
Darksma/vundo


47 replies to this topic

#1 lisa33

  • Members
  • 42 posts

Posted 14 June 2007 - 03:07 PM

Edit1 by Papakid: Split from this topic: http://www.bleepingcomputer.com/forums/t/95536/darksma/

Papakid, thank you for your help. I sent you a reply by email. I am at work and I will try what you posted. Vundo does not allow me to stay on the Internet long before it opens 10 pages and locks up, but I will try tonight when I get home.

Again thank you

P.S. I called my friend and no, the XP I have is not legal.

Edit2 by Papakid: I'm adding the log that was sent via PM to your post. I can't start a new topic in the logs forum for you because of some modifications we have made to the forum software. I will split this post to make it a new topic in the Logs forum, this way you will be the Original Poster and the modifications won't be a problem. I know this may be confusing, so I will answer this log as soon as I can.
--------------------------------------------------
I ran a tool for Vundo and it said I did not have it, so I'm not sure and right now very frustrated. I can't seem to get my virus scanners to run, and I still can't post my log on Hijacklog; it shuts down. I ran a new log, so if you could post it for me I would greatly appreciate it. I have McAfee security on my PC but now it seems to have an issue. I can read on the forums and, as you can see, get into my mail. Thank you for all your help.

Logfile of HijackThis v1.99.1
Scan saved at 9:20:19 PM, on 6/14/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\fxssvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINNT\System32\msdn_lib.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7ee521f8-b2fd-4b14-beea-46fc71316561} - C:\WINNT\system32\msrOCN.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINNT\System32\tmp1AB.tmp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/29afb2ccca41d5...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161133908387
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161217377436
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs: c:\winnt\system32\byvspmm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: clusec6 - clusec6.dll (file missing)
O20 - Winlogon Notify: msrOCN - C:\WINNT\SYSTEM32\msrOCN.dll
O20 - Winlogon Notify: setsrv - setsrv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

Edited by Papakid, 14 June 2007 - 11:03 PM.




#2 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,637 posts

Posted 15 June 2007 - 01:07 AM

OK, as far as your system being illegal, as I partly explained in the email, you have to have a legal version in order to get updates to patch your system. This pretty much started with XP to prevent piracy. Malware purveyors have gotten very efficient at exploiting security holes in your Operating System, so as long as your system remains illegal it remains unpatched and you will continue to have severe infections and problems. And it doesn't really matter how well protected you are with security programs like McAfee--those programs don't patch holes that let the malware in.

And to get legal, yes, you need to buy your own copy of XP. You are legally allowed one installation of XP on one machine. When your friend shared their copy they violated their agreement and could lose their right to use XP if caught.

I'll help you in an attempt to remove the infection. This could be useless as unpatched machines tend to get reinfected so quickly that we may never get finished. But help is on the condition that you will make a sincere attempt to get legal. You can get some fairly good deals on XP CDs and I will help with that also. But another thing to consider is the age of the machine you're using. I notice you have Windows installed in the folder that usually is for Windows 2000, so probably you upgraded to XP? It may be time to look for another computer, especially if you have any intention of upgrading to Vista--each new OS requires more computing power to keep up with technological changes.

OK, now to the fix. Please follow these instructions exactly and in the order given.

Scan again with HijackThis and put a checkmark next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINNT\System32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {7ee521f8-b2fd-4b14-beea-46fc71316561} - C:\WINNT\system32\msrOCN.dll
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINNT\System32\tmp1AB.tmp.dll
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/29afb2ccca41d5...ip/RdxIE601.cab
O20 - AppInit_DLLs: c:\winnt\system32\byvspmm.dll
O20 - Winlogon Notify: clusec6 - clusec6.dll (file missing)
O20 - Winlogon Notify: msrOCN - C:\WINNT\SYSTEM32\msrOCN.dll
O20 - Winlogon Notify: setsrv - setsrv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


Close all other windows--you should only see HijackThis on your Desktop and Taskbar--and then click the "Fix checked" button.

Please download Combofix to your desktop.

Doubleclick ComboFix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done.

Post this log in your next reply.


Please download ATF Cleaner by Atribune.

Reboot your computer into Safe Mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot normally.

Click here to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to Press any key to continue.
Press a key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically be saved to your desktop or whatever location you ran the file from.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Then scan again with HijackThis and post a new log.

So in your next reply, post logs from the following in this order:

1. combofix.txt
2. AWF.txt
3. HijackThis

Any problems let me know, but it is important that you post those logs. There will be more to do.

The thing about people

is they change

when they walk away.--Mipso


#3 lisa33
  • Topic Starter

  • Members
  • 42 posts

Posted 15 June 2007 - 08:05 AM

I will do this tonight and any help getting a legal copy of XP is appreciated as I will not be able to purchase another PC for a few months and not sure where to get a legal copy.

Thank you

#4 lisa33
  • Topic Starter

  • Members
  • 42 posts

Posted 16 June 2007 - 03:04 PM

OK, I had to change to Firefox to get back here. Here is ComboFix:

2006-11-29 07:48	  0	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Marcus\APPLIC~1\Install.dat.vir
2007-06-08 13:35	  12930	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\nnlihif.dll.vir
2007-06-10 13:19	  47899	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\hggfg.exe.vir
2007-06-10 15:22	  47899	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\awtsp.exe.vir
2007-06-10 18:38	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp12.tmp.dll.vir
2007-06-10 22:26	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp72E.tmp.exe.vir
2007-06-10 22:26	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp72D.tmp.dll.vir
2007-06-10 22:38	  25856	--a------	C:\Qoobox\Quarantine\C\WINNT\764.exe.vir
2007-06-10 22:56	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp737.tmp.exe.vir
2007-06-11 18:27	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1.tmp.dll.vir
2007-06-11 18:28	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp2.tmp.exe.vir
2007-06-12 14:28	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp8F.tmp.dll.vir
2007-06-12 14:28	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp90.tmp.dll.vir
2007-06-12 21:17	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp17.tmp.exe.vir
2007-06-12 21:17	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1C.tmp.dll.vir
2007-06-12 21:25	  47899	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\urqon.exe.vir
2007-06-12 21:42	  47899	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\wvuus.exe.vir
2007-06-12 21:43	  37437	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\msrOCN.dll.vir
2007-06-12 22:04	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp19.tmp.exe.vir
2007-06-12 22:11	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp3B.tmp.dll.vir
2007-06-12 23:08	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp1B.tmp.exe.vir
2007-06-12 23:10	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1D.tmp.dll.vir
2007-06-12 23:25	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp23.tmp.exe.vir
2007-06-12 23:26	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp26.tmp.dll.vir
2007-06-13 22:02	  252130	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp1A3.tmp.exe.vir
2007-06-13 22:04	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1A4.tmp.dll.vir
2007-06-13 22:14	  252130	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp1AA.tmp.exe.vir
2007-06-13 22:17	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1AB.tmp.dll.vir
2007-06-14 21:45	  252130	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp95.tmp.exe.vir
2007-06-14 22:01	  60771	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp9A.tmp.exe.vir


Folder PATH listing
Volume serial number is 71FAE346 07D2:0118
C:\QOOBOX
\---Quarantine
	+---Registry_backups
	\---C
		+---DOCUME~1
		|   +---Lisa
		|   |   \---APPLIC~1
		|   |		   tmp72E.tmp.exe.vir
		|   |		   tmp737.tmp.exe.vir
		|   |		   tmp2.tmp.exe.vir
		|   |		   tmp1B.tmp.exe.vir
		|   |		   tmp17.tmp.exe.vir
		|   |		   tmp19.tmp.exe.vir
		|   |		   tmp23.tmp.exe.vir
		|   |		   tmp1A3.tmp.exe.vir
		|   |		   tmp1AA.tmp.exe.vir
		|   |		   tmp95.tmp.exe.vir
		|   |		   tmp9A.tmp.exe.vir
		|   |		   
		|   \---Marcus
		|	   \---APPLIC~1
		|			   Install.dat.vir
		|			   
		\---WINNT
			|   764.exe.vir
			|   
			\---SYSTEM32
					tmp90.tmp.dll.vir
					tmp12.tmp.dll.vir
					tmp72D.tmp.dll.vir
					tmp1.tmp.dll.vir
					tmp1C.tmp.dll.vir
					tmp8F.tmp.dll.vir
					tmp3B.tmp.dll.vir
					tmp1D.tmp.dll.vir
					tmp26.tmp.dll.vir
					tmp1A4.tmp.dll.vir
					tmp1AB.tmp.dll.vir
					nnlihif.dll.vir
					hggfg.exe.vir
					awtsp.exe.vir
					urqon.exe.vir
					wvuus.exe.vir
					msrOCN.dll.vir


#5 lisa33
  • Topic Starter

  • Members
  • 42 posts

Posted 16 June 2007 - 03:08 PM

Here is AWF
Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\BAK

0 File(s) 0 bytes

Directory of C:\WINNT\SYSTEM32\BAK

2001-10-29 19:18 13,312 ctfmon.exe
1 File(s) 13,312 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\EFAXME~1.2\BAK

2006-07-14 15:36 107,008 J2GDllCmd.exe
1 File(s) 107,008 bytes

Directory of C:\PROGRA~1\NETROPA\MULTIM~1\BAK

2000-09-21 14:34 126,976 MMKeybd.exe
1 File(s) 126,976 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

2007-03-07 10:58 1,773,568 tgcmd.exe
1 File(s) 1,773,568 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

2006-09-13 14:17 4,621,816 YAHOOM~1.EXE
1 File(s) 4,621,816 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

2007-04-29 17:21 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

2005-06-06 23:46 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\DOCUME~1\MARCUS\APPLIC~1\MYSPACE\IM\BIN\BAK

2006-11-16 16:42 1,327,104 MySpaceIM.exe
1 File(s) 1,327,104 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

13312 Oct 29 2001 "C:\WINNT\SYSTEM32\ctfmon.exe"
13312 Oct 29 2001 "C:\WINNT\SYSTEM32\bak\ctfmon.exe"
107008 Jul 14 2006 "C:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe"
126976 Sep 21 2000 "C:\Program Files\Netropa\Multimedia Keyboard\bak\MMKeybd.exe"
1773568 Mar 7 2007 "C:\Program Files\support.com\bin\bak\tgcmd.exe"
4621816 Sep 13 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
185896 Apr 29 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
1327104 Nov 16 2006 "C:\Documents and Settings\Marcus\Application Data\MySpace\IM\bin\bak\MySpaceIM.exe"


end of report

Here is Hijack


Logfile of HijackThis v1.99.1
Scan saved at 15:15, on 2007-06-16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\Lisa\Application Data\tmp10.tmp.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\WINNT\system32\notepad.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {62000082-fe21-4428-a508-84d9d3886bc7} - C:\WINNT\system32\bootISE.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINNT\System32\tmp20.tmp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161133908387
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161217377436
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs: c:\winnt\system32\byvspmm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: bootISE - C:\WINNT\SYSTEM32\bootISE.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\Documents and Settings\Lisa\Application Data\tmp10.tmp.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
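The FindAWF report in the post above lists "bak" folders and, separately, files elsewhere on disk that duplicate their contents. The script below is an added example, not FindAWF's code and not the fix batch file from this thread; it reproduces the check on a constructed directory tree. The reading of the pattern is taken from the thread and is stated here as an assumption: the AWF downloader parks a legitimate auto-start executable in a "bak" subfolder and leaves its own binary under the original name, so every load point that referenced the original now runs the impostor. For each file found in a "bak" folder the script compares it with the same-named file one level up: identical content means the original is back in place (the report's "Duplicate files" section, which is what ctfmon.exe shows), differing content means a foreign binary sits at the load path, and no sibling at all means the impostor has been removed but the original never put back. build_sample() creates a tree shaped like three entries of the report, with reduced sizes and dummy bytes.

```python
"""Detect the AWF "bak" pattern the FindAWF report above describes.

Added example; not FindAWF's code and not the thread's fix4.bat. The verdict
names and the sample tree are constructed for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Streaming SHA-256 of a file, so large originals are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_awf(root: Path) -> list[tuple[str, str]]:
    """Return (verdict, load-path file) for every file found inside a bak folder."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak = Path(dirpath)
        if bak.name.lower() != "bak":
            continue
        for name in filenames:
            backup, live = bak / name, bak.parent / name
            if not live.is_file():
                # Original was moved out; nothing (any more) at the load path.
                verdict = "moved-no-replacement"
            elif (live.stat().st_size == backup.stat().st_size
                  and _sha256(live) == _sha256(backup)):
                # Byte-identical copies: the original is back where it belongs.
                verdict = "duplicate-original-restored"
            else:
                # Something else answers to the original's name at the load path.
                verdict = "replaced-impostor-at-load-path"
            results.append((verdict, str(live)))
    return sorted(results, key=lambda r: r[1])


def build_sample() -> Path:
    """Constructed tree mirroring three entries of the FindAWF report (dummy bytes)."""
    root = Path(tempfile.mkdtemp(prefix="awf-"))

    def put(rel: str, size: int, fill: int) -> None:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(bytes([fill]) * size)

    # ctfmon.exe: bak copy and live copy identical, as the report's duplicate line shows.
    put("WINNT/SYSTEM32/bak/ctfmon.exe", 13312, 0x4D)
    put("WINNT/SYSTEM32/ctfmon.exe", 13312, 0x4D)
    # Yahoo Messenger: original parked in bak, a smaller foreign binary at the load path.
    put("Program Files/Yahoo!/Messenger/bak/YAHOOM~1.EXE", 4096, 0x4D)
    put("Program Files/Yahoo!/Messenger/YAHOOM~1.EXE", 1024, 0x90)
    # realsched.exe: original parked in bak, nothing left at the load path.
    put("Program Files/Common Files/Real/Update_OB/bak/realsched.exe", 2048, 0x4D)
    return root


def demo() -> dict[str, str]:
    """Build the sample tree, scan it, remove it, and return {file name: verdict}."""
    root = build_sample()
    try:
        return {Path(live).name: verdict for verdict, live in find_awf(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:32s} {name}")
```

The size check runs first only as a cheap shortcut; the hash is what decides, since an impostor padded to the original's size would otherwise pass. Remediation (moving each bak copy back over the impostor) is deliberately left out: on a live machine that step should only run after the impostor has been captured for analysis, which is what the file-packer request later in the thread is for.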

#6 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,637 posts

Posted 16 June 2007 - 11:09 PM

Hi Lisa,

That's not a normal ComboFix log. Are you sure that is combofix.txt? Did you run CF more than once, or possibly you ran it before posting your log when you were trying to fix this on your own? It may be that CF isn't working correctly on your system, but please confirm if you have done something besides what I've asked you to do. I know you are frustrated but please continue to be patient and take this in stages. If you have done something else at least let me know what--you mentioned before running a tool to remove Vundo, maybe Symantec's (not surprised if that was it) but I need to know which tool. It is better to only do what I ask and follow instructions exactly--for malware like this that is difficult to remove it gives me a better idea of what works and what doesn't.

You've got a mixture of malware--not just Vundo. The HJT log is looking better but still has a ways to go. Print out these instructions or save them to Notepad or your text editor of choice, since you won't have access to them when in safe mode.

OK, first let's fix your AWF infection. Click to download the attached file fix4.bat (2.13 KB) and save it to your desktop. Double-click to run it and when it is complete, run FindAWF.exe again and post its log.

I also want to get a look at some of your files before we delete them, so please do the following:

Download this program:

Submit Files Packer

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Reboot your computer into Safe Mode.

Highlight the files listed below in bold and right-click and select Copy.

C:\WINNT\system32\bootISE.dll
c:\winnt\system32\byvspmm.dll
C:\Documents and Settings\Lisa\Application Data\tmp10.tmp.exe
C:\WINNT\System32\tmp20.tmp.dll


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to lisa33.cab.

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply.
While in normal mode go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to the lisa33.cab file on your desktop. Click on the Send File button.

I'm afraid you've been tricked into installing SpywareBot when you thought you were getting Spybot Search & Destroy. While SpywareBot is not malware in itself, it engages in deceptive practices such as manipulating Google and is on the list of Rogue/Suspect Anti-Spyware Products & Web Sites.

Please UNINSTALL the following programs through the ADD/REMOVE feature of your Control Panel:

SpywareBot

Download KillBox from here:

KillBox

Save the file to your desktop.

Boot back into Safe Mode.

Scan again with HijackThis and put a check next to the following--do not be concerned if some entries do not exist, as they may have been fixed already by SDFix--but let me know what is and isn't there:

O2 - BHO: (no name) - {62000082-fe21-4428-a508-84d9d3886bc7} - C:\WINNT\system32\bootISE.dll
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINNT\System32\tmp20.tmp.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O20 - AppInit_DLLs: c:\winnt\system32\byvspmm.dll
O20 - Winlogon Notify: bootISE - C:\WINNT\SYSTEM32\bootISE.dll


Click the FixChecked button.

Go to START>Run then copy the following bold text and paste into the text field and hit Enter:

sc stop "DomainService -"

Repeat the same steps for the following:

sc delete "DomainService -"

Using My Computer/Windows Explorer, delete the following folders:

C:\Program Files\SpywareBot
C:\BAK
C:\Program Files\Messenger\BAK

Now open KillBox.

* Click Tools>Delete Temp Files
* Click Options then Process all Profiles. Also make sure Empty IE on Browser closed is checked.
* If you wish to save cookies take the check out of the box next to Cookies
* Click Delete Selected Temp Files. You will see Completed in blue text once the deletions are done.
* Click Exit (Save Settings)


* In KillBox's main screen, select the Delete on Reboot option.
* Click on the All Files button.
* Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINNT\System32\tmp20.tmp.dll
C:\WINNT\system32\bootISE.dll
c:\winnt\system32\byvspmm.dll
C:\Documents and Settings\Lisa\Application Data\tmp10.tmp.exe


* Go to the File menu of Killbox, and choose Paste from Clipboard.
NOTE: You must use the File menu--pasting by right-clicking the mouse will only enter one file.
* Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
* Post this log in your next reply.

Lastly, Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
I know this is a lot to do and there may be more still. Just take your time and if you have any questions ask first. I've asked for several logs, and some of them are long. They may not all fit into a single reply, so you may need to use more than one post, which is fine--just please be sure everything is posted and nothing gets cut off.

If the ComboFix log is not combofix.txt please post that first. If you've run it more than once I would like to see a log that looks something like this; if you've run it more than once you should have a C:\ComboFix2.txt or similar--please find the latest one that looks like the example and post it for me if possible.

So now the logs I would like to see are:

1. The correct combofix.txt if available (if not don't worry about it).
2. New AWF.txt
3. Report.txt from SDFix
4. The Actions History Log from KillBox
5. The two logs from DSS--main.txt and extra.txt

And don't forget to submit the cab file. But if you have any problems with that at all don't worry about it.

I'll have to get into advice on buying a legal Windows later. It will cost a good chunk of change even if you find a good deal so I need to know what your budget is like and if you prefer XP Home or Pro. With Vista out now, you may or may not be able to find a legal copy in your local computer store, but best deals are online. However, I would not recommend you do any financial transactions on the infected computer until you are cleaned up.

The thing about people

is they change

when they walk away.--Mipso


#7 lisa33 (Topic Starter)

Posted 18 June 2007 - 10:54 AM

Thank you, I will try and get this stuff done within the next couple of days. Sorry about ComboFix; I ran into a problem while trying to do the programs. Regarding XP software, the budget is tight, but I will check around and start saving for it; under $200 would be good.

Thank you for all your help

#8 lisa33 (Topic Starter)

Posted 18 June 2007 - 06:10 PM

Hello Papakid,

I hope I did the fix4.bat file correctly. The screen disappeared a couple of seconds after it started running, so I waited 15 minutes and assumed it ran. Regarding the tool I ran earlier, it was Symantec. Question for you: I'm being told MySpace is a computer nightmare, and I have a teenager who is there a lot, good or bad? Here is the AWF log:


Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\BAK

0 File(s) 0 bytes

Directory of C:\WINNT\SYSTEM32\BAK

2001-10-29 19:18 13,312 ctfmon.exe
1 File(s) 13,312 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\EFAXME~1.2\BAK

2006-07-14 15:36 107,008 J2GDllCmd.exe
1 File(s) 107,008 bytes

Directory of C:\PROGRA~1\NETROPA\MULTIM~1\BAK

2000-09-21 14:34 126,976 MMKeybd.exe
1 File(s) 126,976 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

2007-03-07 10:58 1,773,568 tgcmd.exe
1 File(s) 1,773,568 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

2006-09-13 14:17 4,621,816 YAHOOM~1.EXE
1 File(s) 4,621,816 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

2007-04-29 17:21 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

2005-06-06 23:46 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\DOCUME~1\MARCUS\APPLIC~1\MYSPACE\IM\BIN\BAK

2006-11-16 16:42 1,327,104 MySpaceIM.exe
1 File(s) 1,327,104 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

13312 Oct 29 2001 "C:\WINNT\SYSTEM32\ctfmon.exe"
13312 Oct 29 2001 "C:\WINNT\SYSTEM32\bak\ctfmon.exe"
107008 Jul 14 2006 "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe"
107008 Jul 14 2006 "C:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe"
126976 Sep 21 2000 "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe"
126976 Sep 21 2000 "C:\Program Files\Netropa\Multimedia Keyboard\bak\MMKeybd.exe"
1773568 Mar 7 2007 "C:\Program Files\support.com\bin\tgcmd.exe"
1773568 Mar 7 2007 "C:\Program Files\support.com\bin\bak\tgcmd.exe"
4621816 Sep 13 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
185896 Apr 29 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 Apr 29 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
1327104 Nov 16 2006 "C:\Documents and Settings\Marcus\Application Data\MySpace\IM\bin\MySpaceIM.exe"
1327104 Nov 16 2006 "C:\Documents and Settings\Marcus\Application Data\MySpace\IM\bin\bak\MySpaceIM.exe"


end of report
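The pairing FindAWF prints above is the whole point of the AWF fix: a start-up executable copied into a sibling bak folder, with the file under the original name the one to distrust. As an added illustration (not FindAWF's or the forum's code), the following Python reads the "Duplicate files of bak directory contents" section of a report in that format, pairs each bak copy with the file it backs up, and flags matching, mismatched and orphaned pairs; the sample is a constructed excerpt, and the apdproxy.exe lines are altered to show an original that differs from its bak copy.

```python
"""Classify the 'Duplicate files of bak directory contents' section of a
FindAWF-style report.

AWF copies a legitimate auto-start executable into a sibling 'bak' folder and
plants its own file under the original name, so each bak copy is paired with
the file it backs up and compared by size and date.  Added illustration, not
FindAWF's own code; the apdproxy.exe lines are constructed to show a mismatch.
"""
import re
from collections import defaultdict

# Constructed excerpt in the format of the FindAWF report above.
SAMPLE_LINES = [
    "Duplicate files of bak directory contents",
    "~~~~~~~~~~~~~~~~~~~~~~~",
    "",
    r'13312 Oct 29 2001 "C:\WINNT\SYSTEM32\ctfmon.exe"',
    r'13312 Oct 29 2001 "C:\WINNT\SYSTEM32\bak\ctfmon.exe"',
    r'1773568 Mar 7 2007 "C:\Program Files\support.com\bin\tgcmd.exe"',
    r'1773568 Mar 7 2007 "C:\Program Files\support.com\bin\bak\tgcmd.exe"',
    # bak copy with no original listed beside it
    r'4621816 Sep 13 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"',
    r'185896 Apr 29 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"',
    r'185896 Apr 29 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"',
    # constructed: the original is a different size and date than its bak copy
    r'25856 Jun 6 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"',
    r'57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"',
    "",
    "end of report",
]

# size, 'Mon D YYYY', quoted path
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')


def parse_entries(lines):
    """Yield (size, date, path, is_bak, original_path) for each file line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers, blanks, 'end of report'
        size, date, path = int(m.group(1)), m.group(2), m.group(3)
        parts = path.split("\\")
        is_bak = len(parts) >= 3 and parts[-2].lower() == "bak"
        # Strip the 'bak' segment to get the path the copy backs up.
        original = "\\".join(parts[:-2] + parts[-1:]) if is_bak else path
        yield size, date, path, is_bak, original


def classify(lines):
    """Map each original path to MATCH, MISMATCH, ORPHAN or NO-BAK."""
    pairs = defaultdict(dict)
    for size, date, path, is_bak, original in parse_entries(lines):
        pairs[original.lower()]["bak" if is_bak else "orig"] = (size, date, original)
    verdicts = {}
    for pair in pairs.values():
        orig, bak = pair.get("orig"), pair.get("bak")
        if bak is None:
            verdict = "NO-BAK"        # listed alone; nothing to compare
        elif orig is None:
            verdict = "ORPHAN"        # bak copy present, original not listed
        elif orig[:2] == bak[:2]:
            verdict = "MATCH"         # same size and date: restored or untouched
        else:
            verdict = "MISMATCH"      # original replaced: inspect before trusting
        verdicts[(orig or bak)[2]] = verdict
    return verdicts


def suspicious(lines):
    """Return the original paths a responder should look at first."""
    return sorted(p for p, v in classify(lines).items() if v in ("MISMATCH", "ORPHAN"))


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_LINES).items():
        print(f"{verdict:<8} {path}")
```

A MATCH means the original and its bak copy agree on size and date, which is what the report above shows after fix4.bat ran; a MISMATCH or ORPHAN is the entry to compare file hashes on before trusting the executable again.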

#9 lisa33 (Topic Starter)

Posted 18 June 2007 - 08:15 PM

Hello Papakid, here is the Report.txt from SDFix. Here is a heads up: I had a problem with the File Packer. I don't think things were pasted; when I went to click Paste it was greyed out.


SDFix: Version 1.88

Run by Lisa on 2007-06-18 at 20:54

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\mssms.dll - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINNT\
C:\WINNT
No streams found.

Checking C:\WINNT\system32
C:\WINNT\system32
No streams found.

Checking C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
No streams found.

Checking C:\WINNT\system32\ntoskrnl.exe
C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Lisa\\Application Data\\tmp10.tmp.exe"="C:\\Documents and Settings\\Lisa\\Applica"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Program Files\Dell\Backup\DellBckp.exe
C:\WINNT\SYSTEM32\CONFIG\system.tmp.LOG
C:\WINNT\SYSTEM32\CONFIG\software.tmp.LOG
C:\WINNT\SYSTEM32\CONFIG\default.tmp.LOG
C:\Documents and Settings\Administrator\Local Settings\Temp\Offices.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Officeh.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off8s.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off8h.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off2s.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off2h.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off15As.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off15Ah.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off3s.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off3h.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off3s.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off3h.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off3.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1201.tmp
C:\Documents and Settings\Lisa\My Documents\~WRL0001.tmp

Listing User Accounts:

User accounts for \\D8VVJ611

Administrator Guest HelpAssistant
Lisa Marcus SUPPORT_388945a0


Finished

#10 lisa33 (Topic Starter)

Posted 18 June 2007 - 09:39 PM

Here is the ComboFix log; when I run this, McAfee is having to block Vundo a lot. Also, I sent the lisa33.cab file, but again I'm not sure it had anything in it.

2006-11-29 07:48	  0	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Marcus\APPLIC~1\Install.dat.vir
2007-06-08 13:35	  12930	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\nnlihif.dll.vir
2007-06-10 13:19	  47899	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\hggfg.exe.vir
2007-06-10 15:22	  47899	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\awtsp.exe.vir
2007-06-10 18:38	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp12.tmp.dll.vir
2007-06-10 22:26	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp72E.tmp.exe.vir
2007-06-10 22:26	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp72D.tmp.dll.vir
2007-06-10 22:38	  25856	--a------	C:\Qoobox\Quarantine\C\WINNT\764.exe.vir
2007-06-10 22:56	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp737.tmp.exe.vir
2007-06-11 18:27	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1.tmp.dll.vir
2007-06-11 18:28	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp2.tmp.exe.vir
2007-06-12 14:28	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp8F.tmp.dll.vir
2007-06-12 14:28	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp90.tmp.dll.vir
2007-06-12 21:17	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp17.tmp.exe.vir
2007-06-12 21:17	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1C.tmp.dll.vir
2007-06-12 21:25	  47899	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\urqon.exe.vir
2007-06-12 21:42	  47899	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\wvuus.exe.vir
2007-06-12 21:43	  37437	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\msrOCN.dll.vir
2007-06-12 22:04	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp19.tmp.exe.vir
2007-06-12 22:11	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp3B.tmp.dll.vir
2007-06-12 23:08	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp1B.tmp.exe.vir
2007-06-12 23:10	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1D.tmp.dll.vir
2007-06-12 23:25	  252221	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp23.tmp.exe.vir
2007-06-12 23:26	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp26.tmp.dll.vir
2007-06-13 22:02	  252130	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp1A3.tmp.exe.vir
2007-06-13 22:04	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1A4.tmp.dll.vir
2007-06-13 22:14	  252130	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp1AA.tmp.exe.vir
2007-06-13 22:17	  39124	--a------	C:\Qoobox\Quarantine\C\WINNT\SYSTEM32\tmp1AB.tmp.dll.vir
2007-06-14 21:45	  252130	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp95.tmp.exe.vir
2007-06-14 22:01	  60771	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp9A.tmp.exe.vir
2007-06-16 15:10	  122880	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp12.tmp.exe.vir
2007-06-16 15:11	  252130	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp18.tmp.exe.vir
2007-06-16 15:14	  60771	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp20.tmp.exe.vir
2007-06-16 15:24	  122880	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp25.tmp.exe.vir
2007-06-16 15:25	  252130	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp28.tmp.exe.vir
2007-06-16 15:25	  60771	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp29.tmp.exe.vir
2007-06-16 15:56	  122880	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Lisa\APPLIC~1\tmp48.tmp.exe.vir


Folder PATH listing
Volume serial number is 71FAE346 07D2:0118
C:\QOOBOX
\---Quarantine
	+---Registry_backups
	\---C
		+---DOCUME~1
		|   +---Lisa
		|   |   \---APPLIC~1
		|   |		   tmp72E.tmp.exe.vir
		|   |		   tmp737.tmp.exe.vir
		|   |		   tmp2.tmp.exe.vir
		|   |		   tmp1B.tmp.exe.vir
		|   |		   tmp17.tmp.exe.vir
		|   |		   tmp19.tmp.exe.vir
		|   |		   tmp23.tmp.exe.vir
		|   |		   tmp1A3.tmp.exe.vir
		|   |		   tmp1AA.tmp.exe.vir
		|   |		   tmp95.tmp.exe.vir
		|   |		   tmp9A.tmp.exe.vir
		|   |		   tmp12.tmp.exe.vir
		|   |		   tmp18.tmp.exe.vir
		|   |		   tmp20.tmp.exe.vir
		|   |		   tmp25.tmp.exe.vir
		|   |		   tmp28.tmp.exe.vir
		|   |		   tmp29.tmp.exe.vir
		|   |		   tmp48.tmp.exe.vir
		|   |		   
		|   \---Marcus
		|	   \---APPLIC~1
		|			   Install.dat.vir
		|			   
		\---WINNT
			|   764.exe.vir
			|   
			\---SYSTEM32
					tmp90.tmp.dll.vir
					tmp12.tmp.dll.vir
					tmp72D.tmp.dll.vir
					tmp1.tmp.dll.vir
					tmp1C.tmp.dll.vir
					tmp8F.tmp.dll.vir
					tmp3B.tmp.dll.vir
					tmp1D.tmp.dll.vir
					tmp26.tmp.dll.vir
					tmp1A4.tmp.dll.vir
					tmp1AB.tmp.dll.vir
					nnlihif.dll.vir
					hggfg.exe.vir
					awtsp.exe.vir
					urqon.exe.vir
					wvuus.exe.vir
					msrOCN.dll.vir


#11 lisa33 (Topic Starter)

Posted 18 June 2007 - 09:45 PM

DSS starts and then stops, and I get the following error message: AutoIt Error: Line 0 (File "C\Documents and Settings\Lisa\Desktop\dss.exe"):

#12 lisa33 (Topic Starter)

Posted 18 June 2007 - 09:58 PM

Hello, I tried a few times to get DSS to run and it won't. I really thank you for all your help and I apologize ahead of time if I screwed any of this up. Oh, in regards to the files you wanted fixed by running HijackThis, they were all there, and I did not get a message when I ran KillBox. I can tell you Vundo has not left.

#13 Papakid (Malware Response Team)

Posted 18 June 2007 - 10:20 PM

Hi Lisa, you're doing fine actually--I just found out today that apparently DSS and ComboFix may not work correctly on an unpatched system. Go ahead and scan again with HijackThis and post a new log, and I'll be looking over what you have posted already.

It may be tomorrow before I come up with detailed instructions. Looks like we will have to get rid of AWS manually which is a bit tedious.



#14 lisa33 (Topic Starter)

Posted 19 June 2007 - 03:33 PM

OK, thank you, I will run it tonight and post. I don't mind tedious; not your fault.

#15 lisa33 (Topic Starter)

Posted 19 June 2007 - 04:44 PM

Papakid, here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:38, on 2007-06-19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {62000082-fe21-4428-a508-84d9d3886bc7} - C:\WINNT\system32\bootISE.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161133908387
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161217377436
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs: c:\winnt\system32\byvspmm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: bootISE - bootISE.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Lisa\Application Data\tmp10.tmp.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe



