
Smitfraud_c.tool888, Exploit Virus, Runtime Error


10 replies to this topic

#1 garyusa

garyusa

  • Members
  • 8 posts

Posted 23 June 2007 - 12:51 AM

Hi:

I have scanned and cleansed various infections of viruses and spyware. (Scanned with: Ad-Aware SE Personal, Spybot, AVG 7.5, AVG anti-spyware, AVG anti-rootkit, and McAfee Stinger.)

Now for my issue:
I continue to get pop-ups and new viruses. Also I get a runtime error which prompts "just in time debugging". I'm unable to delete them permanently. After being deleted they reappear. I've tried deleting them with virus-scanners.

My HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:05 PM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Mixer.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\explorer.exe
D:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\eutamsvp.dll",realset
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

Thanks for any help!


#2 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 23 June 2007 - 02:39 AM

Hi -

You've got some nasty infections including password stealers. Do NOT do any online transactions such as online banking, online purchases, etc. until we have finished. I strongly suggest that you change your passwords at sensitive websites from a computer you know is not infected.
Also, make sure that your data files are backed up.
You will need to print these instructions because you will be working in Safe Mode without an Internet connection.

Please set your system to show all files.
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

Reboot into SAFE MODE
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\eutamsvp.dll",realset
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt


Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.
Exit the program.

Navigate to and delete the following files if present:
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\eutamsvp.dll
C:\WINDOWS\system32\IExplorer.dll

Reboot into NORMAL MODE

Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log in your next reply.
Download ComboFix from one of the following links:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
- and save it to the Desktop.

1. Double click on combo.exe and follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Post back with the log from Superantispyware, ComboFix.txt and a new HijackThis log.
Take only memories, leave nothing but footprints.


#3 garyusa

garyusa
  • Topic Starter

  • Members
  • 8 posts

Posted 24 June 2007 - 03:27 PM

Hi:

Had some problems. Had to reinstall my internet connection. Still receiving the runtime error.
Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 1:20:13 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\atiptaxx.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36AFD3E2-4C74-44AC-A4C3-D722130ED682} - (no file)
O2 - BHO: (no name) - {52AE690E-C58D-4182-8166-D62E82905567} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D98FF1B4-FF54-4382-BA86-3FCA7F224AD6} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: WD Backup Monitor.lnk = D:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\
O20 - Winlogon Notify: wvurpmk - wvurpmk.dll (file missing)
O20 - Winlogon Notify: wvuttsp - wvuttsp.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

COMBOFIX

"Cooper" - 2007-06-24 13:07:38 - ComboFix 07-06-23.5 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\lnwgdyjl.dll
C:\WINDOWS\system32\ndhtkrvh.dll
C:\WINDOWS\system32\ljydgwnl.ini
C:\WINDOWS\system32\hvrkthdn.ini
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\aybeg.bak1
C:\WINDOWS\system32\aybeg.bak2
C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\aybeg.ini2
C:\WINDOWS\system32\aybeg.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\iee
C:\WINDOWS\notedad.exe
C:\WINDOWS\system32\drivern.exe
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\o02PrEz


((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))


2007-06-24 12:59 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 12:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 12:08 <DIR> d-------- C:\DOCUME~1\Cooper\APPLIC~1\SUPERAntiSpyware.com
2007-06-24 12:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-24 11:38 43,391 --a------ C:\WINDOWS\browser.exe
2007-06-24 11:37 <DIR> d-------- C:\Program Files\SBC Self Support Tool
2007-06-24 11:37 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-06-24 11:27 <DIR> d-------- C:\Program Files\BroadJump
2007-06-23 17:49 11,776 --------- C:\WINDOWS\system32\drivers\afc.sys
2007-06-23 17:49 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-06-23 17:48 339,968 --------- C:\WINDOWS\system32\WDBtnMgr.exe
2007-06-23 17:36 9,600 --------- C:\WINDOWS\system32\drivers\hidusb.sys
2007-06-22 18:21 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-06-21 15:36 <DIR> d-------- C:\WINDOWS\Motive
2007-06-21 15:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive
2007-06-21 15:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion(3)
2007-06-21 15:16 6,530 ---hs---- C:\WINDOWS\system32\tttss.bak1
2007-06-20 22:40 81,920 --------- C:\WINDOWS\system32\W32n50.dll
2007-06-20 22:40 17,162 --------- C:\WINDOWS\system32\Pcandis5.sys
2007-06-20 22:40 16,848 --------- C:\WINDOWS\system32\Pcandis4.sys
2007-06-20 22:28 945,424 --------- C:\WINDOWS\system32\msjava.dll
2007-06-20 22:28 63,248 --------- C:\WINDOWS\system32\javaprxy.dll
2007-06-20 22:28 6,550 --------- C:\WINDOWS\jautoexp.dat
2007-06-20 22:28 49,424 --------- C:\WINDOWS\system32\clspack.exe
2007-06-20 22:28 46,352 --------- C:\WINDOWS\setdebug.exe
2007-06-20 22:28 404,752 --------- C:\WINDOWS\system32\javart.dll
2007-06-20 22:28 313,856 --------- C:\WINDOWS\system32\dx3j.dll
2007-06-20 22:28 286,992 --------- C:\WINDOWS\system32\vmhelper.dll
2007-06-20 22:28 21,264 --------- C:\WINDOWS\system32\msjdbc10.dll
2007-06-20 22:28 187,152 --------- C:\WINDOWS\system32\javacypt.dll
2007-06-20 22:28 172,304 --------- C:\WINDOWS\system32\jview.exe
2007-06-20 22:28 171,792 --------- C:\WINDOWS\system32\wjview.exe
2007-06-20 22:28 171,280 --------- C:\WINDOWS\system32\jit.dll
2007-06-20 22:28 154,896 --------- C:\WINDOWS\system32\msawt.dll
2007-06-20 22:28 15,120 --------- C:\WINDOWS\system32\jdbgmgr.exe
2007-06-20 22:28 139,536 --------- C:\WINDOWS\system32\javaee.dll
2007-06-20 22:28 113 --------- C:\WINDOWS\system32\zonedon.reg
2007-06-20 22:28 113 --------- C:\WINDOWS\system32\zonedoff.reg
2007-06-20 20:58 <DIR> d-------- C:\VundoFix Backups
2007-06-20 18:40 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-06-19 20:10 5,914,624 --a------ C:\DOCUME~1\Cooper\ntuser.dat
2007-06-19 17:23 3,968 --------- C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-09 08:30 <DIR> d-------- C:\Program Files\QuickTime
2007-06-09 08:26 <DIR> d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 18:39:08 -------- d-----w C:\Program Files\Yahoo!
2007-06-24 02:18:02 -------- d-----w C:\DOCUME~1\Cooper\APPLIC~1\ArcSoft
2007-06-24 00:49:00 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 19:08:38 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-06-21 22:31:36 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-21 00:06:43 -------- d-----w C:\Program Files\WinASO
2007-06-20 00:21:27 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-14 02:38:51 -------- d-----w C:\DOCUME~1\Cooper\APPLIC~1\AdobeUM
2007-06-09 15:36:13 -------- d-----w C:\Program Files\iTunes
2007-05-27 02:59:12 -------- d-----w C:\Program Files\Movie Maker
2007-05-27 02:59:09 -------- d-----w C:\Program Files\Messenger


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\common\yiesrvc.dll [2005-05-26 11:39]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\common\YIeTagBm.dll [2005-01-24 09:55]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 17:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2001-11-09 10:11 C:\WINDOWS\Mixer.exe]
"AtiPTA"="atiptaxx.exe" [2001-01-17 17:28 C:\WINDOWS\system32\atiptaxx.exe]
"AVG7_CC"="d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-20 16:00]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"RemoteControl"="d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-19 22:32]
"WD Button Manager"="WDBtnMgr.exe" [2007-06-23 17:48 C:\WINDOWS\system32\WDBtnMgr.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="1" []
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnm]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurpmk]
wvurpmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuttsp]
wvuttsp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk]
backup=C:\WINDOWS\pss\PlexTools Professional.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cooper^Start Menu^Programs^Startup^TA_Start.lnk]
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]


Contents of the 'Scheduled Tasks' folder
2007-06-09 15:26:51 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 13:10:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 13:12:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-24 13:12

--- E O F ---


Superantispyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/24/2007 at 12:54 PM

Application Version : 3.8.1002

Core Rules Database Version : 3260
Trace Rules Database Version: 1271

Scan type : Complete Scan
Total Scan Time : 00:43:00

Memory items scanned : 382
Memory threats detected : 1
Registry items scanned : 6281
Registry threats detected : 21
File items scanned : 27662
File threats detected : 31

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\GEBYA.DLL
C:\WINDOWS\SYSTEM32\GEBYA.DLL
HKLM\Software\Classes\CLSID\{D98FF1B4-FF54-4382-BA86-3FCA7F224AD6}
HKCR\CLSID\{D98FF1B4-FF54-4382-BA86-3FCA7F224AD6}
HKCR\CLSID\{D98FF1B4-FF54-4382-BA86-3FCA7F224AD6}\InprocServer32
HKCR\CLSID\{D98FF1B4-FF54-4382-BA86-3FCA7F224AD6}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D98FF1B4-FF54-4382-BA86-3FCA7F224AD6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC192567-65F9-4AB6-ADB7-E13575F81726}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{DC192567-65F9-4AB6-ADB7-E13575F81726}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\gebya
HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}
HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}\InprocServer32
HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}\InprocServer32#ThreadingModel

Trojan.Downloader-Gen/DriverM
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58FE4633-3D0A-4464-BD5B-939C19B57011}
HKCR\CLSID\{58FE4633-3D0A-4464-BD5B-939C19B57011}
HKCR\CLSID\{58FE4633-3D0A-4464-BD5B-939C19B57011}
HKCR\CLSID\{58FE4633-3D0A-4464-BD5B-939C19B57011}\InprocServer32
HKCR\CLSID\{58FE4633-3D0A-4464-BD5B-939C19B57011}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DRIVERN.DLL

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{8A61098D-612B-4EF2-943D-64E920684061}

Adware.Tracking Cookie
C:\Documents and Settings\Cooper\Cookies\cooper@youramateurporn[1].txt
C:\Documents and Settings\Cooper\Cookies\cooper@ad.media-servers[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@67.15.239[1].txt
C:\Documents and Settings\Cooper\Cookies\cooper@pornotube[1].txt
C:\Documents and Settings\Cooper\Cookies\cooper@gmgmacmortgage.112.2o7[1].txt
C:\Documents and Settings\Cooper\Cookies\cooper@nextag[1].txt
C:\Documents and Settings\Cooper\Cookies\cooper@ad.firstadsolution[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@adultadworld[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@expressexport[1].txt
C:\Documents and Settings\Cooper\Cookies\cooper@ads[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@www.burstnet[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@mediaplex[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@indexstats[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@overture[1].txt
C:\Documents and Settings\Cooper\Cookies\cooper@count1.exitexchange[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@exitexchange[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@adserving.cpxinteractive[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@www.claxonmedia[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@cpvfeed[2].txt
C:\Documents and Settings\Cooper\Cookies\cooper@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Cooper\Cookies\cooper@image.masterstats[1].txt

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Desktop\Online Security Guide.url

Adware.ClickSpring/Yazzle
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#UninstallString
C:\PROGRAM FILES\COMMON FILES\YAZZLE1122OINUNINSTALLER.EXE

Trojan.Downloader-Gen/Monterrey
C:\WINDOWS\SYSTEM32\MONTERREYH_INGEN.EXE
C:\WINDOWS\SYSTEM32\MONTERREYN_INGEN.EXE
C:\WINDOWS\Prefetch\MONTERREYH_INGEN.EXE-30BACDD2.pf
C:\WINDOWS\Prefetch\MONTERREYN_INGEN.EXE-03D801E3.pf

Trace.Known Threat Sources
D:\Documents and Settings\Cooper\Local Settings\Temporary Internet Files\Content.IE5\3S8O7HLV\ffa_mv20070611[1]
D:\Documents and Settings\Cooper\Local Settings\Temporary Internet Files\Content.IE5\9YH3JHRM\nauj_20070613_1[2]


Again thanks for your help

#4 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 24 June 2007 - 05:06 PM

I get a runtime error which prompts "just in time debugging". I'm unable to delete them permanently. After being deleted they reappear. I've tried deleting them


When you say you've tried deleting "them" - what have you tried to delete?

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: (no name) - {36AFD3E2-4C74-44AC-A4C3-D722130ED682} - (no file)
O2 - BHO: (no name) - {52AE690E-C58D-4182-8166-D62E82905567} - (no file)
O2 - BHO: (no name) - {D98FF1B4-FF54-4382-BA86-3FCA7F224AD6} - (no file)
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\
O20 - Winlogon Notify: wvurpmk - wvurpmk.dll (file missing)
O20 - Winlogon Notify: wvuttsp - wvuttsp.dll (file missing)


If you are no longer using Symantec, check this as well:
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.

If you have WinSniffer, uninstall it.
- Go to Start > Control Panel > Add/Remove Programs
- Select WinSniffer > click Remove
- Exit.

Reboot your computer.

Open notepad and copy/paste the text inside the codebox below into it:

File::
C:\WINDOWS\browser.exe
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\W32n50.dll
C:\WINDOWS\jautoexp.dat

Folder::
C:\Program Files\WinSniffer

Driver::

Catch::

Registry::

Save this as ComboFix-Do.txt
Drag the Combofix-Do.txt over on to Combofix.exe and release.

Post back the resulting report along with a Hijackthis log.

Edited by waterfalls, 24 June 2007 - 05:11 PM.

Take only memories, leave nothing but footprints.
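The fix list above is easier to follow if you can see what HijackThis is actually reporting. What follows is an added example, my own code rather than a BleepingComputer or HijackThis tool, that reads a HijackThis 1.99 log offline and pulls out the classes of entry a helper looks at first: references marked "(no file)" or "(file missing)", Winlogon Notify hooks, ActiveX (DPF) controls fetched from a URL, and Run entries given as bare filenames. The sample log is a constructed subset of lines posted in this thread. The Winlogon and relative-path checks are review prompts, not verdicts: on this machine Mixer.exe and SASWINLO.dll are legitimate, and only the orphaned entries end up in the fix list.

```python
"""Triage a HijackThis 1.99.x log offline.

Added example (not a BleepingComputer or HijackThis tool): it surfaces the
entry types a malware-removal helper looks at first, namely references whose
target file no longer exists, Winlogon Notify hooks, ActiveX (DPF) downloads
and autoruns given as bare filenames.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# A log entry line looks like "O2 - BHO: name - {CLSID} - path".
ENTRY_RE = re.compile(r"^(?P<sec>R\d|F\d|N\d|O\d+) - (?P<body>.*)$")
# An absolute Windows path, e.g. C:\WINDOWS\system32\foo.dll
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O20"
    reason: str    # why a reviewer should look at it
    line: str      # the log line itself


def parse(log: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw line) for each entry; skip headers and the process list."""
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("sec"), m.group("body"), raw


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for sec, body, raw in parse(log):
        if "(no file)" in body.lower() or "(file missing)" in body.lower():
            # HijackThis marks entries whose target is gone; these are the
            # leftovers of a removed infection and are safe to fix.
            findings.append(Finding(sec, "orphaned: target file is gone", raw))
            continue
        if sec == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe at every logon;
            # few legitimate products register one, so each deserves a look.
            target = body.split(" - ", 1)[-1].strip()
            if not target.lower().endswith(".dll"):
                findings.append(Finding(sec, "Winlogon Notify without a DLL path", raw))
            else:
                findings.append(Finding(sec, "Winlogon Notify hook: confirm the DLL belongs to a known product", raw))
        elif sec == "O16" and re.search(r"\bhttps?://", body, re.I):
            # Downloaded Program Files: an ActiveX control fetched from a URL.
            findings.append(Finding(sec, "ActiveX control downloaded from a URL", raw))
        elif sec == "O4":
            # "[Name] command": a bare filename is resolved via the search
            # path, so it is worth knowing which file actually runs.
            m = re.search(r"\] (.*)$", body)
            if m and not DRIVE_PATH_RE.match(m.group(1).strip().strip('"')):
                findings.append(Finding(sec, "autorun given as a relative path", raw))
    return findings


def fix_candidates(findings: List[Finding]) -> List[str]:
    """The lines a helper would tick under 'Fix checked': only the orphaned ones."""
    return [f.line for f in findings if f.reason.startswith("orphaned")]


# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {36AFD3E2-4C74-44AC-A4C3-D722130ED682} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - Global Startup: WD Backup Monitor.lnk = D:\Program Files\My Book\WD Backup\uBBMonitor.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\
O20 - Winlogon Notify: wvurpmk - wvurpmk.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print("\nTick in HijackThis:")
    for line in fix_candidates(triage(SAMPLE_LOG)):
        print("  " + line)
```

Run against a full log saved from HijackThis it prints the review list and, separately, the orphaned entries that can go straight into "Fix checked"; everything else on the list is a question to answer against a known-good software inventory, not something to delete.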


#5 garyusa

garyusa
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:27 AM

Posted 24 June 2007 - 06:06 PM

Hi:

Just the programs I have: AVG antivirus, AVG antispyware, WINASO. The runtime error only came up once, after completing your first response. I did the second response and have not run any other scans.

Here is the info:

"Cooper" - 2007-06-24 15:57:33 - ComboFix 07-06-23.5 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Cooper\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\jautoexp.dat
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\W32n50.dll


((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))


2007-06-24 12:59 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 12:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 12:08 <DIR> d-------- C:\DOCUME~1\Cooper\APPLIC~1\SUPERAntiSpyware.com
2007-06-24 12:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-24 11:37 <DIR> d-------- C:\Program Files\SBC Self Support Tool
2007-06-24 11:37 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-06-24 11:27 <DIR> d-------- C:\Program Files\BroadJump
2007-06-23 17:49 11,776 --------- C:\WINDOWS\system32\drivers\afc.sys
2007-06-23 17:49 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-06-23 17:48 339,968 --------- C:\WINDOWS\system32\WDBtnMgr.exe
2007-06-23 17:36 9,600 --------- C:\WINDOWS\system32\drivers\hidusb.sys
2007-06-22 18:21 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-06-21 15:36 <DIR> d-------- C:\WINDOWS\Motive
2007-06-21 15:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive
2007-06-21 15:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion(3)
2007-06-20 22:40 17,162 --------- C:\WINDOWS\system32\Pcandis5.sys
2007-06-20 22:40 16,848 --------- C:\WINDOWS\system32\Pcandis4.sys
2007-06-20 22:28 945,424 --------- C:\WINDOWS\system32\msjava.dll
2007-06-20 22:28 63,248 --------- C:\WINDOWS\system32\javaprxy.dll
2007-06-20 22:28 49,424 --------- C:\WINDOWS\system32\clspack.exe
2007-06-20 22:28 46,352 --------- C:\WINDOWS\setdebug.exe
2007-06-20 22:28 404,752 --------- C:\WINDOWS\system32\javart.dll
2007-06-20 22:28 313,856 --------- C:\WINDOWS\system32\dx3j.dll
2007-06-20 22:28 286,992 --------- C:\WINDOWS\system32\vmhelper.dll
2007-06-20 22:28 21,264 --------- C:\WINDOWS\system32\msjdbc10.dll
2007-06-20 22:28 187,152 --------- C:\WINDOWS\system32\javacypt.dll
2007-06-20 22:28 172,304 --------- C:\WINDOWS\system32\jview.exe
2007-06-20 22:28 171,792 --------- C:\WINDOWS\system32\wjview.exe
2007-06-20 22:28 171,280 --------- C:\WINDOWS\system32\jit.dll
2007-06-20 22:28 154,896 --------- C:\WINDOWS\system32\msawt.dll
2007-06-20 22:28 15,120 --------- C:\WINDOWS\system32\jdbgmgr.exe
2007-06-20 22:28 139,536 --------- C:\WINDOWS\system32\javaee.dll
2007-06-20 22:28 113 --------- C:\WINDOWS\system32\zonedon.reg
2007-06-20 22:28 113 --------- C:\WINDOWS\system32\zonedoff.reg
2007-06-20 20:58 <DIR> d-------- C:\VundoFix Backups
2007-06-20 18:40 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-06-19 20:10 5,914,624 --a------ C:\DOCUME~1\Cooper\ntuser.dat
2007-06-19 17:23 3,968 --------- C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-09 08:30 <DIR> d-------- C:\Program Files\QuickTime
2007-06-09 08:26 <DIR> d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 18:39:08 -------- d-----w C:\Program Files\Yahoo!
2007-06-24 02:18:02 -------- d-----w C:\DOCUME~1\Cooper\APPLIC~1\ArcSoft
2007-06-24 00:49:00 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 19:08:38 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-06-21 22:31:36 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-21 00:06:43 -------- d-----w C:\Program Files\WinASO
2007-06-20 00:21:27 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-14 02:38:51 -------- d-----w C:\DOCUME~1\Cooper\APPLIC~1\AdobeUM
2007-06-09 15:36:13 -------- d-----w C:\Program Files\iTunes
2007-05-27 02:59:12 -------- d-----w C:\Program Files\Movie Maker
2007-05-27 02:59:09 -------- d-----w C:\Program Files\Messenger


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\common\yiesrvc.dll [2005-05-26 11:39]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\common\YIeTagBm.dll [2005-01-24 09:55]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 17:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2001-11-09 10:11 C:\WINDOWS\Mixer.exe]
"AtiPTA"="atiptaxx.exe" [2001-01-17 17:28 C:\WINDOWS\system32\atiptaxx.exe]
"AVG7_CC"="d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-20 16:00]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"RemoteControl"="d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-19 22:32]
"WD Button Manager"="WDBtnMgr.exe" [2007-06-23 17:48 C:\WINDOWS\system32\WDBtnMgr.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="1" []
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk]
backup=C:\WINDOWS\pss\PlexTools Professional.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cooper^Start Menu^Programs^Startup^TA_Start.lnk]
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]


Contents of the 'Scheduled Tasks' folder
2007-06-09 15:26:51 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 15:58:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 15:59:29
C:\ComboFix-quarantined-files.txt ... 2007-06-24 15:59
C:\ComboFix2.txt ... 2007-06-24 13:12

--- E O F ---


HJT

Logfile of HijackThis v1.99.1
Scan saved at 4:05:44 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\atiptaxx.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: WD Backup Monitor.lnk = D:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

Thanks for your help

#6 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 24 June 2007 - 09:28 PM

Hi -

You're quite welcome. Your log looks clean. You can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.

Please set your system to hide system files.
- Go to Start and open My Computer
- Select the Tools menu and click Folder Options.
- Select the View Tab and, under Hidden files and folders, check Do not show hidden files and folders
- Check Hide file extensions for known file types
- Check Hide protected operating system files (Recommended)
- Click Apply, then OK.

If you have not done so, please empty your Recycle Bin.

Create a new Restore Point:
- Go to Start > All Programs > Accessories > System Tools > System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or "After cleaning"
- Click Create.

Delete the old Restore Points:
- Go to Start > All Programs > Accessories > System Tools > Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.

Reboot your computer.

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster. SpywareBlaster doesn't scan and clean for so-called spyware but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls and also prevents the installation of any of them via a webpage. Update it periodically.

Install IE-SPYAD. It puts over 20,000 sites in your restricted zone, so you will be protected when you visit innocent-looking sites that are not actually innocent at all.

* Avoid illegal sites because that's where most malware is present.
* Don't click on links inside pop-ups. If you should get them, use ALT + F4 to close them.
* Don't click on links in spam messages claiming to offer anti-spyware software because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust because a lot of free software can bundle other software, including spyware.

Let your anti-virus and anti-spyware scanners scan frequently and don't forget to update before scanning.

I suggest you perform an online virus-scan once in a while (Housecall and/or Bitdefender) because what one virus-scanner can't find, another one maybe can.

Make sure your Windows has the latest updates by going here.

More information on how to prevent malware can be found at So how did I get infected in the first place? (by Tony Klein) and Malware Prevention: Prevent Re-infection.

Happy surfing again! :thumbsup:

Edited by waterfalls, 24 June 2007 - 09:30 PM.

Take only memories, leave nothing but footprints.


#7 garyusa

garyusa
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:27 AM

Posted 24 June 2007 - 10:05 PM

Once again thanks.

I scanned everything - everything was clean.

One problem I ran into - I had SpywareBlaster 3.51 on my computer and was going to update it; an error (upon starting SpywareBlaster) came up: "Microsoft Office Professional Edition 2003 required installation file SKU011.cab could not be found" and requested that I insert the CD. I cancelled since I'm not sure why SpywareBlaster would need Office. After cancelling, SpywareBlaster started and was working fine. I tried to uninstall and reinstall; same problem.

Is it ok to load that file from Office?

Thanks

#8 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 24 June 2007 - 10:34 PM

Found this. Seems like it's identical to the problem you're having:
http://www.wilderssecurity.com/archive/ind...p/t-133718.html
Take only memories, leave nothing but footprints.


#9 garyusa

garyusa
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:27 AM

Posted 25 June 2007 - 10:10 PM

Hi:

Still have some problems:

The following spyware (cookies) are showing up:

mediaplex
questionmarket
sextracker

In history the following items are unable to be deleted:

filereseachcenter.com
superantispyware.com

I was unable to fix the SpywareBlaster problem but I don't think it's related.

I ran Ad-Aware, Spybot, and SUPERAntiSpyware.

In msconfig my startup has 2 items that I have unchecked that do not seem right. In WINASO I deleted them but they are still in msconfig. The entries are:

Startup   Command   Location
1         1         Software\Microsoft\Windows\CurrentVersion\Run
(blank)   (blank)   Software\Microsoft\Windows\CurrentVersion\Run

(2nd item: startup and command are blank)


Here is my hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 8:00:55 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\atiptaxx.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: WD Backup Monitor.lnk = D:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

Thanks for your help.

#10 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 26 June 2007 - 09:50 AM

You need to change your settings for cookies.
In Firefox, click Tools > Options > Privacy tab
- Tick "Allow sites to set Cookies"
- From the drop-down arrow, select "ask me every time"
- Click OK
- When you are surfing and do accept cookies, choose the option "Session Only"
In Internet Explorer, click Tools > Internet Options > Privacy tab > Advanced
- Tick "Override automatic cookie handling"
- Under "First-party Cookies" - tick "Prompt"
- Under "Third-party Cookies" - tick "Block"
- Click OK and Apply
Rule of thumb: Don't accept cookies for every site - be selective. You can deny most cookies, and you will be blocked from most of the tracking cookies.

Go to Start > Control Panel > Internet Options
- Click the "General" tab
- Under "Browsing history" click "Delete" > then click "Settings"
- At the bottom under "History" - enter either 1 or 0
- Click OK and Apply

I know what WINASO is, but I do not use it. Also, I don't understand what entries you're trying to delete. Deleting items because "they don't seem right" can be dangerous in that you can end up deleting legit files and crippling your computer.
Take only memories, leave nothing but footprints.
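The setting above works because the browser decides "first-party" or "third-party" by comparing the site (registrable domain, often called eTLD+1) of the cookie with the site of the page, not the exact hostname. As an added example that is not part of the original post, here is a small model of that decision applying the settings waterfalls describes (third-party: Block; first-party: Prompt, accepted as session-only). The public-suffix list is a constructed four-entry stand-in for the real Public Suffix List, and the sample page and cookie domains are constructed; the tracking hosts are assumed, not taken from the user's cookie files.

```python
"""Model the cookie decision behind 'block third-party, prompt first-party'.

Added example, not browser code. The public-suffix list is a deliberately
tiny stand-in; a real browser uses the full Public Suffix List.
"""
from urllib.parse import urlsplit
from typing import List, Tuple

# Constructed stand-in for the Public Suffix List: anything under another
# suffix falls back to "last two labels".
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the site (eTLD+1) of a hostname: 'ads.as4x.tmcs.net' -> 'tmcs.net'."""
    labels = host.lower().strip(".").split(".")
    # Try the longest candidate suffix first, down to the bare TLD.
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])


def is_third_party(page_url: str, cookie_domain: str) -> bool:
    """A cookie is third-party when its site differs from the page's site."""
    page_host = urlsplit(page_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(cookie_domain.lstrip("."))


def decide(page_url: str, cookie_domain: str, persistent: bool) -> str:
    """Apply the post's IE settings: third-party Block, first-party Prompt,
    with the rule of thumb of accepting first-party cookies session-only."""
    if is_third_party(page_url, cookie_domain):
        return "block"
    return "prompt" if persistent else "allow"


# Constructed sample: a page on www.yahoo.com embedding ad resources from
# other sites (the ad hostnames are assumed for illustration).
SAMPLE: List[Tuple[str, str, bool]] = [
    ("http://www.yahoo.com/", "www.yahoo.com", False),
    ("http://www.yahoo.com/", ".yahoo.com", True),
    ("http://www.yahoo.com/", "ads.as4x.tmcs.net", True),
    ("http://www.yahoo.com/", "mediaplex.com", True),
]


def summarize(samples=SAMPLE) -> List[Tuple[str, str]]:
    """(cookie domain, decision) for each sample cookie."""
    return [(dom, decide(url, dom, persistent)) for url, dom, persistent in samples]


if __name__ == "__main__":
    for dom, verdict in summarize():
        print(f"{dom:22} {verdict}")
```

Because the comparison is by site, a cookie set for ".yahoo.com" is still first-party on www.yahoo.com, while an ad server on a different registrable domain is blocked outright, which is why the tracking cookies listed in the scans stop reappearing once third-party cookies are blocked.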


#11 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 08 July 2007 - 03:56 PM

Since this issue appears resolved ... this topic is closed.

Everyone else please begin a new topic.
Take only memories, leave nothing but footprints.
