Infected With Something


This topic is locked
17 replies to this topic

#1 Doobla

Doobla

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 15 August 2006 - 12:11 AM

I do not know what is wrong with my computer. My McAfee virus scanner says something about winwaj, vundo, and other backdoors. I ran VundoFix, but the program could not find any problems; please help. I'm running Windows XP Pro SP2.

Here is my HijackThis log. Thank you for the help.

Logfile of HijackThis v1.99.1
Scan saved at 1:10:14 AM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{2862BC45-07D9-1033-0518-040511040001}\Update.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\stickies\stickies.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Jon\Desktop\DS\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll
O2 - BHO: (no name) - {750FB8AF-ACE2-4651-836A-D61CD6BEC395} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\pmnmnll.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: urqpnkl - C:\WINDOWS\SYSTEM32\urqpnkl.dll
O20 - Winlogon Notify: winwaj32 - C:\WINDOWS\SYSTEM32\winwaj32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


#2 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  • Location:Finland
  • Local time:05:48 PM

Posted 15 August 2006 - 12:37 AM

Hi and welcome. My name is kairis and I will be helping you.

Please follow my steps in the right order...

Let's start.
Step 1:
Please rename hijackthis.exe to hjt.exe.

Step 2:
Please download VundoFix.exe (link) to your desktop.


* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once the scan is complete, right-click inside the listbox (white box) and click Add More Files.
* Copy & paste the 2 entries below into the top 2 boxes:

C:\WINDOWS\system32\urqpnkl.dll
C:\WINDOWS\system32\lknpqru.*

* Click Add Files and click Close Window.
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click Yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shut down your computer; click OK.
* Turn your computer back on.

Step 3:
Download SmitfraudFix (link) to your Desktop.

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and pressing Enter.
This program will scan a large number of files on your computer for known patterns, so please be patient while it works.
When it is done, the results of the scan will be displayed and it will create a log named report.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!
Please post the contents of C:\vundofix.txt, the SmitfraudFix report and a new HijackThis log.

~kairis~

Edited by kairis, 15 August 2006 - 01:55 AM.


#3 Doobla

Doobla
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 15 August 2006 - 09:19 AM

OK, thanks for your help. Here is my VundoFix log, my SmitfraudFix report, and my HijackThis log, in that order:


VundoFix V5.1.11

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.7

Scan started at 10:20:05 AM 8/14/2006

Listing files found while scanning....


VundoFix V5.1.11

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.7

Scan started at 12:33:28 AM 8/15/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe could not be stopped
Vundofix may not be able to delete some files that were found.

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\urqpnkl.dll
C:\WINDOWS\system32\urqpnkl.dll Could not be deleted.

Performing Repairs to the registry.
Done!

---------------------------------------------------------------------

SmitFraudFix v2.81

Scan done at 10:14:30.90, Tue 08/15/2006
Run from C:\Documents and Settings\Jon\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\pmnqguh.dll FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jon\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jon\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

--------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:18:31 AM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{2862BC45-07D9-1033-0518-040511040001}\Update.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jon\Desktop\hjt.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll
O2 - BHO: (no name) - {750FB8AF-ACE2-4651-836A-D61CD6BEC395} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\pmnmnll.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: winwaj32 - C:\WINDOWS\SYSTEM32\winwaj32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
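
As an added example (my own code, not from this thread, from HijackThis or from any of the tools named here), the following Python script does the triage a helper performs by eye on the logs above: it parses HijackThis `O2`/`O20`/`O23` lines, flags the patterns kairis acted on (anonymous BHOs, "(file missing)" orphans, Winlogon Notify packages outside a stock list), and diffs the first log against the second to show what the VundoFix run removed. The sample lines are constructed from a few abbreviated entries in this thread, the `KNOWN_NOTIFY` allowlist is my own partial list for Windows XP rather than anything posted here, and the reversed-name companion rule is an assumption generalised from the single pair kairis listed (urqpnkl.dll and lknpqru.*).

```python
"""Parse HijackThis log lines and pick out the entries a helper reviews first."""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the HijackThis logs posted in this thread
# (abbreviated to a few lines; these are not the full logs).
LOG_BEFORE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll (file missing)
O20 - Winlogon Notify: urqpnkl - C:\WINDOWS\SYSTEM32\urqpnkl.dll
O20 - Winlogon Notify: winwaj32 - C:\WINDOWS\SYSTEM32\winwaj32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed "after cleanup" sample: the ixt0 orphan and the urqpnkl Notify entry are gone.
LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll
O20 - Winlogon Notify: winwaj32 - C:\WINDOWS\SYSTEM32\winwaj32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str       # "O2", "O20", "O23", ...
    name: str          # display name, or "(no name)"
    path: str          # path as logged, without the "(file missing)" marker
    file_missing: bool
    raw: str           # the original line, used for diffing two logs


LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Partial allowlist of Winlogon Notify packages found on a stock Windows XP install.
# This is my assumption for the example, not a list taken from the thread.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_hjt(text):
    """Turn HijackThis 'Oxx - ...' lines into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        file_missing = body.endswith("(file missing)")
        if file_missing:
            body = body[: -len("(file missing)")].rstrip()
        # Fields are " - " separated: the last one is the path, the first is "kind: name".
        parts = body.split(" - ")
        head = parts[0]
        name = head.split(": ", 1)[1] if ": " in head else head
        entries.append(Entry(section, name, parts[-1], file_missing, line.strip()))
    return entries


def flag_entries(entries):
    """Return (entry, reason) pairs for the lines a helper would look at first."""
    flagged = []
    for e in entries:
        if e.file_missing:
            flagged.append((e, "registration points at a file that no longer exists"))
        elif e.section == "O2" and e.name == "(no name)":
            flagged.append((e, "anonymous BHO loaded into every Internet Explorer process"))
        elif e.section == "O20" and e.name.lower() not in KNOWN_NOTIFY:
            flagged.append((e, "Winlogon Notify package outside the stock set"))
    return flagged


def removed_entries(before, after):
    """Lines present in the first log but gone from the second: what the cleanup took out."""
    after_raw = {e.raw for e in after}
    return [e.raw for e in before if e.raw not in after_raw]


def companion_name(dll_filename):
    """Reverse the DLL stem, as in the pair kairis gave VundoFix (urqpnkl.dll -> lknpqru.*).
    Applying this to other file names is an assumption, not a rule stated in the thread."""
    stem = dll_filename.rsplit(".", 1)[0]
    return stem[::-1] + ".*"


def triage(before_text, after_text):
    """Summarise what was suspicious, what the cleanup removed, and what still needs attention."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "flagged_before": [(e.raw, why) for e, why in flag_entries(before)],
        "removed": removed_entries(before, after),
        "still_flagged": [e.raw for e, _ in flag_entries(after)],
    }


if __name__ == "__main__":
    for key, items in triage(LOG_BEFORE, LOG_AFTER).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run as a script it prints the three lists; on the constructed sample the "still_flagged" list is exactly the two entries (the anonymous urqpnkl BHO and the winwaj32 Notify package) that the thread's second log also still shows, which is why the helper moved on to VirtumundoBeGone and a Safe Mode pass.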

#4 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  • Location:Finland
  • Local time:05:48 PM

Posted 15 August 2006 - 09:59 AM

Hello Doobla, thanks for the logs.

Please do NOT run your HijackThis from either the Desktop or a Temp folder, because these cannot save backups properly.
A permanent folder, such as C:\HJT, should be used.
Uninstall HijackThis and reinstall it in a permanent folder. Thanks.

Step 1:
1. Please print these instructions as they will be needed later when Internet access is not available.

2. Save these instructions in Word or Notepad to the desktop where they can be easily found.

Step 2:
Download VirtumundoBeGone and save it to your desktop (link).

Step 3:
Reboot your computer into Safe Mode:

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Log in to your usual account.

Step 4:
Then double-click the VirtumundoBeGone.exe you just downloaded and follow the instructions.

Exit when it has finished.

Step 5:
Stay in Safe Mode.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.

(Warning : running option #2 on a non infected computer will remove your Desktop background.)

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to
remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear on screen with results from the cleaning process; post that log in your next reply together with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\report.txt.

Step 6:
In your next reply, please include the following logs: Smitfraudfix report, Fresh Hijackthis, and VirtumundoBeGone report. Thanks.

Edited by kairis, 15 August 2006 - 10:01 AM.


#5 Doobla

Doobla
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 15 August 2006 - 10:23 AM

OK, all done. Here is my SmitfraudFix report, HijackThis log, and VirtumundoBeGone report, in that order. Thanks for the help.


SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\pmnqguh.dll Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:22:11 AM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{2862BC45-07D9-1033-0518-040511040001}\Update.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll
O2 - BHO: (no name) - {750FB8AF-ACE2-4651-836A-D61CD6BEC395} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\pmnmnll.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: winwaj32 - C:\WINDOWS\SYSTEM32\winwaj32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


----------------------------------------------------------------------------------------------------


[08/15/2006, 11:11:47] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jon\Desktop\VirtumundoBeGone.exe" )
[08/15/2006, 11:11:53] - Detected System Information:
[08/15/2006, 11:11:53] - Windows Version: 5.1.2600, Service Pack 2
[08/15/2006, 11:11:53] - Current Username: Jon (Admin)
[08/15/2006, 11:11:53] - Windows is in SAFE mode with Networking.
[08/15/2006, 11:11:53] - Searching for Browser Helper Objects:
[08/15/2006, 11:11:53] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/15/2006, 11:11:53] - BHO 2: {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} (McBrwHelper Class)
[08/15/2006, 11:11:53] - BHO 3: {3EC8255F-E043-4cae-8B3B-B191550C2A22} (McAfee Privacy Service Popup Blocker)
[08/15/2006, 11:11:53] - BHO 4: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} (McAfee AntiPhishing Filter)
[08/15/2006, 11:11:53] - BHO 5: {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} ()
[08/15/2006, 11:11:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/15/2006, 11:11:53] - Checking for HKLM\...\Winlogon\Notify\urqpnkl
[08/15/2006, 11:11:53] - Key not found: HKLM\...\Winlogon\Notify\urqpnkl, continuing.
[08/15/2006, 11:11:53] - BHO 6: {750FB8AF-ACE2-4651-836A-D61CD6BEC395} ()
[08/15/2006, 11:11:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/15/2006, 11:11:53] - Checking for HKLM\...\Winlogon\Notify\mljge
[08/15/2006, 11:11:53] - Key not found: HKLM\...\Winlogon\Notify\mljge, continuing.
[08/15/2006, 11:11:53] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/15/2006, 11:11:53] - BHO 8: {873eb32d-ae1a-4183-89bd-45a77f761be4} ()
[08/15/2006, 11:11:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/15/2006, 11:11:53] - Checking for HKLM\...\Winlogon\Notify\ixt0
[08/15/2006, 11:11:53] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[08/15/2006, 11:11:53] - BHO 9: {C333CF63-767F-4831-94AC-E683D962C63C} (CoTGT_BHO Class)
[08/15/2006, 11:11:53] - BHO 10: {E521797A-22DE-4B46-8B2F-8E98AB77B942} ()
[08/15/2006, 11:11:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/15/2006, 11:11:53] - Checking for HKLM\...\Winlogon\Notify\pmnmnll
[08/15/2006, 11:11:53] - Key not found: HKLM\...\Winlogon\Notify\pmnmnll, continuing.
[08/15/2006, 11:11:53] - Finished Searching Browser Helper Objects
[08/15/2006, 11:11:53] - Finishing up...
[08/15/2006, 11:11:53] - Nothing found! Exiting...

#6 kairis

kairis

  • Members
  • 327 posts
  • Location:Finland

Posted 15 August 2006 - 10:48 AM

Hi again...

Please download Combofix (link) to your desktop.
Double-click combo.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

#7 Doobla

Doobla
  • Topic Starter

  • Members
  • 9 posts

Posted 15 August 2006 - 11:00 AM

Done, here is the report:

Start Time= Tue 08/15/2006 11:55:06.17
Running from: C:\Documents and Settings\Jon

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-15 11:54:48 683 ( A.... ) "C:\Combo.bat"
2006-08-15 00:35:38 77312 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-08-14 23:49:00 ( .D... ) "C:\Program Files\ImTOO"
2006-08-14 23:38:52 ( .D... ) "C:\Program Files\Xilisoft"
2006-08-14 17:30:16 40973 ( ..SH. ) "C:\WINDOWS\system32\awtssrq.dll"
2006-08-14 10:26:28 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Azureus"
2006-08-14 10:16:50 40973 ( ..SH. ) "C:\WINDOWS\system32\nnnopnm.dll"
2006-08-13 20:05:44 ( .D... ) "C:\Program Files\AOL"
2006-08-13 00:35:54 458593 ( A.... ) "C:\WINDOWS\system32\pmnlm.dll"
2006-08-12 14:52:38 ( .D... ) "C:\Program Files\MP4Cam2AVI_v2.27"
2006-08-12 11:37:30 40973 ( ..... ) "C:\WINDOWS\system32\urqpnkl.dll"
2006-08-11 23:26:08 ( .D... ) "C:\Program Files\Cucusoft"
2006-08-11 23:10:30 15360 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-08-11 22:42:28 356352 ( A.... ) "C:\WINDOWS\eSellerateEngine.dll"
2006-08-11 22:33:56 ( .D... ) "C:\Program Files\MOV to AVI MPEG WMV Converter"
2006-08-09 20:45:04 ( .D... ) "C:\Program Files\WinXMedia"
2006-08-06 17:15:22 40973 ( A.SH. ) "C:\WINDOWS\system32\khfcbby.dll"
2006-08-02 23:45:28 ( .D... ) "C:\Program Files\Common Files\{2862BC45-07D9-1033-0518-040511040001}"
2006-08-01 20:16:08 ( .D... ) "C:\Program Files\Winamp"
2006-08-01 17:17:54 249856 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-08-01 17:17:46 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-08-01 16:15:32 ( .D... ) "C:\Program Files\GSpot"
2006-08-01 12:39:44 ( .D... ) "C:\Program Files\Black Isle"
2006-07-28 22:16:14 ( .D... ) "C:\Documents and Settings\Jon\Application Data\dvdcss"
2006-07-27 09:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-25 22:22:22 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Apple Computer"
2006-07-25 22:21:10 ( .D... ) "C:\Program Files\QuickTime"
2006-07-25 22:20:40 ( .D... ) "C:\Program Files\iTunes"
2006-07-25 22:20:40 ( .D... ) "C:\Program Files\iPod"
2006-07-24 14:52:52 ( .D... ) "C:\Documents and Settings\Jon\Application Data\McAfee"
2006-07-21 04:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-14 21:57:28 ( .D... ) "C:\Program Files\THQ"
2006-07-14 18:14:00 ( .D... ) "C:\Documents and Settings\Jon\Application Data\stickies"
2006-07-14 18:13:54 ( .D... ) "C:\Program Files\stickies"
2006-07-14 11:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 09:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-12 01:09:56 ( .D... ) "C:\Documents and Settings\Jon\Application Data\vlc"
2006-07-11 23:32:54 ( .D... ) "C:\Program Files\VideoLAN"
2006-07-10 15:23:54 ( .D... ) "C:\Program Files\themexp"
2006-07-09 15:06:02 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-07-09 14:56:30 ( .D... ) "C:\Program Files\Ubisoft"
2006-07-06 12:42:32 ( .D... ) "C:\Program Files\Microsoft SQL Server"
2006-07-06 12:40:08 ( .D... ) "C:\Program Files\Microsoft Visual Studio 8"
2006-07-06 11:52:32 ( .D... ) "C:\Program Files\K-Lite"
2006-07-05 06:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
2006-07-04 21:16:14 ( .D... ) "C:\Program Files\Altnet"
2006-07-01 22:00:26 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Kazaa Lite"
2006-06-30 02:06:04 ( .D... ) "C:\Program Files\Swim TEAM MANAGER Lite 4.0"
2006-06-30 02:02:58 ( .D... ) "C:\Program Files\Personal SWIM MANAGER Demo"
2006-06-30 00:03:02 ( .D... ) "C:\Program Files\Swim MEET MANAGER Demo 2.0"
2006-06-29 22:56:42 53248 ( A.... ) "C:\WINDOWS\system32\Process.exe"
2006-06-29 22:49:22 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Registry Cleaner"
2006-06-29 17:15:20 24064 ( A.SH. ) "C:\WINDOWS\system32\gebbxyx.dll"
2006-06-29 16:33:16 18432 ( A.... ) "C:\WINDOWS\system32\winwaj32.dll"
2006-06-27 14:04:34 27075695 ( A.... ) "C:\Program Files\database.arz"
2006-06-26 13:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 13:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-25 14:08:52 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Sun"
2006-06-22 02:49:40 ( .D... ) "C:\Program Files\Soldier of Fortune II - Double Helix"
2006-06-18 23:12:44 ( .D... ) "C:\Program Files\TGTSoft"
2006-06-16 01:39:22 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-06-16 01:39:18 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-16 01:39:12 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-06-16 01:39:12 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-06-16 01:39:12 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-06-16 01:39:10 ( .D... ) "C:\Program Files\Common Files\Real"
2006-06-16 01:39:06 ( .D... ) "C:\Program Files\Real"
2006-06-16 01:38:48 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Real"
2006-06-15 01:58:38 ( .D... ) "C:\Program Files\Ares"
2006-06-10 19:45:32 767 ( A.... ) "C:\Documents and Settings\Jon\Application Data\AZU29647.tmp"
2006-06-09 20:06:42 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-09 15:27:18 62 ( A.SH. ) "C:\Documents and Settings\Jon\Application Data\desktop.ini"
2006-06-01 18:11:08 109568 ( A.... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-06-01 18:11:08 108544 ( A.... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-06-01 18:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-06-01 18:09:58 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-06-01 18:09:58 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-06-01 18:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-06-01 18:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-06-01 18:09:58 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-06-01 18:09:58 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-06-01 18:09:58 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-06-01 18:09:58 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-06-01 18:07:46 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-06-01 18:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-06-01 18:07:38 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-06-01 18:07:34 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-06-01 18:07:00 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-06-01 18:06:58 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-06-01 18:06:58 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-06-01 18:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-06-01 18:06:34 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-06-01 18:06:34 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-16 04:38:40 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"
2006-05-16 04:38:40 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-15 11:54 683 C:\Combo.bat
2006-08-15 00:49 349,760 C:\WINDOWS\system32\mcinsctl.dll
2006-08-15 00:35 77,312 C:\WINDOWS\system32\VundoFix.exe
2006-08-14 17:30 40,973 C:\WINDOWS\system32\awtssrq.dll
2006-08-14 10:19 53,346 C:\WINDOWS\system32\javaw.exe
2006-08-14 10:19 49,248 C:\WINDOWS\system32\java.exe
2006-08-14 10:19 127,078 C:\WINDOWS\system32\javaws.exe
2006-08-14 10:16 40,973 C:\WINDOWS\system32\nnnopnm.dll
2006-08-13 00:35 458,593 C:\WINDOWS\system32\pmnlm.dll
2006-08-12 11:37 40,973 C:\WINDOWS\system32\urqpnkl.dll
2006-08-11 23:09 15,360 C:\WINDOWS\system32\BASSMOD.dll
2006-08-11 22:42 356,352 C:\WINDOWS\eSellerateEngine.dll
2006-08-09 20:45 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-08-09 20:41 395,776 C:\WINDOWS\system32\libmplayer.dll
2006-08-09 20:41 34,820 C:\WINDOWS\system32\ffdshow.reg
2006-08-09 20:41 262,144 C:\WINDOWS\system32\TomsMoComp_ff.dll
2006-08-09 20:41 2,255,360 C:\WINDOWS\system32\libavcodec.dll
2006-08-09 20:41 112,640 C:\WINDOWS\system32\libmpeg2_ff.dll
2006-08-06 17:15 40,973 C:\WINDOWS\system32\khfcbby.dll
2006-07-16 21:52 73,216 C:\WINDOWS\ST6UNST.EXE
2006-07-16 21:52 249,856 C:\WINDOWS\Setup1.exe
2006-07-09 15:06 98,304 C:\WINDOWS\system32\CmdLineExt.dll
2006-07-09 15:05 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-09 15:05 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-09 15:05 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-07-09 15:05 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-09 15:05 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-09 15:05 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-09 15:05 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-09 15:05 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-09 15:05 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-09 15:05 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-09 15:05 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-07-09 15:05 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-07-09 15:05 14,032 C:\WINDOWS\system32\x3daudio1_0.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nTrayFw"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1149906144\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{2862BC45-07D9-1033-0518-040511040001}"="\"C:\\Program Files\\Common Files\\{2862BC45-07D9-1033-0518-040511040001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder

Completion time: Tue 08/15/2006 11:55:25.39
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-15.115506.txt

Thanks

#8 kairis

kairis

  • Members
  • 327 posts
  • Location:Finland

Posted 16 August 2006 - 01:32 AM

Hi.
Step 1:
Now please copy the following bold text in the code box to Notepad. Make sure there is no empty line above REGEDIT4.
In Notepad go to File > Save As. Name it Fixit.reg, in the drop-down box at the bottom choose "All Files", and save it on your desktop.
Then double-click Fixit.reg and let it merge with the registry.

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{2862BC45-07D9-1033-0518-040511040001}"=-


Step 2:
Go to Start menu -> Run -> copy the next text into the text box and press Enter:
"%userprofile%\desktop\combofix.exe" /v awtssrq nnnopnm pmnlm winwaj32 urqpnkl khfcbby

Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

==============
Restart your computer.
==============

Step 3:
Please rename hijackthis.exe to scanner.exe and post a new HijackThis log, thanks.

Edited by kairis, 16 August 2006 - 01:13 PM.
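The helper's list of names for the ComboFix /v switch comes from reading the logs above by eye: BHOs registered with no name, a Winlogon Notify DLL in system32, and several same-sized DLLs carrying hidden+system attributes. As an added example (my code, not a tool from this thread, from the helper, or from BleepingComputer), the same triage written as explicit rules over constructed sample text that copies a few lines from the HijackThis and Find3M reports posted above:

```python
"""Triage of HijackThis and ComboFix Find3M lines for Vundo-style load points.

Added example, not a tool from this thread. The samples are constructed for the
example and copy a few entries from the logs posted above.
"""
import re
from collections import defaultdict

# Constructed sample: HijackThis lines copied from the log posted above.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll
O2 - BHO: (no name) - {750FB8AF-ACE2-4651-836A-D61CD6BEC395} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O20 - Winlogon Notify: winwaj32 - C:\WINDOWS\SYSTEM32\winwaj32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Constructed sample: ComboFix Find3M lines copied from the report posted above.
FIND3M_SAMPLE = r"""
2006-08-14 17:30:16 40973 ( ..SH. ) "C:\WINDOWS\system32\awtssrq.dll"
2006-08-14 10:16:50 40973 ( ..SH. ) "C:\WINDOWS\system32\nnnopnm.dll"
2006-08-13 00:35:54 458593 ( A.... ) "C:\WINDOWS\system32\pmnlm.dll"
2006-08-12 11:37:30 40973 ( ..... ) "C:\WINDOWS\system32\urqpnkl.dll"
2006-08-06 17:15:22 40973 ( A.SH. ) "C:\WINDOWS\system32\khfcbby.dll"
2006-07-27 09:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-06-29 22:49:22 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Registry Cleaner"
2006-06-29 17:15:20 24064 ( A.SH. ) "C:\WINDOWS\system32\gebbxyx.dll"
2006-06-29 16:33:16 18432 ( A.... ) "C:\WINDOWS\system32\winwaj32.dll"
"""

HJT_RE = re.compile(r"^(O\d+) - (.+)$")
BHO_RE = re.compile(r"^BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")
# timestamp, optional byte size (absent for directories), 5-char attribute field, quoted path
FIND3M_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:(\d+) )?\( (.{5}) \) "(.+)"$')
MISSING = " (file missing)"


def basename(path):
    """Lower-cased file name of a Windows path, used as the report key."""
    return path.rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def flag_hjt(text):
    """Rules over HijackThis O2 (BHO) and O20 (Winlogon Notify) lines."""
    flags = defaultdict(list)
    for raw in text.splitlines():
        m = HJT_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            name, path = b.groups()
            missing = path.endswith(MISSING)
            if missing:
                path = path[: -len(MISSING)]
            if name == "(no name)":
                flags[basename(path)].append("BHO registered without a display name")
            if missing:
                flags[basename(path)].append("BHO points at a file that no longer exists")
        elif section == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                flags[basename(n.group(2))].append(
                    "Winlogon Notify DLL (loaded into winlogon.exe at logon)")
    return flags


def flag_find3m(text):
    """Rules over Find3M lines: hidden+system files in system32, and DLL size clusters."""
    flags = defaultdict(list)
    sizes = defaultdict(list)  # byte size -> system32 DLL names sharing it
    for raw in text.splitlines():
        m = FIND3M_RE.match(raw.strip())
        if not m:
            continue
        _ts, size, attrs, path = m.groups()
        if size is None or not in_system32(path):
            continue  # directories and files outside system32 are not scored here
        key = basename(path)
        if "S" in attrs and "H" in attrs:
            flags[key].append(f"hidden+system attributes ({attrs}) on a file in system32")
        if key.endswith(".dll"):
            sizes[int(size)].append(key)
    for size, names in sizes.items():
        if len(names) >= 2:
            for key in names:
                flags[key].append(f"same byte size ({size}) as {len(names) - 1} other system32 DLL(s)")
    return flags


def triage(hjt_text, find3m_text):
    """Merge both rule sets into {file name: [reasons]} for files hit by at least one rule."""
    merged = defaultdict(list)
    for source in (flag_hjt(hjt_text), flag_find3m(find3m_text)):
        for key, reasons in source.items():
            merged[key].extend(reasons)
    return dict(merged)


if __name__ == "__main__":
    for key, reasons in sorted(triage(HJT_SAMPLE, FIND3M_SAMPLE).items()):
        print(key)
        for reason in reasons:
            print("   -", reason)
```

On the sample the rules hit five of the six names the helper passed to ComboFix (awtssrq, nnnopnm, urqpnkl, khfcbby, winwaj32) plus the dangling mljge.dll BHO and gebbxyx.dll, which carries A.SH. attributes in system32 but is not in the helper's list; they miss pmnlm.dll, which is neither hidden nor part of a size cluster. That gap is the point of the caveat: rules like these rank what to verify (hash lookups, signer, load point), they do not decide what to delete.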


#9 Doobla

Doobla
  • Topic Starter

  • Members
  • 9 posts

Posted 17 August 2006 - 03:58 PM

Sorry for the slow reply; I was driving back to school. Here are the Combofix.txt and the HijackThis log, in that order. Thanks.

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\SYSTEM32\AWTSSRQ.DLL
C:\WINDOWS\SYSTEM32\NNNOPNM.DLL
C:\WINDOWS\SYSTEM32\PMNLM.DLL
C:\WINDOWS\SYSTEM32\WINWAJ32.DLL
C:\WINDOWS\SYSTEM32\URQPNKL.DLL
C:\WINDOWS\SYSTEM32\KHFCBBY.DLL


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\SYSTEM32\WINWAJ32.DLL

16:51:43.78
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-15 17:33:44 77312 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-08-14 23:49:00 ( .D... ) "C:\Program Files\ImTOO"
2006-08-14 23:38:52 ( .D... ) "C:\Program Files\Xilisoft"
2006-08-14 10:26:28 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Azureus"
2006-08-13 20:05:44 ( .D... ) "C:\Program Files\AOL"
2006-08-12 14:52:38 ( .D... ) "C:\Program Files\MP4Cam2AVI_v2.27"
2006-08-11 23:26:08 ( .D... ) "C:\Program Files\Cucusoft"
2006-08-11 23:10:30 15360 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-08-11 22:42:28 356352 ( A.... ) "C:\WINDOWS\eSellerateEngine.dll"
2006-08-11 22:33:56 ( .D... ) "C:\Program Files\MOV to AVI MPEG WMV Converter"
2006-08-09 20:45:04 ( .D... ) "C:\Program Files\WinXMedia"
2006-08-02 23:45:28 ( .D... ) "C:\Program Files\Common Files\{2862BC45-07D9-1033-0518-040511040001}"
2006-08-01 20:16:08 ( .D... ) "C:\Program Files\Winamp"
2006-08-01 17:17:54 249856 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-08-01 17:17:46 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-08-01 16:15:32 ( .D... ) "C:\Program Files\GSpot"
2006-08-01 12:39:44 ( .D... ) "C:\Program Files\Black Isle"
2006-07-28 22:16:14 ( .D... ) "C:\Documents and Settings\Jon\Application Data\dvdcss"
2006-07-27 09:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-25 22:22:22 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Apple Computer"
2006-07-25 22:21:10 ( .D... ) "C:\Program Files\QuickTime"
2006-07-25 22:20:40 ( .D... ) "C:\Program Files\iTunes"
2006-07-25 22:20:40 ( .D... ) "C:\Program Files\iPod"
2006-07-24 14:52:52 ( .D... ) "C:\Documents and Settings\Jon\Application Data\McAfee"
2006-07-21 04:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-14 21:57:28 ( .D... ) "C:\Program Files\THQ"
2006-07-14 18:14:00 ( .D... ) "C:\Documents and Settings\Jon\Application Data\stickies"
2006-07-14 18:13:54 ( .D... ) "C:\Program Files\stickies"
2006-07-14 11:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 09:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-12 01:09:56 ( .D... ) "C:\Documents and Settings\Jon\Application Data\vlc"
2006-07-11 23:32:54 ( .D... ) "C:\Program Files\VideoLAN"
2006-07-10 15:23:54 ( .D... ) "C:\Program Files\themexp"
2006-07-09 15:06:02 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-07-09 14:56:30 ( .D... ) "C:\Program Files\Ubisoft"
2006-07-06 12:42:32 ( .D... ) "C:\Program Files\Microsoft SQL Server"
2006-07-06 12:40:08 ( .D... ) "C:\Program Files\Microsoft Visual Studio 8"
2006-07-06 11:52:32 ( .D... ) "C:\Program Files\K-Lite"
2006-07-05 06:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
2006-07-04 21:16:14 ( .D... ) "C:\Program Files\Altnet"
2006-07-01 22:00:26 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Kazaa Lite"
2006-06-30 02:06:04 ( .D... ) "C:\Program Files\Swim TEAM MANAGER Lite 4.0"
2006-06-30 02:02:58 ( .D... ) "C:\Program Files\Personal SWIM MANAGER Demo"
2006-06-30 00:03:02 ( .D... ) "C:\Program Files\Swim MEET MANAGER Demo 2.0"
2006-06-29 22:56:42 53248 ( A.... ) "C:\WINDOWS\system32\Process.exe"
2006-06-29 22:49:22 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Registry Cleaner"
2006-06-29 17:15:20 24064 ( A.SH. ) "C:\WINDOWS\system32\gebbxyx.dll"
2006-06-29 16:33:16 18432 ( ..... ) "C:\WINDOWS\system32\winwaj32.dll"
2006-06-27 14:04:34 27075695 ( A.... ) "C:\Program Files\database.arz"
2006-06-26 13:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 13:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-25 14:08:52 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Sun"
2006-06-22 02:49:40 ( .D... ) "C:\Program Files\Soldier of Fortune II - Double Helix"
2006-06-18 23:12:44 ( .D... ) "C:\Program Files\TGTSoft"
2006-06-16 01:39:18 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-16 01:39:12 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-06-16 01:39:12 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-06-16 01:39:12 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-06-10 19:45:32 767 ( A.... ) "C:\Documents and Settings\Jon\Application Data\AZU29647.tmp"
2006-06-09 20:06:42 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-09 15:27:18 62 ( A.SH. ) "C:\Documents and Settings\Jon\Application Data\desktop.ini"
2006-06-01 18:11:08 109568 ( A.... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-06-01 18:11:08 108544 ( A.... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-06-01 18:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-06-01 18:09:58 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-06-01 18:09:58 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-06-01 18:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-06-01 18:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-06-01 18:09:58 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-06-01 18:09:58 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-06-01 18:09:58 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-06-01 18:09:58 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-06-01 18:07:46 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-06-01 18:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-06-01 18:07:38 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-06-01 18:07:34 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-06-01 18:07:00 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-06-01 18:06:58 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-06-01 18:06:58 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-06-01 18:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-06-01 18:06:34 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-06-01 18:06:34 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-15 00:49 349,760 C:\WINDOWS\system32\mcinsctl.dll
2006-08-15 00:35 77,312 C:\WINDOWS\system32\VundoFix.exe
2006-08-14 10:19 53,346 C:\WINDOWS\system32\javaw.exe
2006-08-14 10:19 49,248 C:\WINDOWS\system32\java.exe
2006-08-14 10:19 127,078 C:\WINDOWS\system32\javaws.exe
2006-08-11 23:09 15,360 C:\WINDOWS\system32\BASSMOD.dll
2006-08-11 22:42 356,352 C:\WINDOWS\eSellerateEngine.dll
2006-08-09 20:45 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-08-09 20:41 395,776 C:\WINDOWS\system32\libmplayer.dll
2006-08-09 20:41 34,820 C:\WINDOWS\system32\ffdshow.reg
2006-08-09 20:41 262,144 C:\WINDOWS\system32\TomsMoComp_ff.dll
2006-08-09 20:41 2,255,360 C:\WINDOWS\system32\libavcodec.dll
2006-08-09 20:41 112,640 C:\WINDOWS\system32\libmpeg2_ff.dll
2006-07-16 21:52 73,216 C:\WINDOWS\ST6UNST.EXE
2006-07-16 21:52 249,856 C:\WINDOWS\Setup1.exe
2006-07-09 15:06 98,304 C:\WINDOWS\system32\CmdLineExt.dll
2006-07-09 15:05 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-09 15:05 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-09 15:05 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-07-09 15:05 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-09 15:05 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-09 15:05 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-09 15:05 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-09 15:05 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-09 15:05 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-09 15:05 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-09 15:05 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-07-09 15:05 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-07-09 15:05 14,032 C:\WINDOWS\system32\x3daudio1_0.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nTrayFw"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1149906144\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder

Completion time: Thu 08/17/2006 16:51:53.50
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-15.115506.txt
ComboFix.2006-08-17.164946.txt
---------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:55:56 PM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\program files\common files\aol\1149906144\ee\aim6.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\Scanner.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll (file missing)
O2 - BHO: (no name) - {750FB8AF-ACE2-4651-836A-D61CD6BEC395} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\pmnmnll.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: winwaj32 - C:\WINDOWS\SYSTEM32\winwaj32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

#10 kairis

kairis

  • Members
  • 327 posts
  • Location:Finland

Posted 18 August 2006 - 01:16 AM

Hi Doobla :thumbsup: The log looks pretty good.
Let's continue.

Step 1:
Download and unzip Avenger
http://swandog46.geekstogo.com/avenger.zip
to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste all the text in the quote box below.
Quote:

Files to delete:
C:\WINDOWS\SYSTEM32\AWTSSRQ.DLL
C:\WINDOWS\SYSTEM32\NNNOPNM.DLL
C:\WINDOWS\SYSTEM32\PMNLM.DLL
C:\WINDOWS\SYSTEM32\WINWAJ32.DLL
C:\WINDOWS\SYSTEM32\KHFCBBY.DLL
Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

Step 2:
With all other windows closed, start your HijackThis and click "Do a System Scan Only".
Click in the check-box to the left of each of the following entries, if found:
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll (file missing)
O2 - BHO: (no name) - {750FB8AF-ACE2-4651-836A-D61CD6BEC395} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\pmnmnll.dll (file missing)
O20 - Winlogon Notify: winwaj32 - C:\WINDOWS\SYSTEM32\winwaj32.dll
Select Fix Checked

Step 3:
Please rerun ComboFix.

Step 4:
Copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log and ComboFix log, and tell me how things are running.

Edited by kairis, 18 August 2006 - 01:21 AM.
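Added example, not part of the thread or of kairis's instructions: the fix list above was built by hand from the HJT log, and the logs in this thread show why that is tedious: the Vundo-style DLL is reinstalled under a new random name (urqpnkl.dll on 8/17, nnnkjij.dll on 8/18) while its CLSID {5A3E97DD-...} and its Winlogon Notify registration stay put. The script below encodes the triage rules a helper applies by eye: O2 BHOs with "(no name)" or "(file missing)", O20 Winlogon Notify DLLs outside the set that ships with XP, Hidden+System DLLs in system32 from the ComboFix Find3M report, and CLSIDs whose DLL path rotated between two scans. The KNOWN_NOTIFY allowlist is an assumption (indicative, not exhaustive), and the sample log lines are constructed from the shapes seen in this thread; treat every hit as a lead for a human, not a verdict.

```python
"""Triage HijackThis (HJT) and ComboFix log lines for Vundo-style persistence.

Heuristics over text logs, not a scanner: every hit still needs a human look.
Sample lines at the bottom are constructed from the shapes seen in this thread.
"""
import re
from dataclasses import dataclass, field

# Winlogon Notify packages that ship with Windows XP (assumption: indicative,
# not exhaustive). Anything else registered there is loaded into winlogon.exe
# at every logon, which is exactly why Vundo registers its DLL there.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                    r" - (?P<path>.*?)(?P<missing> \(file missing\))?$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# ComboFix Find3M line: date time [size] ( ADSHR-style attrs ) "path"; dirs have no size.
FIND3M = re.compile(r'^\d{4}-\d{2}-\d{2} \S+ (?:\d+ )?\( (?P<attrs>[A-Z.]{5}) \) "(?P<path>.+)"$')


@dataclass
class Finding:
    kind: str          # "O2", "O20" or "Find3M"
    ident: str         # CLSID, Winlogon Notify key, or file path
    path: str
    reasons: list = field(default_factory=list)


def triage_hjt(text):
    """Flag O2 BHOs with no name or a missing file, and unknown O20 Notify DLLs."""
    out = []
    for line in text.splitlines():
        m = HJT_O2.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a display name")
            if m["missing"]:
                reasons.append("CLSID still registered but its DLL is gone")
            if reasons:
                out.append(Finding("O2", m["clsid"], m["path"], reasons))
            continue
        m = HJT_O20.match(line)
        if m and m["key"].lower() not in KNOWN_NOTIFY:
            out.append(Finding("O20", m["key"], m["path"],
                               ["Winlogon Notify DLL outside the known XP set"]))
    return out


def triage_find3m(text):
    """Flag DLLs under system32 carrying both the System and Hidden attributes."""
    out = []
    for line in text.splitlines():
        m = FIND3M.match(line.strip())
        if not m or "D" in m["attrs"]:
            continue                      # not a file line, or a directory
        path = m["path"]
        low = path.lower()
        if ("\\system32\\" in low and low.endswith(".dll")
                and "S" in m["attrs"] and "H" in m["attrs"]):
            out.append(Finding("Find3M", path, path,
                               ["Hidden+System DLL in system32 (Vundo-style concealment)"]))
    return out


def rotating_clsids(before, after):
    """CLSIDs flagged in both scans whose DLL path changed between them.

    The dropped DLL gets a new random name each time it reinstalls itself; the
    CLSID in the registry stays put, so that is the handle to remove it by.
    """
    a = {f.ident: f.path for f in before if f.kind == "O2"}
    b = {f.ident: f.path for f in after if f.kind == "O2"}
    return {c: (a[c], b[c]) for c in a.keys() & b.keys() if a[c] != b[c]}


# --- constructed samples, modelled on the 8/17 and 8/18 logs in this thread ---
HJT_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll (file missing)
O2 - BHO: (no name) - {750FB8AF-ACE2-4651-836A-D61CD6BEC395} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\pmnmnll.dll (file missing)
O20 - Winlogon Notify: winwaj32 - C:\WINDOWS\SYSTEM32\winwaj32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""
HJT_AFTER = r"""
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\nnnkjij.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O20 - Winlogon Notify: nnnkjij - C:\WINDOWS\SYSTEM32\nnnkjij.dll
"""
FIND3M_SAMPLE = r'''
2006-08-17 16:57:00 40973 ( ..SH. ) "C:\WINDOWS\system32\nnnkjij.dll"
2006-08-15 17:33:44 77312 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-08-14 23:49:00 ( .D... ) "C:\Program Files\ImTOO"
2006-06-29 17:15:20 24064 ( A.SH. ) "C:\WINDOWS\system32\gebbxyx.dll"
2006-06-09 15:27:18 62 ( A.SH. ) "C:\Documents and Settings\Jon\Application Data\desktop.ini"
'''

if __name__ == "__main__":
    before, after = triage_hjt(HJT_BEFORE), triage_hjt(HJT_AFTER)
    for f in before + after + triage_find3m(FIND3M_SAMPLE):
        print(f"{f.kind:6} {f.ident}  {f.path}\n       -> {'; '.join(f.reasons)}")
    for clsid, (old, new) in rotating_clsids(before, after).items():
        print(f"ROTATE {clsid}: {old} -> {new}")
```

Run against the two HJT logs in this thread it reproduces kairis's Step 2 list for 8/17 (three nameless, file-missing BHOs plus the winwaj32 Notify entry), and for 8/18 it reports the same CLSID now backed by nnnkjij.dll, which is the signal that the DLL name in the next Avenger script has to change while the registry target does not. The Find3M rule also surfaces gebbxyx.dll from June, a Hidden+System DLL in system32 that neither log's fix list mentions and that a helper would want to look at.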


#11 Doobla

Doobla
  • Topic Starter

  • Members
  • 9 posts

Posted 18 August 2006 - 08:08 AM

OK, here is the Avenger log, the HijackThis log, and the ComboFix log, in that order.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ecuppnjp

*******************

Script file located at: \??\C:\cfwvbqrc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\SYSTEM32\AWTSSRQ.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\AWTSSRQ.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\AWTSSRQ.DLL
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\NNNOPNM.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\NNNOPNM.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\NNNOPNM.DLL
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\PMNLM.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\PMNLM.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\PMNLM.DLL
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\WINWAJ32.DLL deleted successfully.


File C:\WINDOWS\SYSTEM32\KHFCBBY.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\KHFCBBY.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\KHFCBBY.DLL
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

-------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:05:36 AM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\hjt.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\nnnkjij.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: nnnkjij - C:\WINDOWS\SYSTEM32\nnnkjij.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

---------------------------------------------------------------------------------------------------------------------

Start Time= Fri 08/18/2006 9:02:58.54
Running from: C:\Documents and Settings\Jon\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-17 16:57:00 40973 ( ..SH. ) "C:\WINDOWS\system32\nnnkjij.dll"
2006-08-15 17:33:44 77312 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-08-14 23:49:00 ( .D... ) "C:\Program Files\ImTOO"
2006-08-14 23:38:52 ( .D... ) "C:\Program Files\Xilisoft"
2006-08-14 10:26:28 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Azureus"
2006-08-13 20:05:44 ( .D... ) "C:\Program Files\AOL"
2006-08-12 14:52:38 ( .D... ) "C:\Program Files\MP4Cam2AVI_v2.27"
2006-08-11 23:26:08 ( .D... ) "C:\Program Files\Cucusoft"
2006-08-11 23:10:30 15360 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-08-11 22:42:28 356352 ( A.... ) "C:\WINDOWS\eSellerateEngine.dll"
2006-08-11 22:33:56 ( .D... ) "C:\Program Files\MOV to AVI MPEG WMV Converter"
2006-08-09 20:45:04 ( .D... ) "C:\Program Files\WinXMedia"
2006-08-02 23:45:28 ( .D... ) "C:\Program Files\Common Files\{2862BC45-07D9-1033-0518-040511040001}"
2006-08-01 20:16:08 ( .D... ) "C:\Program Files\Winamp"
2006-08-01 17:17:54 249856 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-08-01 17:17:46 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-08-01 16:15:32 ( .D... ) "C:\Program Files\GSpot"
2006-08-01 12:39:44 ( .D... ) "C:\Program Files\Black Isle"
2006-07-28 22:16:14 ( .D... ) "C:\Documents and Settings\Jon\Application Data\dvdcss"
2006-07-27 09:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-25 22:22:22 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Apple Computer"
2006-07-25 22:21:10 ( .D... ) "C:\Program Files\QuickTime"
2006-07-25 22:20:40 ( .D... ) "C:\Program Files\iTunes"
2006-07-25 22:20:40 ( .D... ) "C:\Program Files\iPod"
2006-07-24 14:52:52 ( .D... ) "C:\Documents and Settings\Jon\Application Data\McAfee"
2006-07-21 04:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-14 21:57:28 ( .D... ) "C:\Program Files\THQ"
2006-07-14 18:14:00 ( .D... ) "C:\Documents and Settings\Jon\Application Data\stickies"
2006-07-14 18:13:54 ( .D... ) "C:\Program Files\stickies"
2006-07-14 11:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 09:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-12 01:09:56 ( .D... ) "C:\Documents and Settings\Jon\Application Data\vlc"
2006-07-11 23:32:54 ( .D... ) "C:\Program Files\VideoLAN"
2006-07-10 15:23:54 ( .D... ) "C:\Program Files\themexp"
2006-07-09 15:06:02 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-07-09 14:56:30 ( .D... ) "C:\Program Files\Ubisoft"
2006-07-06 12:42:32 ( .D... ) "C:\Program Files\Microsoft SQL Server"
2006-07-06 12:40:08 ( .D... ) "C:\Program Files\Microsoft Visual Studio 8"
2006-07-06 11:52:32 ( .D... ) "C:\Program Files\K-Lite"
2006-07-05 06:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
2006-07-04 21:16:14 ( .D... ) "C:\Program Files\Altnet"
2006-07-01 22:00:26 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Kazaa Lite"
2006-06-30 02:06:04 ( .D... ) "C:\Program Files\Swim TEAM MANAGER Lite 4.0"
2006-06-30 02:02:58 ( .D... ) "C:\Program Files\Personal SWIM MANAGER Demo"
2006-06-30 00:03:02 ( .D... ) "C:\Program Files\Swim MEET MANAGER Demo 2.0"
2006-06-29 22:56:42 53248 ( A.... ) "C:\WINDOWS\system32\Process.exe"
2006-06-29 22:49:22 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Registry Cleaner"
2006-06-29 17:15:20 24064 ( A.SH. ) "C:\WINDOWS\system32\gebbxyx.dll"
2006-06-27 14:04:34 27075695 ( A.... ) "C:\Program Files\database.arz"
2006-06-26 13:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 13:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-25 14:08:52 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Sun"
2006-06-22 02:49:40 ( .D... ) "C:\Program Files\Soldier of Fortune II - Double Helix"
2006-06-18 23:12:44 ( .D... ) "C:\Program Files\TGTSoft"
2006-06-16 01:39:18 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-16 01:39:12 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-06-16 01:39:12 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-06-16 01:39:12 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-06-10 19:45:32 767 ( A.... ) "C:\Documents and Settings\Jon\Application Data\AZU29647.tmp"
2006-06-09 20:06:42 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-09 15:27:18 62 ( A.SH. ) "C:\Documents and Settings\Jon\Application Data\desktop.ini"
2006-06-01 18:11:08 109568 ( A.... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-06-01 18:11:08 108544 ( A.... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-06-01 18:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-06-01 18:09:58 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-06-01 18:09:58 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-06-01 18:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-06-01 18:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-06-01 18:09:58 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-06-01 18:09:58 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-06-01 18:09:58 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-06-01 18:09:58 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-06-01 18:07:46 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-06-01 18:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-06-01 18:07:38 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-06-01 18:07:34 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-06-01 18:07:00 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-06-01 18:06:58 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-06-01 18:06:58 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-06-01 18:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-06-01 18:06:34 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-06-01 18:06:34 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-17 16:56 40,973 C:\WINDOWS\system32\nnnkjij.dll
2006-08-15 00:49 349,760 C:\WINDOWS\system32\mcinsctl.dll
2006-08-15 00:35 77,312 C:\WINDOWS\system32\VundoFix.exe
2006-08-14 10:19 53,346 C:\WINDOWS\system32\javaw.exe
2006-08-14 10:19 49,248 C:\WINDOWS\system32\java.exe
2006-08-14 10:19 127,078 C:\WINDOWS\system32\javaws.exe
2006-08-11 23:09 15,360 C:\WINDOWS\system32\BASSMOD.dll
2006-08-11 22:42 356,352 C:\WINDOWS\eSellerateEngine.dll
2006-08-09 20:45 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-08-09 20:41 395,776 C:\WINDOWS\system32\libmplayer.dll
2006-08-09 20:41 34,820 C:\WINDOWS\system32\ffdshow.reg
2006-08-09 20:41 262,144 C:\WINDOWS\system32\TomsMoComp_ff.dll
2006-08-09 20:41 2,255,360 C:\WINDOWS\system32\libavcodec.dll
2006-08-09 20:41 112,640 C:\WINDOWS\system32\libmpeg2_ff.dll
2006-07-16 21:52 73,216 C:\WINDOWS\ST6UNST.EXE
2006-07-16 21:52 249,856 C:\WINDOWS\Setup1.exe
2006-07-09 15:06 98,304 C:\WINDOWS\system32\CmdLineExt.dll
2006-07-09 15:05 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-09 15:05 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-09 15:05 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-07-09 15:05 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-09 15:05 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-09 15:05 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-09 15:05 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-09 15:05 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-09 15:05 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-09 15:05 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-09 15:05 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-07-09 15:05 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-07-09 15:05 14,032 C:\WINDOWS\system32\x3daudio1_0.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nTrayFw"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1149906144\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder

Completion time: Fri 08/18/2006 9:03:08.17
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-15.115506.txt
ComboFix.2006-08-17.164946.txt
ComboFix.2006-08-18.090258.txt



My virus scanner says I still have Vundo; also, I could not find

O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\urqpnkl.dll (file missing)

to delete in HijackThis. Thanks

Edited by Doobla, 18 August 2006 - 08:17 AM.


#12 kairis


  • Members
  • 327 posts
  • Location:Finland

Posted 20 August 2006 - 11:31 AM

Hi Doobla, I apologize for the delay getting to your log...

Let's continue:

Step 1:
Go to Start menu -> Run -> copy the next text into the textbox and press Enter:
"%userprofile%\desktop\combofix.exe" /v nnnkjij

Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

==============
Restart your computer.
==============

Step 2:
Please download Killbox, extract it to your desktop. Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Delete Temp Files
Click Tools -> Delete Temp Files
Place a check mark in all locations that aren't greyed out. By default they should already be checked.
Click Delete Selected Temp Files
Once that completes, select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
(or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\gebbxyx.dll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
Post this log in your next reply.

Step 3:
With all other windows closed, start your HijackThis and Click "Do a System Scan Only"
Click in the check-box to the left of each of the following entries, if found:
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\nnnkjij.dll
O20 - Winlogon Notify: nnnkjij - C:\WINDOWS\SYSTEM32\nnnkjij.dll

Select Fix Checked

Step 4:
In your next reply, please include the following logs: Fresh Hijackthis, Killbox report and combofix.txt. Thanks.

#13 Doobla

  • Topic Starter

  • Members
  • 9 posts

Posted 20 August 2006 - 12:46 PM

All right, all done. Here are the HijackThis, Killbox and ComboFix reports in that order. When I ran Killbox there were not any PendingFileRenameOperations prompts. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:43:58 PM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\hjt.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
----------------------------------------------------------------------------------------------------
Pocket Killbox version 2.0.0.648
Running on Windows XP as Jon(Administrator)
was started @ Sunday, August 20, 2006, 1:24 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\gebbxyx.dll


I Rebooted @ 1:27:49 PM
Killbox Closed(Exit) @ 1:27:53 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Jon(Administrator)
was started @ Sunday, August 20, 2006, 1:45 PM

----------------------------------------------------------------------------------------------------
Jon - 06-08-20 13:14:55.78
ComboFix 06.08.18 - Running from: C:\Documents and Settings\Jon\desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\nnnkjij.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\Program Files\Common Files\{2862BC45-07D9-1033-0518-040511040001}


((((((((((((((((((((((((((((((( Files Created from 2006-07-20 to 2006-08-20 ))))))))))))))))))))))))))))))))))


2006-08-19 12:42 74,281 C:\WINDOWS\system32\awtsp.dll
2006-08-19 12:26 74,281 C:\WINDOWS\system32\pmnlj.dll
2006-08-19 10:49 74,281 C:\WINDOWS\system32\awvvu.dll
2006-08-15 00:49 349,760 C:\WINDOWS\system32\mcinsctl.dll
2006-08-15 00:35 77,312 C:\WINDOWS\system32\VundoFix.exe
2006-08-11 23:09 15,360 C:\WINDOWS\system32\BASSMOD.dll
2006-08-11 22:42 356,352 C:\WINDOWS\eSellerateEngine.dll
2006-08-09 20:45 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-08-09 20:41 395,776 C:\WINDOWS\system32\libmplayer.dll
2006-08-09 20:41 34,820 C:\WINDOWS\system32\ffdshow.reg
2006-08-09 20:41 262,144 C:\WINDOWS\system32\TomsMoComp_ff.dll
2006-08-09 20:41 2,255,360 C:\WINDOWS\system32\libavcodec.dll
2006-08-09 20:41 112,640 C:\WINDOWS\system32\libmpeg2_ff.dll
2006-08-04 15:29 526,174 C:\WINDOWS\system32\egjlm.bak2
2006-07-30 03:19 522,394 C:\WINDOWS\system32\egjlm.bak1


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-20 13:16 -------- d-------- C:\Program Files\Common Files
2006-08-20 13:00 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-20 11:42 -------- d-------- C:\Documents and Settings\Jon\Application Data\Azureus
2006-08-19 12:42 74281 --a------ C:\WINDOWS\system32\awtsp.dll
2006-08-19 12:26 74281 --a------ C:\WINDOWS\system32\pmnlj.dll
2006-08-19 10:49 74281 --a------ C:\WINDOWS\system32\awvvu.dll
2006-08-18 17:37 -------- d-------- C:\Program Files\stickies
2006-08-15 17:33 77312 --a------ C:\WINDOWS\system32\VundoFix.exe
2006-08-15 10:22 -------- d-------- C:\Program Files\Xilisoft
2006-08-15 01:02 -------- d-------- C:\Program Files\Internet Explorer
2006-08-14 23:55 -------- d-------- C:\Program Files\ImTOO
2006-08-14 10:26 -------- d-------- C:\Program Files\Azureus
2006-08-14 10:19 -------- d-------- C:\Program Files\Java
2006-08-13 20:12 -------- d---s---- C:\Documents and Settings\Jon\Application Data\Microsoft
2006-08-13 20:12 -------- d-------- C:\Program Files\Swim TEAM MANAGER Lite 4.0
2006-08-13 20:06 -------- d-------- C:\Program Files\AOL
2006-08-12 14:46 -------- d-------- C:\Program Files\WinXMedia
2006-08-12 10:16 -------- d-------- C:\Program Files\iTunes
2006-08-11 23:52 -------- d-------- C:\Documents and Settings\Jon\Application Data\Apple Computer
2006-08-11 23:26 -------- d-------- C:\Program Files\Cucusoft
2006-08-11 23:10 15360 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-08-11 22:42 356352 --a------ C:\WINDOWS\eSellerateEngine.dll
2006-08-11 22:39 -------- d-------- C:\Program Files\MOV to AVI MPEG WMV Converter
2006-08-11 16:09 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-10 16:18 -------- d-------- C:\Documents and Settings\Jon\Application Data\McAfee.com Personal Firewall
2006-08-09 21:06 -------- d-------- C:\Program Files\iPod
2006-08-09 16:51 526174 --ahs---- C:\WINDOWS\system32\egjlm.bak2
2006-08-08 16:51 522394 --ahs---- C:\WINDOWS\system32\egjlm.bak1
2006-08-02 21:39 -------- d-------- C:\Program Files\Winamp
2006-08-01 17:17 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-08-01 17:17 249856 --------- C:\WINDOWS\Setup1.exe
2006-08-01 16:23 -------- d-------- C:\Program Files\Soldier of Fortune II - Double Helix
2006-08-01 16:22 -------- d-------- C:\Program Files\K-Lite
2006-08-01 16:15 -------- d-------- C:\Program Files\GSpot
2006-08-01 12:39 -------- d-------- C:\Program Files\Black Isle
2006-07-28 22:17 -------- d-------- C:\Documents and Settings\Jon\Application Data\dvdcss
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-25 22:21 -------- d-------- C:\Program Files\QuickTime
2006-07-24 14:52 -------- d-------- C:\Documents and Settings\Jon\Application Data\McAfee
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-14 21:57 -------- d-------- C:\Program Files\THQ
2006-07-14 19:14 -------- d-------- C:\Documents and Settings\Jon\Application Data\stickies
2006-07-13 16:58 -------- d-------- C:\Program Files\Sony
2006-07-12 01:09 -------- d-------- C:\Documents and Settings\Jon\Application Data\vlc
2006-07-11 23:32 -------- d-------- C:\Program Files\VideoLAN
2006-07-10 15:23 -------- d-------- C:\Program Files\themexp
2006-07-09 15:06 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-07-09 14:56 -------- d-------- C:\Program Files\Ubisoft
2006-07-06 12:44 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-07-06 12:43 -------- d-------- C:\Program Files\Microsoft.NET
2006-07-06 12:43 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-06 12:40 -------- d-------- C:\Program Files\Microsoft Visual Studio 8
2006-07-06 11:53 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-07-04 21:16 -------- d-------- C:\Program Files\Altnet
2006-07-01 22:00 -------- d-------- C:\Documents and Settings\Jon\Application Data\Kazaa Lite
2006-06-30 02:13 -------- d-------- C:\Program Files\Personal SWIM MANAGER Demo
2006-06-30 02:09 -------- d-------- C:\Program Files\Swim MEET MANAGER Demo 2.0
2006-06-29 22:56 53248 --a------ C:\WINDOWS\system32\Process.exe
2006-06-29 22:49 -------- d-------- C:\Documents and Settings\Jon\Application Data\Registry Cleaner
2006-06-29 17:15 24064 --ahs---- C:\WINDOWS\system32\gebbxyx.dll
2006-06-27 14:04 27075695 --a------ C:\Program Files\database.arz
2006-06-25 14:08 -------- d-------- C:\Documents and Settings\Jon\Application Data\Sun
2006-06-23 21:31 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-06-10 19:45 767 --a------ C:\Documents and Settings\Jon\Application Data\AZU29647.tmp
2006-06-09 20:06 0 -rahs---- C:\MSDOS.SYS
2006-06-09 20:06 0 -rahs---- C:\IO.SYS
2006-06-09 20:06 0 --a------ C:\CONFIG.SYS
2006-06-09 20:06 0 --a------ C:\AUTOEXEC.BAT
2006-06-09 15:27 62 --ahs---- C:\Documents and Settings\Jon\Application Data\desktop.ini
2006-06-01 18:11 109568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2006-06-01 18:11 108544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2006-06-01 18:10 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-06-01 18:09 90112 --a------ C:\WINDOWS\system32\dpl100.dll
2006-06-01 18:09 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-06-01 18:09 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-06-01 18:09 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-06-01 18:09 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-06-01 18:09 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-06-01 18:09 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-06-01 18:09 200704 --a------ C:\WINDOWS\system32\dtu100.dll
2006-06-01 18:07 536576 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-06-01 18:07 245408 --a------ C:\WINDOWS\system32\unicows.dll
2006-06-01 18:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-06-01 18:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-06-01 18:06 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-06-01 18:06 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-06-01 18:06 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-06-01 18:06 619156 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-01 18:06 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-06-01 18:06 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1149906144\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""



Completion time: Sun 08/20/2006 13:21:01.71
ComboFix.txt
ComboFix2.txt

#14 kairis


  • Members
  • 327 posts
  • Location:Finland

Posted 21 August 2006 - 04:17 AM

Hi Doobla.
Unfortunately, you still have a Vundo infection. Don't worry, let's fix them.

Step 1:
Go to Start menu -> Run -> copy the next text into the textbox and press Enter:
"%userprofile%\desktop\combofix.exe" /v egjlm awvvu pmnlj
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

Step 2:
1. Reboot Your System in Safe Mode
How to use the F8 method to Start Your Computer in Safe Mode
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe mode menu item
Press Enter.
2. Using Windows Explorer (Windows Key + E), locate the following files/folders, and DELETE them (if still present):
C:\WINDOWS\system32\gebbxyx.dll<==File
C:\WINDOWS\system32\awvvu.dll<==File
C:\WINDOWS\system32\pmnlj.dll<==File
C:\WINDOWS\system32\egjlm<==You will have to do a Search for this one using Windows Search Function
3. Exit Explorer, and REBOOT BACK INTO NORMAL MODE
4. Finally, RUN Hijackthis again and produce a new HJT log.
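The signals kairis works from in the posts above (random-named system32 DLLs of identical size, hidden/system files such as egjlm.bak1/.bak2, nameless O2 BHO and O20 Winlogon Notify hooks pointing at the same DLL) can be checked mechanically over a pasted HijackThis or ComboFix log. The Python script below is an added example, not code from the thread, HijackThis or ComboFix; its sample lines are constructed in the shape of the logs above, and `looks_random` with its score weights is a heuristic of my own, not a published Vundo signature.

```python
"""Triage helper for HijackThis / ComboFix style log lines (added example for
this thread, not part of BleepingComputer, HijackThis or ComboFix). It scores
files on the Vundo-style signals the helper was hunting: short random names,
identical sizes, hidden/system attributes, nameless BHO / Winlogon hooks."""
import re
from collections import defaultdict

# Constructed sample lines, shaped like the logs posted in the thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\nnnkjij.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O20 - Winlogon Notify: nnnkjij - C:\WINDOWS\SYSTEM32\nnnkjij.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""
SAMPLE_COMBOFIX = r"""
2006-08-19 12:42 74,281 C:\WINDOWS\system32\awtsp.dll
2006-08-19 12:26 74,281 C:\WINDOWS\system32\pmnlj.dll
2006-08-19 10:49 74,281 C:\WINDOWS\system32\awvvu.dll
2006-08-09 16:51 526174 --ahs---- C:\WINDOWS\system32\egjlm.bak2
2006-06-29 17:15 24064 --ahs---- C:\WINDOWS\system32\gebbxyx.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-06-01 18:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-06-09 20:06 0 -rahs---- C:\MSDOS.SYS
2006-08-20 13:16 -------- d-------- C:\Program Files\Common Files
"""

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}$")
ATTR_RE = re.compile(r"([-drahs]{9})\s+(.+)$")        # ComboFix attribute column
HJT_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")      # "O2 - BHO: ..." style lines
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|ocx)', re.I)


def looks_random(stem):
    """5-8 lower-case letters with almost no vowels or a run of three or more
    consonants (awtsp, pmnlj, nnnkjij). Weak on its own, so it scores only 1."""
    if not (5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 3


def parse_hjt(text):
    """Yield (section, label, detail, path) for HJT lines that carry a file path."""
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            paths = PATH_RE.findall(m.group(3))
            if paths:
                yield m.group(1), m.group(2), m.group(3), paths[-1]


def parse_combofix(text):
    """Yield (path, size_or_None, attrs) for 'Files Created' and Find3M lines;
    the attribute column is optional and directory rows carry no size."""
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=3)
        if len(parts) < 4 or not DATE_RE.match(parts[0]):
            continue
        size_txt, rest, attrs = parts[2].replace(",", ""), parts[3], ""
        m = ATTR_RE.match(rest)
        if m:
            attrs, rest = m.groups()
        yield rest.strip(), (int(size_txt) if size_txt.isdigit() else None), attrs


def triage(hjt_text, combofix_text, threshold=2):
    """Return {file name: (score, reasons)} for every file scoring >= threshold."""
    hits = defaultdict(dict)  # lower-case file name -> {reason: weight}

    def stem(path):
        return path.rsplit("\\", 1)[-1].partition(".")[0]

    def note(path, reason=None, weight=1):
        name = path.rsplit("\\", 1)[-1]
        if looks_random(stem(path)):  # original case: upper-case MSDOS.SYS stays out
            hits[name.lower()]["random-looking name"] = 1
        if reason:
            hits[name.lower()][reason] = weight

    files = [f for f in parse_combofix(combofix_text) if not f[2].startswith("d")]
    by_size = defaultdict(list)  # identical sizes among random-named files only
    for path, size, _ in files:
        if size and looks_random(stem(path)):
            by_size[size].append(path)
    for path, size, attrs in files:
        note(path)
        if path in by_size.get(size, ()) and len(by_size[size]) > 1:
            note(path, "same size as %d other random-named file(s)" % (len(by_size[size]) - 1))
        if "h" in attrs and "s" in attrs:
            note(path, "hidden+system attributes")
    for section, label, detail, path in parse_hjt(hjt_text):
        note(path)
        if section == "O2" and detail.startswith("(no name)"):
            note(path, "nameless BHO (O2) hook", 2)
        if section == "O20" and label == "Winlogon Notify":
            note(path, "Winlogon Notify (O20) hook", 2)

    result = {}
    for name, reasons in hits.items():
        score = sum(reasons.values())
        if score >= threshold:
            result[name] = (score, sorted(reasons))
    return result
```

Calling `triage(SAMPLE_HJT, SAMPLE_COMBOFIX)` flags the six Vundo-pattern files and nothing else; a name-only hit such as ssldivx.dll stays below the threshold, which is why a single weak signal should never drive a deletion on its own.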

#15 Doobla

  • Topic Starter

  • Members
  • 9 posts

Posted 21 August 2006 - 11:27 AM

I could not find any of those files. I used search and looked through the files. Here are my other logs. I don't know what to do.

Jon - 06-08-21 11:51:31.17
ComboFix 06.08.18 - Running from: C:\Documents and Settings\Jon\desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\pmnlj.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2006-07-21 to 2006-08-21 ))))))))))))))))))))))))))))))))))


2006-08-19 12:42 74,281 C:\WINDOWS\system32\awtsp.dll
2006-08-15 00:49 349,760 C:\WINDOWS\system32\mcinsctl.dll
2006-08-15 00:35 77,312 C:\WINDOWS\system32\VundoFix.exe
2006-08-11 23:09 15,360 C:\WINDOWS\system32\BASSMOD.dll
2006-08-11 22:42 356,352 C:\WINDOWS\eSellerateEngine.dll
2006-08-09 20:45 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-08-09 20:41 395,776 C:\WINDOWS\system32\libmplayer.dll
2006-08-09 20:41 34,820 C:\WINDOWS\system32\ffdshow.reg
2006-08-09 20:41 262,144 C:\WINDOWS\system32\TomsMoComp_ff.dll
2006-08-09 20:41 2,255,360 C:\WINDOWS\system32\libavcodec.dll
2006-08-09 20:41 112,640 C:\WINDOWS\system32\libmpeg2_ff.dll
2006-08-04 15:29 526,174 C:\WINDOWS\system32\egjlm.bak2
2006-07-30 03:19 522,394 C:\WINDOWS\system32\egjlm.bak1


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-21 11:50 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-20 13:16 -------- d-------- C:\Program Files\Common Files
2006-08-20 11:42 -------- d-------- C:\Documents and Settings\Jon\Application Data\Azureus
2006-08-19 12:42 74281 --a------ C:\WINDOWS\system32\awtsp.dll
2006-08-18 17:37 -------- d-------- C:\Program Files\stickies
2006-08-15 17:33 77312 --a------ C:\WINDOWS\system32\VundoFix.exe
2006-08-15 10:22 -------- d-------- C:\Program Files\Xilisoft
2006-08-15 01:02 -------- d-------- C:\Program Files\Internet Explorer
2006-08-14 23:55 -------- d-------- C:\Program Files\ImTOO
2006-08-14 10:26 -------- d-------- C:\Program Files\Azureus
2006-08-14 10:19 -------- d-------- C:\Program Files\Java
2006-08-13 20:12 -------- d---s---- C:\Documents and Settings\Jon\Application Data\Microsoft
2006-08-13 20:12 -------- d-------- C:\Program Files\Swim TEAM MANAGER Lite 4.0
2006-08-13 20:06 -------- d-------- C:\Program Files\AOL
2006-08-12 14:46 -------- d-------- C:\Program Files\WinXMedia
2006-08-12 10:16 -------- d-------- C:\Program Files\iTunes
2006-08-11 23:52 -------- d-------- C:\Documents and Settings\Jon\Application Data\Apple Computer
2006-08-11 23:26 -------- d-------- C:\Program Files\Cucusoft
2006-08-11 23:10 15360 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-08-11 22:42 356352 --a------ C:\WINDOWS\eSellerateEngine.dll
2006-08-11 22:39 -------- d-------- C:\Program Files\MOV to AVI MPEG WMV Converter
2006-08-11 16:09 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-10 16:18 -------- d-------- C:\Documents and Settings\Jon\Application Data\McAfee.com Personal Firewall
2006-08-09 21:06 -------- d-------- C:\Program Files\iPod
2006-08-09 16:51 526174 --ahs---- C:\WINDOWS\system32\egjlm.bak2
2006-08-08 16:51 522394 --ahs---- C:\WINDOWS\system32\egjlm.bak1
2006-08-02 21:39 -------- d-------- C:\Program Files\Winamp
2006-08-01 17:17 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-08-01 17:17 249856 --------- C:\WINDOWS\Setup1.exe
2006-08-01 16:23 -------- d-------- C:\Program Files\Soldier of Fortune II - Double Helix
2006-08-01 16:22 -------- d-------- C:\Program Files\K-Lite
2006-08-01 16:15 -------- d-------- C:\Program Files\GSpot
2006-08-01 12:39 -------- d-------- C:\Program Files\Black Isle
2006-07-28 22:17 -------- d-------- C:\Documents and Settings\Jon\Application Data\dvdcss
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-25 22:21 -------- d-------- C:\Program Files\QuickTime
2006-07-24 14:52 -------- d-------- C:\Documents and Settings\Jon\Application Data\McAfee
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-14 21:57 -------- d-------- C:\Program Files\THQ
2006-07-14 19:14 -------- d-------- C:\Documents and Settings\Jon\Application Data\stickies
2006-07-13 16:58 -------- d-------- C:\Program Files\Sony
2006-07-12 01:09 -------- d-------- C:\Documents and Settings\Jon\Application Data\vlc
2006-07-11 23:32 -------- d-------- C:\Program Files\VideoLAN
2006-07-10 15:23 -------- d-------- C:\Program Files\themexp
2006-07-09 15:06 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-07-09 14:56 -------- d-------- C:\Program Files\Ubisoft
2006-07-06 12:44 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-07-06 12:43 -------- d-------- C:\Program Files\Microsoft.NET
2006-07-06 12:43 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-06 12:40 -------- d-------- C:\Program Files\Microsoft Visual Studio 8
2006-07-06 11:53 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-07-04 21:16 -------- d-------- C:\Program Files\Altnet
2006-07-01 22:00 -------- d-------- C:\Documents and Settings\Jon\Application Data\Kazaa Lite
2006-06-30 02:13 -------- d-------- C:\Program Files\Personal SWIM MANAGER Demo
2006-06-30 02:09 -------- d-------- C:\Program Files\Swim MEET MANAGER Demo 2.0
2006-06-29 22:56 53248 --a------ C:\WINDOWS\system32\Process.exe
2006-06-29 22:49 -------- d-------- C:\Documents and Settings\Jon\Application Data\Registry Cleaner
2006-06-27 14:04 27075695 --a------ C:\Program Files\database.arz
2006-06-25 14:08 -------- d-------- C:\Documents and Settings\Jon\Application Data\Sun
2006-06-23 21:31 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-06-10 19:45 767 --a------ C:\Documents and Settings\Jon\Application Data\AZU29647.tmp
2006-06-09 20:06 0 -rahs---- C:\MSDOS.SYS
2006-06-09 20:06 0 -rahs---- C:\IO.SYS
2006-06-09 20:06 0 --a------ C:\CONFIG.SYS
2006-06-09 20:06 0 --a------ C:\AUTOEXEC.BAT
2006-06-09 15:27 62 --ahs---- C:\Documents and Settings\Jon\Application Data\desktop.ini
2006-06-01 18:11 109568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2006-06-01 18:11 108544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2006-06-01 18:10 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-06-01 18:09 90112 --a------ C:\WINDOWS\system32\dpl100.dll
2006-06-01 18:09 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-06-01 18:09 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-06-01 18:09 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-06-01 18:09 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-06-01 18:09 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-06-01 18:09 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-06-01 18:09 200704 --a------ C:\WINDOWS\system32\dtu100.dll
2006-06-01 18:07 536576 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-06-01 18:07 245408 --a------ C:\WINDOWS\system32\unicows.dll
2006-06-01 18:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-06-01 18:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-06-01 18:06 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-06-01 18:06 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-06-01 18:06 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-06-01 18:06 619156 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-01 18:06 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-06-01 18:06 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1149906144\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""



Completion time: Mon 08/21/2006 11:54:13.40
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
--------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:26:38 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\iTunes\iTunes.exe
c:\program files\common files\aol\1149906144\ee\aim6.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\HJT\hjt.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149906144\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe



