Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde!


  • This topic is locked This topic is locked
11 replies to this topic

#1 jmkwyo

jmkwyo

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 30 May 2008 - 04:47 PM

Virtumonde has attached itself everywhere it seems. It is hampering my ability to get into anything that has security; gmail, paypal... It has also hampered my ability to open up programs and has flooded the RAM, here are the .txt files

main:
Deckard's System Scanner v20071014.68
Run by Dan Gokey on 2008-05-30 16:32:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 1 Restore Point(s) --
1: 2008-05-30 05:33:42 UTC - RP11 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Dan Gokey.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:18 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Dan Gokey\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dan Gokey.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {01D67530-B3C8-439E-B890-C04C63E2FAA7} - C:\WINDOWS\system32\nnnkLcBS.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A0F8948-0586-4913-9C81-42FC3A86F739} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A891EAA0-7FCC-4D54-A857-E57D0C5AFD5A} - (no file)
O2 - BHO: (no name) - {AFE3582B-1F56-4DA2-B353-A0477779FC0D} - (no file)
O2 - BHO: (no name) - {BE0FF150-C7FC-4E37-8F92-4E9AF1389238} - C:\WINDOWS\system32\ljJBsTmN.dll
O2 - BHO: (no name) - {F1574DBA-828D-49C0-A7D8-524AE7129ED4} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [3cc62129] rundll32.exe "C:\WINDOWS\system32\bkvsjqyl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Go - http://download2.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/P...rs.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A5180646-FE0F-4C97-AA29-2A0F41515623} - http://zone.msn.com/bingame/zpagames/ZPA_JGS2.cab61895.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/A...ersion=1,0,0,10
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attitudepositive.webex.com/client/T...bex/ieatgpc.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O20 - Winlogon Notify: ljJBsTmN - C:\WINDOWS\SYSTEM32\ljJBsTmN.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11296 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080528-114554-335 O2 - BHO: (no name) - {0CF5CA7E-6D52-4D1E-86D8-B5227F96AF22} - (no file)
backup-20080528-120424-823 O2 - BHO: (no name) - {1349A749-9FAE-450A-9121-AB571DDD20EF} - (no file)
backup-20080528-120425-139 O2 - BHO: (no name) - {5BF6E0E0-E5E8-4444-899D-74F9CB74B3F4} - (no file)
backup-20080528-120425-397 O2 - BHO: (no name) - {744ED899-9428-4EDB-9658-E5E3272D7D39} - (no file)
backup-20080528-120425-832 O2 - BHO: (no name) - {27EA5D36-BA1A-45D8-847D-644C0C7276D9} - (no file)
backup-20080528-120426-124 O2 - BHO: (no name) - {A92D9D88-B39F-4204-9D47-51707E0B2EB2} - (no file)
backup-20080528-120426-370 O2 - BHO: (no name) - {A40E507D-8BAD-4104-997D-FE62038D545B} - (no file)
backup-20080528-120427-230 O2 - BHO: (no name) - {E1D0C321-2D76-4C57-8C1D-55260B0ADFD6} - (no file)
backup-20080528-120427-315 O2 - BHO: (no name) - {B0F5FDA3-4C0A-47E1-9D18-3062F77196B6} - (no file)
backup-20080528-120427-442 O2 - BHO: (no name) - {F0EAA909-F919-44C8-B51F-1C0614F17CD3} - (no file)
backup-20080528-120427-493 O2 - BHO: (no name) - {D3D28370-D73B-4486-A2CB-B8FF73382168} - (no file)
backup-20080528-120427-554 O3 - Toolbar: (no name) - {6E90A503-DDFD-4CC5-9628-0391A05E7212} - (no file)
backup-20080528-120427-680 O2 - BHO: (no name) - {D77F08C7-C1F9-4682-98B6-86E3DC2D5D86} - (no file)
backup-20080528-120428-630 O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
backup-20080528-120428-967 O20 - Winlogon Notify: ljJBsTmN - C:\WINDOWS\SYSTEM32\ljJBsTmN.dll
backup-20080528-121549-260 O2 - BHO: (no name) - {042C1612-0655-457D-A5C2-9ACD2C177B0F} - (no file)
backup-20080528-121549-346 O2 - BHO: 673351 helper - {570EE2A3-039B-4E5F-AE6A-D7949F9D356B} - (no file)
backup-20080528-121549-951 O2 - BHO: (no name) - {BE0FF150-C7FC-4E37-8F92-4E9AF1389238} - C:\WINDOWS\system32\ljJBsTmN.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 SMBios (Intel ® System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>

