\Documents and Settings\Administrator.TKH-PC6\Local Settings
2008-05-01 17:35:31 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\Favorites
2008-05-01 17:35:31 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\Desktop
2008-05-01 17:35:31 0 d--hs---- C:\Documents and Settings\Administrator.TKH-PC6\Cookies
2008-05-01 17:35:31 0 dr-h----- C:\Documents and Settings\Administrator.TKH-PC6\Application Data
2008-05-01 17:35:31 0 d---s---- C:\Documents and Settings\Administrator.TKH-PC6\Application Data\Microsoft
2008-05-01 17:35:31 0 d-------- C:\Documents and Settings\Administrator.TKH-PC6\Application Data\Macromedia
2008-05-01 17:35:30 524288 --ah----- C:\Documents and Settings\Administrator.TKH-PC6\NTUSER.DAT
2008-05-01 10:48:18 96320 --a------ C:\WINDOWS\system32\jrpovpjm.dll
2008-04-24 12:01:47 0 d-------- C:\WINDOWS\setup.pss
2008-04-24 12:01:32 0 d-------- C:\WINDOWS\setupupd


-- Find3M Report ---------------------------------------------------------------

2008-05-19 14:35:30 915136 --ahs---- C:\WINDOWS\system32\KRYJQtwa.ini2
2008-05-19 12:38:18 0 d-------- C:\Documents and Settings\norm\Application Data\SpamAid
2008-05-08 15:30:03 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-18 13:50:47 0 d-------- C:\Program Files\Sunbelt Software
2008-04-18 10:42:03 0 d-------- C:\Program Files\WebWasher
2008-04-18 10:07:44 87616 --a------ C:\WINDOWS\system32\oorrhbil.dll
2008-04-17 14:13:04 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-17 12:39:19 0 d-------- C:\Program Files\Windows Defender
2008-04-17 12:11:13 0 d-------- C:\Program Files\Trillian
2008-04-17 09:34:57 0 d-------- C:\Documents and Settings\norm\Application Data\OfficeUpdate12
2008-04-17 09:29:12 88128 --a------ C:\WINDOWS\system32\twjowfqd.dll
2008-04-17 03:07:16 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-16 16:48:26 0 d-------- C:\Documents and Settings\norm\Application Data\Sunbelt Software
2008-04-16 14:19:17 9 --a------ C:\WINDOWS\system32\2053f5af
2008-04-16 14:06:14 0 d-------- C:\Program Files\CCleaner
2008-04-16 14:05:57 0 d-------- C:\Program Files\Yahoo!
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-15 17:03:42 4096 --a------ C:\WINDOWS\a.bat
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32thun.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32netode.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-04-15 17:03:41 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-04-15 17:03:40 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-04-15 08:59:09 86080 --a------ C:\WINDOWS\system32\qmtbpbsu.dll
2008-04-14 17:24:13 0 d-------- C:\Program Files\AskPBar
2008-04-14 12:36:44 0 d-------- C:\Program Files\AdBlaster
2008-04-14 11:54:24 0 d-------- C:\Program Files\Alwil Software
2008-04-14 08:55:23 0 d-------- C:\Program Files\Common Files
2008-04-14 08:55:21 0 d-------- C:\Documents and Settings\norm\Application Data\SUPERAntiSpyware.com
2008-04-14 08:55:17 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-13 22:02:54 85568 --a------ C:\WINDOWS\system32\kcobnrks.dll
2008-04-13 21:59:42 272896 --a------ C:\WINDOWS\system32\awtQJYRK.dll
2008-04-13 21:54:35 146 --a------ C:\clean.bat
2008-04-03 08:32:28 0 d-------- C:\Program Files\iTunes
2008-04-03 08:32:10 0 d-------- C:\Program Files\iPod
2008-04-03 08:30:13 0 d-------- C:\Program Files\QuickTime
2008-03-27 09:26:46 98304 --a------ C:\WINDOWS\system32\mpyvalid.exe
2008-03-21 13:03:46 0 d-------- C:\Documents and Settings\norm\Application Data\Apple Computer
2008-03-17 14:49:26 524288 --a------ C:\WINDOWS\opuc.dll <Not Verified; Microsoft Corporation; 2007 Microsoft Office system>
2008-03-04 13:47:09 34 ---h----- C:\WINDOWS\sys2111
2008-03-04 13:47:09 34 ---h----- C:\WINDOWS\stmp718
2008-03-04 13:47:09 34 ---h----- C:\WINDOWS\kds100
2008-03-04 13:47:09 34 ---h----- C:\WINDOWS\drvr192
2008-03-04 13:26:24 0 --ah----- C:\WINDOWS\wnissy53
2008-02-21 11:29:18 96412 --a------ C:\Program Files\Common Files\Engines.lnl


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49B29B09-A696-4014-97B6-6DEECCC42235}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EE9FC71-9D8A-477E-9061-BB2C8CFA3411}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79E2E66C-3699-4B1F-B9CB-6A7A9AD1F509}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A47C371C-16F3-4F03-A4D9-ACDBEF6231B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1B0667C-5170-43FC-B906-7BF813ECBCA4}]
04/13/2008 09:59 PM 272896 --a------ C:\WINDOWS\system32\awtQJYRK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2DE0E61-9007-485C-93D7-B09EF3DF9B9C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FCCF6271-9172-4705-B661-8270CFF7598C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 12:36 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 12:31 PM]
"ToolExe"="c:\program files\dell\traytool.exe" [04/18/2003 02:45 PM]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [01/12/2007 06:45 PM]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [12/21/2007 03:30 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"2053e721"="C:\WINDOWS\system32\mfhyhutr.dll" [05/19/2008 11:26 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/04/2007 05:23 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"asPsDgedYj"=C:\Documents and Settings\All Users\Application Data\eryfgpcj\wxorihyh.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RomCheck"= {60375be5-c130-411b-a90b-dc8670446164} - C:\WINDOWS\Installer\{60375be5-c130-411b-a90b-dc8670446164}\RomCheck.dll [ ]
"zip"= {3daa9c48-7fa6-4621-95c1-6152b9e8a0fc} - C:\WINDOWS\Installer\{3daa9c48-7fa6-4621-95c1-6152b9e8a0fc}\zip.dll [ ]
"ServiceUnknown"= {c289e982-0072-45e1-b825-5d7c5db30366} - C:\WINDOWS\Resources\ServiceUnknown.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 01/12/2007 06:45 PM 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIayYp]
jkkIayYp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtQJYRK

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2053e721]
rundll32.exe "C:\WINDOWS\system32\twjowfqd.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

*Newly Created Service* - SBAPIFS



-- End of Deckard's System Scanner: finished at 2008-05-19 14:37:07 ------------

Edited by TMacK, 19 May 2008 - 04:58 PM.


#5 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender: Male
  • Location: The Space Coast of Florida
  • Local time: 08:45 PM

Posted 19 May 2008 - 06:46 PM

Hello Norm,

You're infected with the Vundo Trojan, and being networked to other computers could be a problem. I will be back in a bit.

Ken

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#6 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender: Male
  • Location: The Space Coast of Florida
  • Local time: 08:45 PM

Posted 19 May 2008 - 07:32 PM

Norm,

First, download and install HijackThis by Trend Micro; I don't need to see the Deckard report any longer unless we need it in the future. You also need to understand that it's possible to infect the other computers on your network, so follow these instructions.

Download Trend Micro's HijackThis to your desktop.
Double click it to install.
Follow the prompts, and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
  • Open HJT, Scan and Save a Log File; it will open in Notepad.
  • Go to Format and make sure Word Wrap is unchecked.
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply rather than starting a new thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.



I need you to download a couple of programs, but understand that it's very important that after you download them you disconnect from your network by unplugging the LAN cable.


Download VundoFix to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




Download and install this program, check for updates, disconnect from the network, and then proceed to run the program.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a Hijackthis log.


Post both the VundoFix log and the Malwarebytes log, and when you're done with both scans post an HJT log.



#7 sdpnorm

  • Topic Starter
  • Members
  • 7 posts
  • Local time: 06:45 PM

Posted 19 May 2008 - 07:50 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:29 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\program files\dell\traytool.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 7.0\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextag.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2053e721] rundll32.exe "C:\WINDOWS\system32\mfhyhutr.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [asPsDgedYj] C:\Documents and Settings\All Users\Application Data\eryfgpcj\wxorihyh.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {22D82B43-FF26-455A-A96D-A6C61F056ED7} (Gif89 xLite Class) - http://222.127.131.125/xplugxLiteTW.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163797098810
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163797471420
O16 - DPF: {6F5A14F2-0599-4780-A954-73DB8BC536B5} (FESecureX Control) - https://66.161.45.240/FESecureX/FESecureX.cab
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://222.127.131.123/xplugLite.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\Software\..\Telephony: DomainName = TKHImaging.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TKHImaging.com
O21 - SSODL: RomCheck - {60375be5-c130-411b-a90b-dc8670446164} - C:\WINDOWS\Installer\{60375be5-c130-411b-a90b-dc8670446164}\RomCheck.dll (file missing)
O21 - SSODL: zip - {3daa9c48-7fa6-4621-95c1-6152b9e8a0fc} - C:\WINDOWS\Installer\{3daa9c48-7fa6-4621-95c1-6152b9e8a0fc}\zip.dll (file missing)
O21 - SSODL: ServiceUnknown - {c289e982-0072-45e1-b825-5d7c5db30366} - C:\WINDOWS\Resources\ServiceUnknown.dll (file missing)
O23 - Service: Commander Service - Seagull Scientific - C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8331 bytes
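Ken's call of Vundo in post #5 comes from reading load-point entries like the ones in the log above: a rundll32 entry in HKLM\..\Run loading a randomly named DLL from system32, an autostart under Policies\Explorer\Run, Winlogon Notify and SSODL entries pointing at missing files, and DPF (ActiveX) downloads from bare IP addresses. As an added example (not code from the thread, from BleepingComputer or from Trend Micro's HijackThis), the Python script below encodes those observations as triage heuristics and runs them over a constructed sample that mixes lines copied from the posted log with benign entries. The regexes, the eight-letter DLL rule and the section scoping are this example's own assumptions.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example; not code from the thread, from BleepingComputer or from
Trend Micro's HijackThis. It encodes the kind of reading a helper does by
eye: which load points carry randomly named or missing files, and which
ActiveX downloads come from bare IP addresses.
"""
import re
from typing import Dict, List, Tuple

# "<section> - <rest>", e.g. "O4 - HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")

# Eight letters followed by .dll: the random-name style seen in this thread
# (mfhyhutr.dll, jkkIayYp.dll). Assumption of this example; it is scoped to
# specific load points below so legitimate names such as REFIEBAR.DLL pass.
RANDOM_DLL_RE = re.compile(r"\b[A-Za-z]{8}\.dll\b")

# http(s):// followed by a dotted quad instead of a hostname
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")


def triage_line(line: str) -> List[str]:
    """Return the reasons one log line deserves a second look ([] = none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, rest = m.group("section"), m.group("rest")
    reasons: List[str] = []

    if section == "O4":
        # Autostart entries: rundll32 loading a random DLL, or the rarely
        # used Policies\Explorer\Run key.
        if "rundll32.exe" in rest.lower() and RANDOM_DLL_RE.search(rest):
            reasons.append("rundll32 loads a randomly named DLL at startup")
        if "\\Policies\\Explorer\\Run" in rest:
            reasons.append("autostart via Policies\\Explorer\\Run")

    if section in ("O20", "O21") and "(file missing)" in rest:
        reasons.append(f"{section} load point references a missing file")
    if section == "O20" and RANDOM_DLL_RE.search(rest):
        reasons.append("Winlogon Notify DLL has a random name")

    if section == "O16" and BARE_IP_URL_RE.search(rest):
        reasons.append("ActiveX control (DPF) downloaded from a bare IP address")

    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log; return only the flagged lines."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings


def summarize(findings: List[Tuple[str, List[str]]]) -> Dict[str, int]:
    """Count flagged lines per HJT section, for a quick overview."""
    counts: Dict[str, int] = {}
    for line, _ in findings:
        section = line.split(" - ", 1)[0]
        counts[section] = counts.get(section, 0) + 1
    return counts


# Constructed sample: entries copied from the log posted above, mixed with
# benign ones so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [2053e721] rundll32.exe "C:\WINDOWS\system32\mfhyhutr.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [asPsDgedYj] C:\Documents and Settings\All Users\Application Data\eryfgpcj\wxorihyh.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163797098810
O16 - DPF: {22D82B43-FF26-455A-A96D-A6C61F056ED7} (Gif89 xLite Class) - http://222.127.131.125/xplugxLiteTW.cab
O20 - Winlogon Notify: jkkIayYp - jkkIayYp.dll (file missing)
O21 - SSODL: zip - {3daa9c48-7fa6-4621-95c1-6152b9e8a0fc} - C:\WINDOWS\Installer\{3daa9c48-7fa6-4621-95c1-6152b9e8a0fc}\zip.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
    print(summarize(triage_log(SAMPLE_LOG)))
```

The eight-letter rule is deliberately scoped to the O4 rundll32 and O20 cases; applied to every line it would also catch REFIEBAR.DLL, which belongs to Office. The output is a list of lines to look at, not a verdict; in the thread it is VundoFix and then Malwarebytes that confirm and remove the infection, and the flagged lines are simply the ones a helper would check against those results.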

#8 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender: Male
  • Location: The Space Coast of Florida
  • Local time: 08:45 PM

Posted 19 May 2008 - 08:26 PM

Good, HJT installed exactly where we want it to be.

Now run VundoFix and Malwarebytes and post the logs, and then when you're done with both of these scans post a new HJT log.



#9 sdpnorm

  • Topic Starter
  • Members
  • 7 posts
  • Local time: 06:45 PM

Posted 20 May 2008 - 12:51 AM

I ran VundoFix - it did not find anything and did not create a log.

I ran Malwarebytes and it found many items - I removed them. The logs are listed below.

It seems to be running better so far... anything else I need to fix? Thank you soooo much!!! Norm

-----

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 58193
Time elapsed: 19 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 29
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 84

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtQJYRK.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\mfhyhutr.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a4b49ac1-9c3e-42bc-b193-33cdc3a1b044} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a4b49ac1-9c3e-42bc-b193-33cdc3a1b044} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{1f60e7f1-0051-4531-8310-8da152244ada} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{575d6631-f4c7-41f9-b10d-b2a3b5e3cc3c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{32fab2d6-f408-4fa9-aece-6a7a62ea6611} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{deeb4b2a-c2b5-4583-b79d-f189dd461136} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0a8b58b-32e6-42f6-9aa7-10725bbec62a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fa095694-3fc6-46a2-8886-bf17f2e1a81c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{972ac46b-d958-46d9-af77-878c689d1786} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sgoblxtm.btrp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sgoblxtm.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qvdntlmw.bqvx (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qvdntlmw.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2053e721 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Clicker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqjyrk -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqjyrk -> Delete on reboot.

Folders Infected:
C:\WINDOWS\Installer\{60375be5-c130-411b-a90b-dc8670446164} (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{3daa9c48-7fa6-4621-95c1-6152b9e8a0fc} (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\awtQJYRK.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\KRYJQtwa.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\KRYJQtwa.ini2 (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jrpovpjm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mjpvoprj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kcobnrks.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\skrnbock.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfhyhutr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rtuhyhfm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oorrhbil.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\libhrroo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qmtbpbsu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\usbpbtmq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twjowfqd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dqfwojwt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mpyvalid.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\norm\Local Settings\Temporary Internet Files\Content.IE5\M7IRCF4B\kriv[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\akttzn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\anticipator.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\awtoolb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\bdn.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\bsva-egihsg52.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\dpcproxy.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\emesx.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\h@tkeysh@@k.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\hoproxy.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\hxiwlgpm.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\hxiwlgpm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\medup012.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\medup020.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\msgp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\msnbho.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\mssecu.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\msvchost.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\mtr2.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\mwin32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\netode.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\newsd32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\ps1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\psof1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\psoft1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\regc64.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\regm64.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\Rundl1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\sncntr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\ssurf022.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\ssvchost.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\ssvchost.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\sysreq.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\taack.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\taack.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\temp#01.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\thun.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\thun32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\VBIEWER.OCX (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\vbsys2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\vcatchpi.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\winlogonpc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\WINWGPX.EXE (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\EditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\EditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\filemanagerclient.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\fkwp1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\fkwp2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\fwebd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\FWebdEditor.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Desktop\Trojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\norm\g2mdlhlpx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:15 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\ams_ii\iao.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\program files\dell\traytool.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextag.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49B29B09-A696-4014-97B6-6DEECCC42235} - (no file)
O2 - BHO: (no name) - {5EE9FC71-9D8A-477E-9061-BB2C8CFA3411} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {79E2E66C-3699-4B1F-B9CB-6A7A9AD1F509} - (no file)
O2 - BHO: (no name) - {A47C371C-16F3-4F03-A4D9-ACDBEF6231B2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {E2DE0E61-9007-485C-93D7-B09EF3DF9B9C} - (no file)
O2 - BHO: (no name) - {FCCF6271-9172-4705-B661-8270CFF7598C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [asPsDgedYj] C:\Documents and Settings\All Users\Application Data\eryfgpcj\wxorihyh.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {22D82B43-FF26-455A-A96D-A6C61F056ED7} (Gif89 xLite Class) - http://222.127.131.125/xplugxLiteTW.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163797098810
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163797471420
O16 - DPF: {6F5A14F2-0599-4780-A954-73DB8BC536B5} (FESecureX Control) - https://66.161.45.240/FESecureX/FESecureX.cab
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://222.127.131.123/xplugLite.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\Software\..\Telephony: DomainName = TKHImaging.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TKHImaging.com
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: jkkIayYp - jkkIayYp.dll (file missing)
O21 - SSODL: RomCheck - {60375be5-c130-411b-a90b-dc8670446164} - C:\WINDOWS\Installer\{60375be5-c130-411b-a90b-dc8670446164}\RomCheck.dll (file missing)
O21 - SSODL: ServiceUnknown - {c289e982-0072-45e1-b825-5d7c5db30366} - C:\WINDOWS\Resources\ServiceUnknown.dll (file missing)
O23 - Service: Commander Service - Seagull Scientific - C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 8830 bytes

#10 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:45 PM

Posted 20 May 2008 - 03:51 AM

Good Morning Norm,

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {49B29B09-A696-4014-97B6-6DEECCC42235} - (no file)
O2 - BHO: (no name) - {5EE9FC71-9D8A-477E-9061-BB2C8CFA3411} - (no file)
O2 - BHO: (no name) - {79E2E66C-3699-4B1F-B9CB-6A7A9AD1F509} - (no file)
O2 - BHO: (no name) - {A47C371C-16F3-4F03-A4D9-ACDBEF6231B2} - (no file)
O2 - BHO: (no name) - {E2DE0E61-9007-485C-93D7-B09EF3DF9B9C} - (no file)
O2 - BHO: (no name) - {FCCF6271-9172-4705-B661-8270CFF7598C} - (no file)


Not sure what these are. If you know and use them, keep them; if not, remove these three also:
O16 - DPF: {22D82B43-FF26-455A-A96D-A6C61F056ED7} (Gif89 xLite Class) - http://222.127.131.125/xplugxLiteTW.cab
O16 - DPF: {6F5A14F2-0599-4780-A954-73DB8BC536B5} (FESecureX Control) - https://66.161.45.240/FESecureX/FESecureX.cab
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://222.127.131.123/xplugLite.cab

O20 - Winlogon Notify: jkkIayYp - jkkIayYp.dll (file missing)

O21 - SSODL: RomCheck - {60375be5-c130-411b-a90b-dc8670446164} - C:\WINDOWS\Installer\{60375be5-c130-411b-a90b-dc8670446164}\RomCheck.dll (file missing)
O21 - SSODL: ServiceUnknown - {c289e982-0072-45e1-b825-5d7c5db30366} - C:\WINDOWS\Resources\ServiceUnknown.dll (file missing)





It looks like we got rid of Vundo, but there are markers in your log for the SDBot worm. For this next tool to be effective it has to be run from Safemode: download the tool, unplug your network cable and boot to Safemode to run it. Don't let Safemode intimidate you; sometimes it takes a few tries to get the timing right.

To Enter Safemode

  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days
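The entry types ken545 singles out above (O2 BHOs with "(no file)", O20/O21 hooks whose DLL is "(file missing)", and O16 DPF ActiveX controls fetched from a bare IP address) can be picked out of a HijackThis log mechanically, which is handy when you are reviewing several logs or want a second opinion before clicking Fix Checked. The script below is an added example for this thread; it is not part of HijackThis, SDFix or any BleepingComputer tool. The sample lines are copied from the log posted above (with one clean line per section for contrast); the `Finding` class, the `triage` function and the extra heuristic for the `Policies\Explorer\Run` autorun location are this example's own assumptions.

```python
"""Triage a HijackThis v2 log for leftover or suspicious entries.

Added example, not part of the thread or of HijackThis.  It flags exactly the
entry classes a helper reviews first: orphaned BHOs, Winlogon Notify / SSODL
hooks whose DLL is gone, ActiveX (DPF) controls downloaded from a bare IP,
and autoruns living under the less common Policies\Explorer\Run key.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted in this thread, plus
# one clean entry per section so the filter has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49B29B09-A696-4014-97B6-6DEECCC42235} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Policies\Explorer\Run: [asPsDgedYj] C:\Documents and Settings\All Users\Application Data\eryfgpcj\wxorihyh.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163797098810
O16 - DPF: {22D82B43-FF26-455A-A96D-A6C61F056ED7} (Gif89 xLite Class) - http://222.127.131.125/xplugxLiteTW.cab
O20 - Winlogon Notify: jkkIayYp - jkkIayYp.dll (file missing)
O21 - SSODL: RomCheck - {60375be5-c130-411b-a90b-dc8670446164} - C:\WINDOWS\Installer\{60375be5-c130-411b-a90b-dc8670446164}\RomCheck.dll (file missing)
"""

# HijackThis prefixes every entry with a section code: R0/R1, F0, O1 .. O24.
LINE_RE = re.compile(r"^([ROF]\d+) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    line: str      # the log line as written
    reason: str    # why a reviewer would look at it


def host_is_bare_ip(url: str) -> bool:
    """True when the download URL's host is a literal IPv4/IPv6 address."""
    host = urlparse(url).hostname
    if host is None:            # local paths such as C:\...\Yinsthelper.dll
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would review, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue            # headers, process list, blank lines
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, line,
                "BHO registration whose DLL no longer exists; leftover, safe to fix"))
        elif section in ("O20", "O21") and body.endswith("(file missing)"):
            findings.append(Finding(section, line,
                "Winlogon Notify / SSODL hook pointing at a missing DLL; leftover, safe to fix"))
        elif section == "O16":
            # The download URL (or local path) is the last " - " separated field.
            url = body.rsplit(" - ", 1)[-1]
            if host_is_bare_ip(url):
                findings.append(Finding(section, line,
                    "ActiveX control downloaded from a bare IP address; remove unless you know it"))
        elif section == "O4" and r"\Policies\Explorer\Run:" in body:
            # Assumption of this example: legitimate software rarely autoruns
            # from the Policies\Explorer\Run key, so it deserves a look.
            findings.append(Finding(section, line,
                "autorun under Policies\\Explorer\\Run, an uncommon location; verify the executable"))
    return findings


def count_by_section(findings: list[Finding]) -> dict[str, int]:
    """Small summary: how many flagged entries per HijackThis section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(count_by_section(triage(SAMPLE_LOG)))
```

Run it against a saved hijackthis.log by reading the file into `triage()`; everything it does not flag is simply not in the output, so a clean log produces nothing. The O16 check only looks at the host part of the URL, so a control served from a normal vendor hostname (the Windows Update control in the sample) passes, while the two `Gif89` controls from the log above are flagged for a human to decide on, which is exactly the question ken545 asks the poster.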


#11 sdpnorm
  • Topic Starter
  • Members
  • 7 posts
  • Local time:06:45 PM

Posted 20 May 2008 - 11:58 AM

wow - you were burning the midnight oil :-)..... here you go:

SDFix: Version 1.184
Run by Administrator on Tue 05/20/2008 at 09:33 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 09:43:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe:*:Enabled:QuickBooks Enterprise 7.0 Data Manager"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe:*:Enabled:QuickBooks Enterprise 7.0 Data Manager"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 12 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT2.tmp"
Tue 6 Mar 2007 31,744 ...H. --- "C:\Documents and Settings\norm\Application Data\Microsoft\Templates\~WRL1682.tmp"
Wed 6 Dec 2006 30,720 ...H. --- "C:\Documents and Settings\norm\Application Data\Microsoft\Templates\~WRL1871.tmp"
Fri 30 Mar 2007 19,968 ...H. --- "C:\Documents and Settings\norm\Application Data\Microsoft\Word\~WRL3342.tmp"
Thu 28 Oct 2004 30,208 A..H. --- "C:\Documents and Settings\norm\My Documents\Excel & Word\Leadership\~WRL1667.tmp"
Thu 24 Jan 2008 54,784 ...H. --- "C:\Documents and Settings\norm\Desktop\GM\Process Documentation\CST\~WRL0001.tmp"
Sun 11 Apr 2004 505,856 A..H. --- "C:\Documents and Settings\norm\Desktop\home stuff\Excel and Word\Home\Camping\~WRL1049.tmp"
Sun 11 Apr 2004 41,984 A..H. --- "C:\Documents and Settings\norm\Desktop\home stuff\Excel and Word\Home\Camping\~WRL1933.tmp"
Sun 11 Apr 2004 492,544 A..H. --- "C:\Documents and Settings\norm\Desktop\home stuff\Excel and Word\Home\Camping\~WRL2730.tmp"
Sun 11 Apr 2004 492,544 A..H. --- "C:\Documents and Settings\norm\Desktop\home stuff\Excel and Word\Home\Camping\~WRL3544.tmp"
Wed 25 Feb 2004 48,640 A..H. --- "C:\Documents and Settings\norm\My Documents\Excel & Word\Data Media\Sales and Marketing\Website\Zaw\~WRL0174.tmp"
Tue 18 May 2004 87,552 A..H. --- "C:\Documents and Settings\norm\My Documents\Excel & Word\Data Media\Sales and Marketing\Website\Zaw\~WRL0281.tmp"
Thu 3 Jun 2004 91,648 A..H. --- "C:\Documents and Settings\norm\My Documents\Excel & Word\Data Media\Sales and Marketing\Website\Zaw\~WRL0512.tmp"
Thu 3 Jun 2004 94,208 A..H. --- "C:\Documents and Settings\norm\My Documents\Excel & Word\Data Media\Sales and Marketing\Website\Zaw\~WRL0792.tmp"
Wed 25 Feb 2004 51,712 A..H. --- "C:\Documents and Settings\norm\My Documents\Excel & Word\Data Media\Sales and Marketing\Website\Zaw\~WRL2942.tmp"

Finished!

----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:59 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\program files\dell\traytool.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextag.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A47C371C-16F3-4F03-A4D9-ACDBEF6231B2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163797098810
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163797471420
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\Software\..\Telephony: DomainName = TKHImaging.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TKHImaging.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TKHImaging.com
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Commander Service - Seagull Scientific - C:\Program Files\Seagull\BarTender\8.0\CmdrSrv.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 7417 bytes

#12 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:45 PM

Posted 20 May 2008 - 12:17 PM

Hello Norm,

I just check in now and then, never know who and how many posters are going to post back, sometimes none and sometimes too many to count :thumbsup:

You can remove this entry with HJT.
O2 - BHO: (no name) - {A47C371C-16F3-4F03-A4D9-ACDBEF6231B2} - (no file)



You need to keep your Java up to date, the older versions had some holes to let the bad stuff in.
  • Your Java is out of date and leaving your system vulnerable.
  • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
  • It should have an icon next to it. Select it and click Remove.
  • Reboot your system.
  • Then go to Sun Microsystems and install the update
  • Java Runtime Environment (JRE) 6 Update 6 <-- This is what you need to download and install.
  • If you chose the online installation, it will prompt you to run the program.
  • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
  • Then after install you can verify your installation here: Sun Java Verify
I like to do the offline installation and save the setup file in case I may need it in the future.



The rest of your log looks fine, how are things running now?

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days
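An added example, not code from this thread or from HijackThis: a small Python checker that applies the two points in the reply above to lines in HijackThis format, flagging O2 BHO entries whose file is gone ("(no file)") and Java versions older than the JRE 6 Update 6 recommended above. The sample lines are constructed from the log posted earlier; the function names are my own.

```python
import re

# Constructed sample in HijackThis format, copied from the O2/O4 lines of the log above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A47C371C-16F3-4F03-A4D9-ACDBEF6231B2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
"""

# "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# Sun JRE install folders are named jre1.<major>.0_<update>, e.g. jre1.6.0_02
JRE_RE = re.compile(r"jre1\.(?P<major>\d+)\.0_(?P<update>\d+)", re.IGNORECASE)

# JRE 6 Update 6, the version the reply recommends installing
RECOMMENDED_JRE = (6, 6)


def parse_bho_lines(log_text):
    """Return a list of dicts (name, clsid, path) for every O2 BHO line in the log."""
    bhos = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append(m.groupdict())
    return bhos


def orphaned_bhos(bhos):
    """CLSIDs of BHOs still registered but whose DLL is missing: dead entries safe to remove."""
    return [b["clsid"] for b in bhos if b["path"].strip() == "(no file)"]


def outdated_jre(bhos, recommended=RECOMMENDED_JRE):
    """(major, update) tuples of Java installs referenced by BHOs that are older than `recommended`."""
    found = []
    for b in bhos:
        m = JRE_RE.search(b["path"])
        if m:
            version = (int(m.group("major")), int(m.group("update")))
            if version < recommended:
                found.append(version)
    return found


if __name__ == "__main__":
    entries = parse_bho_lines(SAMPLE_LOG)
    print("orphaned BHOs:", orphaned_bhos(entries))   # the (no file) entry from the log
    print("outdated JRE:", outdated_jre(entries))     # [(6, 2)]: jre1.6.0_02 is older than 6u6
```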


#13 sdpnorm

sdpnorm
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 20 May 2008 - 01:16 PM

Hi Ken: thank you very much!!!!!! So far so good.... I will do these last tasks. Wow - what a pain in the a!!!!!

What's the best way to protect myself from this in the future?

#14 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:45 PM

Posted 20 May 2008 - 04:34 PM

Glad all is well, here is some reading for you written by the fine folks who have written all the programs we have used. Now plug that network cable back in and get back to work :thumbsup:

Safe Surfn
Ken



#15 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:45 PM

Posted 31 May 2008 - 10:10 PM

Since this issue appears to be resolved this thread will now be closed. Thank you for using Bleeping Computer.