S3 LCILD (LCI USB Line Display Device driver) - c:\windows\system32\drivers\lcild.sys <Not Verified; Logic Controls, Inc.; Logic Controls, Inc. Line Display>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
R2 AntiVirScheduler (Avira AntiVir Personal Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 PhotoshopElementsDeviceConnect (Photoshop Elements Device Connect) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsdeviceconnect.exe

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 10:26:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-30 and 2008-05-30 -----------------------------

2008-05-30 14:10:23 95744 --a------ C:\WINDOWS\system32\bkvsjqyl.dll
2008-05-30 14:09:37 587146 --ahs---- C:\WINDOWS\system32\SBcLknnn.ini2
2008-05-30 14:09:34 324864 --a------ C:\WINDOWS\system32\nnnkLcBS.dll
2008-05-30 12:18:41 0 dr-h----- C:\Documents and Settings\Dan Gokey\Recent
2008-05-29 20:20:21 95232 -----n--- C:\WINDOWS\system32\danyflxo.dll
2008-05-29 19:35:12 573349 --ahs---- C:\WINDOWS\system32\uCKkSvut.ini2
2008-05-29 15:16:56 573349 --ahs---- C:\WINDOWS\system32\gMnnmnnn.ini2
2008-05-28 12:04:37 95744 --a------ C:\WINDOWS\system32\sejrdnrx.dll
2008-05-27 18:45:30 13 --a------ C:\WINDOWS\system32\3cc633a7
2008-05-27 15:15:39 0 d-------- C:\Program Files\Avira
2008-05-27 15:15:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-27 12:03:40 96256 --a------ C:\WINDOWS\system32\nqoccjfs.dll
2008-05-26 12:04:05 90112 --a------ C:\WINDOWS\system32\akfxxbef.dll
2008-05-24 12:00:39 585363 --ahs---- C:\WINDOWS\system32\kSruDcdd.ini2
2008-05-23 16:56:33 0 --ahs---- C:\WINDOWS\system32\DfLVCcdd.ini2
2008-05-23 13:13:33 0 d-------- C:\Program Files\Trend Micro
2008-05-23 12:31:10 90112 --a------ C:\WINDOWS\system32\rdvbmbgr.dll
2008-05-23 11:19:07 0 --ahs---- C:\WINDOWS\system32\wvvGOqss.ini2
2008-05-22 19:04:39 0 d-------- C:\Program Files\Enigma Software Group
2008-05-22 18:42:06 0 d-------- C:\VundoFix Backups
2008-05-22 18:20:09 781915 --ahs---- C:\WINDOWS\system32\oWwHOXbc.ini2
2008-05-22 16:30:46 782374 --ahs---- C:\WINDOWS\system32\NWyJlUtv.ini2
2008-05-21 21:06:36 0 --ahs---- C:\WINDOWS\system32\yxHQAcfe.ini2
2008-05-21 17:04:52 0 d-------- C:\Documents and Settings\Dan Gokey\Application Data\MSNInstaller
2008-05-21 13:54:50 0 d-------- C:\Program Files\Lavasoft
2008-05-21 13:53:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 13:13:24 23747 --ahs---- C:\WINDOWS\system32\gMlUCcdd.ini2
2008-05-21 12:02:08 89088 --a------ C:\WINDOWS\system32\xjgsqtqf.dll
2008-05-21 11:29:07 688073 --ahs---- C:\WINDOWS\system32\ENqrrqru.ini2
2008-05-20 21:43:42 779670 --ahs---- C:\WINDOWS\system32\WaIQqtwa.ini2
2008-05-20 21:20:34 0 d-------- C:\WINDOWS\BDOSCAN8
2008-05-20 20:12:05 777313 --ahs---- C:\WINDOWS\system32\YIknonpo.ini2
2008-05-20 16:48:06 0 d-------- C:\Program Files\Panda Security
2008-05-20 16:48:04 1859 --a------ C:\WINDOWS\mozver.dat
2008-05-20 16:30:15 0 d-------- C:\Program Files\ToniArts
2008-05-20 14:26:05 0 d-------- C:\WINDOWS\resources
2008-05-20 14:10:24 2074 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-20 13:02:32 10925 --ahs---- C:\WINDOWS\system32\AKStwyay.ini2
2008-05-20 11:53:39 905282 --ahs---- C:\WINDOWS\system32\PYJSDJjl.ini2
2008-05-19 23:17:16 0 d-------- C:\WINDOWS\system32\673351
2008-05-19 19:21:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-19 19:04:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-19 17:22:16 35731 --ahs---- C:\WINDOWS\system32\qBLmnUtv.ini2
2008-05-19 17:17:01 29824 --a------ C:\WINDOWS\system32\ljJBsTmN.dll
2008-05-19 17:15:13 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-19 17:15:00 196608 --a------ C:\WINDOWS\gnowmebk.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-30 14:04:22 8405015 --a------ C:\WINDOWS\TempFile
2008-05-29 20:55:24 0 d-------- C:\Program Files\Attitude POSitive
2008-05-21 13:53:56 0 d-------- C:\Program Files\Common Files
2008-05-20 16:30:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-19 13:29:53 0 d-------- C:\Program Files\HP
2008-05-19 13:29:43 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-12 11:09:25 0 d-------- C:\Documents and Settings\Dan Gokey\Application Data\AdobeUM
2008-05-09 17:44:14 0 d-------- C:\Documents and Settings\Dan Gokey\Application Data\U3
2008-04-10 12:31:16 0 d-------- C:\Program Files\iTunes
2008-04-10 12:31:02 0 d-------- C:\Program Files\iPod
2008-04-10 12:28:03 0 d-------- C:\Program Files\QuickTime
2008-04-10 12:25:08 0 d-------- C:\Program Files\Apple Software Update
2008-03-03 18:42:53 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01D67530-B3C8-439E-B890-C04C63E2FAA7}]
05/30/2008 02:09 PM 324864 --a------ C:\WINDOWS\system32\nnnkLcBS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A0F8948-0586-4913-9C81-42FC3A86F739}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A891EAA0-7FCC-4D54-A857-E57D0C5AFD5A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFE3582B-1F56-4DA2-B353-A0477779FC0D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE0FF150-C7FC-4E37-8F92-4E9AF1389238}]
05/19/2008 05:17 PM 29824 --a------ C:\WINDOWS\system32\ljJBsTmN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1574DBA-828D-49C0-A7D8-524AE7129ED4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [07/30/2002 12:35 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [12/09/2003 02:02 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"3cc62129"="C:\WINDOWS\system32\bkvsjqyl.dll" [05/30/2008 02:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Yahoo! Pager"="1" []
"@"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [8/18/2005 12:10:41 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 8:28:24 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [11/4/2004 8:50:52 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BE0FF150-C7FC-4E37-8F92-4E9AF1389238}"= C:\WINDOWS\system32\ljJBsTmN.dll [05/19/2008 05:17 PM 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJBsTmN]
ljJBsTmN.dll 05/19/2008 05:17 PM 29824 C:\WINDOWS\system32\ljJBsTmN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnkLcBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]
none

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"<NO NAME>"=




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8520 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-30 16:36:35 ------------

extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.66GHz
Percentage of Memory in Use: 81%
Physical Memory (total/avail): 502.73 MiB / 93.47 MiB
Pagefile Memory (total/avail): 1228.03 MiB / 687.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.96 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 26.3 GiB free.
D: is CDROM (No Media)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD400BB-22JHC0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Avira AntiVir PersonalEdition v8.0.1.15 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"="c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe"="C:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe:*:Disabled:Bejeweled2"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dan Gokey\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SERVER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dan Gokey
LOGONSERVER=\\SERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DANGOK~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DANGOK~1\LOCALS~1\Temp
USERDOMAIN=SERVER
USERNAME=Dan Gokey
USERPROFILE=C:\Documents and Settings\Dan Gokey
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dan Gokey (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> MsiExec.exe /I{5B782FFA-6A95-480D-8E0A-0954A14693D6}
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AccuPOS Adaptor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5A512E6-97F0-4CA5-8472-2399252BFF2D}\setup.exe" -l0x9 -removeonly
AccuPOS Retail --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25C8800C-6CBF-405C-8459-6B4FA63FF5A9}\setup.exe" -l0x9 -removeonly
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Photoshop Elements 3.0 --> MsiExec.exe /I{851C67EF-068A-4060-9EF5-2E3DDCD68382}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AT&T Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
Avira AntiVir Personal Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
CA eTrust PestPatrol --> "C:\Program Files\CA\eTrust PestPatrol\ppv5instutil.exe" /shutdownapps /uninstall
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Extended Capabilities 4.7 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP PSC & Officejet 4.7 Corporate Edition --> "C:\Program Files\HP\Digital Imaging\{8EA67542-82B6-4c5c-8AD3-CD36232C1362}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LiveUpdate 1.7 (Symantec Corporation) --> C:\Program Files\\Symantec\LiveUpdate\LSETUP.EXE /U
Logic Controls OPOS Ver1.71(04-13-2004) --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\LC OPOS Setup\ST6UNST.LOG"
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NiceLabel Express 4 --> "C:\Program Files\EuroPlus\Express 4\unins000.exe"
PaperPort --> MsiExec.exe /I{88D577B1-3E9D-4281-BD99-9107669CE4ED}
QuickBooks Pro 2005 --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2005" ADDREMOVE=1
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
SBC Yahoo! Applications --> C:\PROGRA~1\Yahoo!\common\uninstall.exe
SBC Yahoo! DSL Activation --> C:\PROGRA~1\Yahoo!\common\undsldlk.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
Visioneer OneTouch 9320 --> C:\PROGRA~1\VISION~1\UNWISE.EXE C:\PROGRA~1\VISION~1\INSTALL.LOG
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
XMLinst --> MsiExec.exe /I{EA23971F-2CEE-48FC-B64D-7F74A6EF90F0}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2682 / Warning
Event Submitted/Written: 05/30/2008 04:08:00 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\System Volume Information\_restore{EB52BCF7-FE81-47B0-B013-75AAD449AE4D}\RP11\A0014604.dll

Event Record #/Type2676 / Success
Event Submitted/Written: 05/30/2008 02:04:21 PM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2670 / Success
Event Submitted/Written: 05/29/2008 07:29:59 PM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2669 / Error
Event Submitted/Written: 05/29/2008 07:25:47 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application QBW32.EXE, version 15.0.4004.469, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2668 / Warning
Event Submitted/Written: 05/29/2008 05:24:07 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\System Volume Information\_restore{EB52BCF7-FE81-47B0-B013-75AAD449AE4D}\RP10\A0011510.dll



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type124323 / Warning
Event Submitted/Written: 05/30/2008 02:04:54 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\POS on the network \Device\NetBT_Tcpip_{F96DCBF8-4F2B-45D0-B60E-45D82EDA11B8}.
The data is the error code.

Event Record #/Type124302 / Error
Event Submitted/Written: 05/30/2008 02:02:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type124301 / Error
Event Submitted/Written: 05/30/2008 00:19:20 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
avgio
avipbb
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
ssmdrv
Tcpip

Event Record #/Type124300 / Error
Event Submitted/Written: 05/30/2008 00:19:20 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type124299 / Error
Event Submitted/Written: 05/30/2008 00:19:20 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-05-30 16:36:35 ------------

Thank you!!!
-jason

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:51 PM

Posted 30 May 2008 - 06:27 PM

Hello jmkwyo,

Welcome to Bleeping Computer :thumbsup:

First you should know that you're actually doing more harm than good by running 2 Anti Virus programs. (Norton and Avira) When you do this both programs compete for resources, and the end result is neither does it's best and can cause system instability. I recommend that you choose the one you want to keep, update it, disable or uninstall the other one, and use it as an on demand only scan occasionally.


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 jmkwyo

jmkwyo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 30 May 2008 - 07:46 PM

Thanks...

all of a sudden internet explorer reappeared on my desktop after I ran combofix. I noticed that I do not have a recovery console probably should install that... Anyways here is the combofix log with the hjthis log to follow:

ComboFix 08-05-29.1 - Dan Gokey 2008-05-30 19:24:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.91 [GMT -5:00]
Running from: C:\Documents and Settings\Dan Gokey\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\gnowmebk.dll
C:\WINDOWS\system32\673351
C:\WINDOWS\system32\akfxxbef.dll
C:\WINDOWS\system32\AKStwyay.ini
C:\WINDOWS\system32\AKStwyay.ini2
C:\WINDOWS\system32\bkvsjqyl.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\chyfltgn.ini
C:\WINDOWS\system32\ctewfywk.ini
C:\WINDOWS\system32\DfLVCcdd.ini
C:\WINDOWS\system32\DfLVCcdd.ini2
C:\WINDOWS\system32\dvvndfsr.ini
C:\WINDOWS\system32\ENqrrqru.ini
C:\WINDOWS\system32\ENqrrqru.ini2
C:\WINDOWS\system32\febxxfka.ini
C:\WINDOWS\system32\fqtqsgjx.ini
C:\WINDOWS\system32\gMlUCcdd.ini
C:\WINDOWS\system32\gMlUCcdd.ini2
C:\WINDOWS\system32\gMnnmnnn.ini
C:\WINDOWS\system32\gMnnmnnn.ini2
C:\WINDOWS\system32\jjxceywo.ini
C:\WINDOWS\system32\kSruDcdd.ini
C:\WINDOWS\system32\kSruDcdd.ini2
C:\WINDOWS\system32\kvvsgeqr.ini
C:\WINDOWS\system32\lyqjsvkb.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mivcctgs.ini
C:\WINDOWS\system32\nqoccjfs.dll
C:\WINDOWS\system32\NWyJlUtv.ini
C:\WINDOWS\system32\NWyJlUtv.ini2
C:\WINDOWS\system32\oeshuymn.ini
C:\WINDOWS\system32\oWwHOXbc.ini
C:\WINDOWS\system32\oWwHOXbc.ini2
C:\WINDOWS\system32\oxlfynad.ini
C:\WINDOWS\system32\PYJSDJjl.ini
C:\WINDOWS\system32\PYJSDJjl.ini2
C:\WINDOWS\system32\qBLmnUtv.ini
C:\WINDOWS\system32\qBLmnUtv.ini2
C:\WINDOWS\system32\rdvbmbgr.dll
C:\WINDOWS\system32\rgbmbvdr.ini
C:\WINDOWS\system32\SBcLknnn.ini
C:\WINDOWS\system32\SBcLknnn.ini2
C:\WINDOWS\system32\sejrdnrx.dll
C:\WINDOWS\system32\sfjccoqn.ini
C:\WINDOWS\system32\swdwpugp.ini
C:\WINDOWS\system32\uCKkSvut.ini
C:\WINDOWS\system32\uCKkSvut.ini2
C:\WINDOWS\system32\ulcnjeum.ini
C:\WINDOWS\system32\vptwnidg.ini
C:\WINDOWS\system32\WaIQqtwa.ini
C:\WINDOWS\system32\WaIQqtwa.ini2
C:\WINDOWS\system32\wvvGOqss.ini
C:\WINDOWS\system32\wvvGOqss.ini2
C:\WINDOWS\system32\xjgsqtqf.dll
C:\WINDOWS\system32\xkfdradq.ini
C:\WINDOWS\system32\xnqaptnr.ini
C:\WINDOWS\system32\xrndrjes.ini
C:\WINDOWS\system32\YIknonpo.ini
C:\WINDOWS\system32\YIknonpo.ini2
C:\WINDOWS\system32\yxHQAcfe.ini
C:\WINDOWS\system32\yxHQAcfe.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 19:34 . 2008-05-30 19:34 324,864 --a------ C:\WINDOWS\system32\xxyvsPij.dll
2008-05-30 19:34 . 2008-05-30 19:34 344 --ahs---- C:\WINDOWS\system32\jiPsvyxx.ini2
2008-05-30 19:34 . 2008-05-30 19:38 344 --ahs---- C:\WINDOWS\system32\jiPsvyxx.ini
2008-05-30 16:32 . 2008-05-30 16:32 <DIR> d-------- C:\Deckard
2008-05-30 14:09 . 2008-05-30 14:09 324,864 --a------ C:\WINDOWS\system32\nnnkLcBS.dll
2008-05-27 18:45 . 2008-05-27 18:45 13 --a------ C:\WINDOWS\system32\3cc633a7
2008-05-27 15:15 . 2008-05-30 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-23 13:13 . 2008-05-23 13:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 19:04 . 2008-05-23 12:33 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-22 18:42 . 2008-05-22 18:42 <DIR> d-------- C:\VundoFix Backups
2008-05-21 17:04 . 2008-05-21 17:04 <DIR> d-------- C:\Documents and Settings\Dan Gokey\Application Data\MSNInstaller
2008-05-21 13:54 . 2008-05-21 13:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-21 13:53 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 21:20 . 2008-05-21 11:15 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-20 16:48 . 2008-05-28 11:11 <DIR> d-------- C:\Program Files\Panda Security
2008-05-20 16:48 . 2008-05-20 16:48 1,859 --a------ C:\WINDOWS\mozver.dat
2008-05-20 16:30 . 2008-05-20 16:30 <DIR> d-------- C:\Program Files\ToniArts
2008-05-20 14:26 . 2008-05-20 14:26 <DIR> d-------- C:\WINDOWS\resources
2008-05-20 14:10 . 2008-05-20 14:10 2,074 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-20 05:19 . 2008-05-19 17:15 160,256 --a------ C:\WINDOWS\system32\3FF.tmp
2008-05-19 20:02 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-19 19:21 . 2008-05-21 20:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-19 19:21 . 2008-05-22 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-19 19:04 . 2008-05-21 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-19 17:17 . 2008-05-19 17:17 29,824 --a------ C:\WINDOWS\system32\ljJBsTmN.dll
2008-05-19 17:15 . 2008-05-20 05:19 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-17 03:01 . 2008-05-17 03:01 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-10 12:31 . 2008-04-10 12:31 <DIR> d-------- C:\Program Files\iPod
2008-04-10 12:30 . 2008-04-10 12:31 <DIR> d-------- C:\Program Files\iTunes
2008-04-10 12:23 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 00:12 --------- d-----w C:\Program Files\Attitude POSitive
2008-05-20 21:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 18:29 --------- d-----w C:\Program Files\HP
2008-05-19 18:29 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-12 16:09 --------- d-----w C:\Documents and Settings\Dan Gokey\Application Data\AdobeUM
2008-05-09 22:44 --------- d-----w C:\Documents and Settings\Dan Gokey\Application Data\U3
2008-04-10 17:28 --------- d-----w C:\Program Files\QuickTime
2008-04-10 17:25 --------- d-----w C:\Program Files\Apple Software Update
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-10 16:26 2,572 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-07-26 20:06 71,816 -c--a-w C:\Documents and Settings\Dan Gokey\Application Data\GDIPFONTCACHEV1.DAT
2003-07-28 11:16 36,864 -c--a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2003-07-28 11:16 172,032 -c--a-w C:\WINDOWS\inf\i386\viceo.dll
2003-07-28 11:01 36,207 -c--a-w C:\WINDOWS\inf\i386\9320FW.bin
2003-07-28 11:01 274,432 -c--a-w C:\WINDOWS\inf\i386\9320LLD.dll
2003-07-28 11:01 155,648 -c--a-w C:\WINDOWS\inf\i386\rtscan.dll
2001-08-03 23:29 13,824 -c--a-w C:\WINDOWS\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25EF2BB9-F20E-480C-97FD-2142C53B4F97}]
2008-05-30 14:09 324864 --a------ C:\WINDOWS\system32\nnnkLcBS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53D63A0C-AD22-4E9F-ABE4-D1835D843D3F}]
2008-05-30 19:34 324864 --a------ C:\WINDOWS\system32\xxyvsPij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE0FF150-C7FC-4E37-8F92-4E9AF1389238}]
2008-05-19 17:17 29824 --a------ C:\WINDOWS\system32\ljJBsTmN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="1" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 12:35 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"3cc62129"="C:\WINDOWS\system32\juxnftsh.dll" [2008-05-30 19:38 95744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-08-18 12:10:41 217088]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BE0FF150-C7FC-4E37-8F92-4E9AF1389238}"= C:\WINDOWS\system32\ljJBsTmN.dll [2008-05-19 17:17 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJBsTmN]
ljJBsTmN.dll 2008-05-19 17:17 29824 C:\WINDOWS\system32\ljJBsTmN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\xxyvsPij

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a--c--- 2004-09-23 08:44 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a--c--- 2004-09-24 05:06 2559488 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2004-06-05 22:41 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-06-05 22:45 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a--c--- 2004-03-12 21:17 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2003-12-10 04:52 380928 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a--c--- 2004-01-20 11:30 110592 C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a--c--- 2004-03-12 21:09 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2004-09-23 06:27 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra--c--- 2003-10-14 10:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a--c--- 2003-12-09 14:02 57344 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
S3 LCILD;LCI USB Line Display Device driver;C:\WINDOWS\system32\DRIVERS\LCILD.sys [2004-11-05 22:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 15:26:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 19:34:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ljJBsTmN.dll
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\juxnftsh.dll
-> C:\WINDOWS\system32\xxyvsPij.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-30 19:41:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 00:41:06

Pre-Run: 28,133,658,624 bytes free
Post-Run: 28,094,087,168 bytes free

277 --- E O F --- 2008-05-17 08:02:01


hijack this log:::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:24 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Go - http://download2.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/P...rs.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A5180646-FE0F-4C97-AA29-2A0F41515623} - http://zone.msn.com/bingame/zpagames/ZPA_JGS2.cab61895.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/A...ersion=1,0,0,10
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attitudepositive.webex.com/client/T...bex/ieatgpc.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9679 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:51 PM

Posted 30 May 2008 - 09:40 PM

Hello,

You're welcome. :thumbsup:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\xxyvsPij.dll
C:\WINDOWS\system32\jiPsvyxx.ini2
C:\WINDOWS\system32\jiPsvyxx.ini
C:\WINDOWS\system32\nnnkLcBS.dll
C:\WINDOWS\system32\3FF.tmp
C:\WINDOWS\system32\ljJBsTmN.dll
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\juxnftsh.dll
C:\WINDOWS\system32\3cc633a7

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25EF2BB9-F20E-480C-97FD-2142C53B4F97}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53D63A0C-AD22-4E9F-ABE4-D1835D843D3F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE0FF150-C7FC-4E37-8F92-4E9AF1389238}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJBsTmN]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 jmkwyo

jmkwyo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 31 May 2008 - 04:56 PM

Hello again my computer friend, once again thanks for the help
After I ran combo fix and it restarted it booted up and gave me the error of c:/windows/system32/juxnfish.dll (might be misspelled)... I still can't use firefox properly says the ssl protocol has been disabled...


Ok I ran combo fix again per your directions... here is the log it spat out... below it will be the hjt log! Thanks talk to you soon hopefully! :thumbsup:

ComboFix 08-05-29.1 - Dan Gokey 2008-05-31 16:32:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.92 [GMT -5:00]
Running from: C:\Documents and Settings\Dan Gokey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan Gokey\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\3cc633a7
C:\WINDOWS\system32\3FF.tmp
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\jiPsvyxx.ini
C:\WINDOWS\system32\jiPsvyxx.ini2
C:\WINDOWS\system32\juxnftsh.dll
C:\WINDOWS\system32\ljJBsTmN.dll
C:\WINDOWS\system32\nnnkLcBS.dll
C:\WINDOWS\system32\xxyvsPij.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\3cc633a7
C:\WINDOWS\system32\3FF.tmp
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\hstfnxuj.ini
C:\WINDOWS\system32\jiPsvyxx.ini
C:\WINDOWS\system32\jiPsvyxx.ini2
C:\WINDOWS\system32\juxnftsh.dll
C:\WINDOWS\system32\ljJBsTmN.dll
C:\WINDOWS\system32\nnnkLcBS.dll
C:\WINDOWS\system32\xxyvsPij.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 16:32 . 2008-05-30 16:32 <DIR> d-------- C:\Deckard
2008-05-27 15:15 . 2008-05-30 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-23 13:13 . 2008-05-23 13:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 19:04 . 2008-05-23 12:33 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-22 18:42 . 2008-05-22 18:42 <DIR> d-------- C:\VundoFix Backups
2008-05-21 17:04 . 2008-05-21 17:04 <DIR> d-------- C:\Documents and Settings\Dan Gokey\Application Data\MSNInstaller
2008-05-21 13:54 . 2008-05-21 13:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-21 13:53 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 21:20 . 2008-05-21 11:15 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-20 16:48 . 2008-05-28 11:11 <DIR> d-------- C:\Program Files\Panda Security
2008-05-20 16:48 . 2008-05-20 16:48 1,859 --a------ C:\WINDOWS\mozver.dat
2008-05-20 16:30 . 2008-05-20 16:30 <DIR> d-------- C:\Program Files\ToniArts
2008-05-20 14:26 . 2008-05-20 14:26 <DIR> d-------- C:\WINDOWS\resources
2008-05-20 14:10 . 2008-05-20 14:10 2,074 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-19 20:02 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-19 19:21 . 2008-05-21 20:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-19 19:21 . 2008-05-22 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-19 19:04 . 2008-05-21 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 03:01 . 2008-05-17 03:01 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-10 12:31 . 2008-04-10 12:31 <DIR> d-------- C:\Program Files\iPod
2008-04-10 12:30 . 2008-04-10 12:31 <DIR> d-------- C:\Program Files\iTunes
2008-04-10 12:23 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 21:38 --------- d-----w C:\Program Files\Attitude POSitive
2008-05-20 21:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 18:29 --------- d-----w C:\Program Files\HP
2008-05-19 18:29 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-12 16:09 --------- d-----w C:\Documents and Settings\Dan Gokey\Application Data\AdobeUM
2008-05-09 22:44 --------- d-----w C:\Documents and Settings\Dan Gokey\Application Data\U3
2008-04-10 17:28 --------- d-----w C:\Program Files\QuickTime
2008-04-10 17:25 --------- d-----w C:\Program Files\Apple Software Update
2007-07-26 20:06 71,816 -c--a-w C:\Documents and Settings\Dan Gokey\Application Data\GDIPFONTCACHEV1.DAT
2003-07-28 11:16 36,864 -c--a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2003-07-28 11:16 172,032 -c--a-w C:\WINDOWS\inf\i386\viceo.dll
2003-07-28 11:01 36,207 -c--a-w C:\WINDOWS\inf\i386\9320FW.bin
2003-07-28 11:01 274,432 -c--a-w C:\WINDOWS\inf\i386\9320LLD.dll
2003-07-28 11:01 155,648 -c--a-w C:\WINDOWS\inf\i386\rtscan.dll
2001-08-03 23:29 13,824 -c--a-w C:\WINDOWS\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_19.40.01.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-31 00:33:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-31 21:40:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="1" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 12:35 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"3cc62129"="C:\WINDOWS\system32\juxnftsh.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-08-18 12:10:41 217088]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a--c--- 2004-09-23 08:44 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a--c--- 2004-09-24 05:06 2559488 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2004-06-05 22:41 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-06-05 22:45 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a--c--- 2004-03-12 21:17 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2003-12-10 04:52 380928 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a--c--- 2004-01-20 11:30 110592 C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a--c--- 2004-03-12 21:09 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2004-09-23 06:27 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra--c--- 2003-10-14 10:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a--c--- 2003-12-09 14:02 57344 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
S3 LCILD;LCI USB Line Display Device driver;C:\WINDOWS\system32\DRIVERS\LCILD.sys [2004-11-05 22:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 15:26:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 16:41:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2008-05-31 16:49:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 21:48:47
ComboFix2.txt 2008-05-31 00:41:32

Pre-Run: 28,110,880,768 bytes free
Post-Run: 28,089,606,144 bytes free

210 --- E O F --- 2008-05-17 08:02:01


HJT Log!!!! :::::::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:42 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [3cc62129] rundll32.exe "C:\WINDOWS\system32\juxnftsh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Go - http://download2.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/P...rs.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A5180646-FE0F-4C97-AA29-2A0F41515623} - http://zone.msn.com/bingame/zpagames/ZPA_JGS2.cab61895.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/A...ersion=1,0,0,10
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attitudepositive.webex.com/client/T...bex/ieatgpc.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10351 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:51 PM

Posted 31 May 2008 - 05:45 PM

Hello there,

For Firefox, go Tools > Options> Advanced>Encryption and check the SSL box, then click OK.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [3cc62129] rundll32.exe "C:\WINDOWS\system32\juxnftsh.dll",b

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Delete the following file, if present:

C:\WINDOWS\system32\juxnftsh.dll

Reboot your computer.

Let me know if that helps those issues. :thumbsup:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 jmkwyo

jmkwyo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 31 May 2008 - 06:30 PM

Hello again tea,

The 'SSL' box was already checked, so i left it and told it to recognize certificates and clicked ok...
I deleted that file on hjt, rebooted and tried to start up firefox, and again I get this message...

Alert: Could not initialize the browser's security component. The most likely cause is problems
with files in your browser's profile directory. Please check that this directory has no read/write
restrictions and your hd is not full or close to full. It is recommended that you exit the browser
and fix the problem. If you continue to use this broswer session, you might see incorrect browser
behavirou when accessing security features.

it still won't let me in gmail either.

I think i will run spybot again to see if the virtumonde demon is gone yet.

Danke Schon!!

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:51 PM

Posted 31 May 2008 - 06:48 PM

Uninstall it, reboot, and then reinstall it. It's possible it's been corrupted.

De nada! :thumbsup:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 jmkwyo

jmkwyo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 31 May 2008 - 07:41 PM

Well all systems seem to be on green. I had to restart the computer twice and install and reinstall twice but firefox is running now too. I am going to update to SP3 hopefully it will help to keep these dirty little rodents off of this computer. Thank you for all the help... i'll never forget you ;) God Bless Texas... well most of it anyways :thumbsup:

Regards from the Great Midwest!

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:51 PM

Posted 31 May 2008 - 08:12 PM

Excellent! :thumbsup: Glad that took care of it. You're most welcome for the help. :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

The only thing I see missing in your arsenal is a software Firewall. You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 jmkwyo

jmkwyo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 31 May 2008 - 08:42 PM

I'm downloading that now... and SP3. Once again, thanks, keep up the incredibly mundane work :thumbsup: *tips his hat

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:51 PM

Posted 04 June 2008 - 01:51 PM

You're most welcome, and take care! :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users