
Smitfraud-c.toolbar888 Infection


5 replies to this topic

#1 Mountain_Man (Members, 6 posts)

Posted 28 June 2007 - 04:43 PM

My wife's computer became infected when my son was looking for code generators for one of his PC games.

I have run AdAware and Spy-Bot on this computer.

Please help as my wife is rather irritated at the moment.

Here is the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 2:00:37 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = liveupdate.symantecliveupate.com;liveupdate.symantec.com
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\ofqdhbon.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Shortcut to procexp.lnk = C:\Program Files\SysInternals\procexp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.akadns.net
O15 - Trusted Zone: *.ea.com
O15 - Trusted Zone: *.earthlink.net
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pogo.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.symantecliveupdate.com
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.6.4.21/omaha/omaha-en_US.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.6.4.29/aces/aces-en_US.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.5.1.24/slot...ibaba-en_US.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.6.5.22/back...ammon-en_US.cab
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.6.1.29/batt...hlinx-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.6.0.34/blac...kjack-en_US.cab
O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.com/applet-6.7.4.28/vbja...jack2-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.7.3.30/casc...scade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.7.4.35/bowl...wling-en_US.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.4.0.41/vide...k-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.6.5.22/cana...nasta-en_US.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.7.3.30/chec...ckers-en_US.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.5.3.37/ches...hess2-en_US.cab
O16 - DPF: Command and Conquer Comanche by pogo - http://game1.pogo.com/applet-6.4.4.34/ccst...e-ob-assets.cab
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.7.3.30/crib...bbage-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game1.pogo.com/applet-6.7.3.23/ytz/ytz-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.7.2.33/chec...dflag-en_US.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.7.2.33/domi...omino-en_US.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-6.4.0.34/vide...e-ob-assets.cab
O16 - DPF: EA Sports Web Soccer by pogo - http://game1.pogo.com/applet-6.5.3.37/socc...occer-en_US.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.5.2.26/euch...uchre-en_US.cab
O16 - DPF: EZ Win Bingo by pogo - http://game1.pogo.com/applet-6.4.4.27/bing...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.7.4.28/firs...lass2-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.7.4.35/supe...bingo-en_US.cab
O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.7.4.28/gree...nback-en_US.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.6.3.34/harv...rvest-en_US.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.6.4.29/hear...earts-en_US.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.7.3.23/pool2/pool-en_US.cab
O16 - DPF: Its Outta Here 2 by pogo - http://game1.pogo.com/applet-6.6.5.22/itso...fhere-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.7.2.33/jigs...igsaw-en_US.cab
O16 - DPF: Jokers Wild Poker by pogo - http://game1.pogo.com/applet-6.3.0.46/vide...d-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.8.0.25/gin2/gin2-en_US.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.6.1.29/keno/keno-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.7.3.23/mhpo...poker-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.7.3.30/lott...ottso-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.7.5.21/mahj...hjong-en_US.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.7.3.30/mlsl...slots-en_US.cab
O16 - DPF: NASCAR Web Racing by pogo - http://game1.pogo.com/applet-6.5.3.37/nasc...ascar-en_US.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.6.1.29/paig...aigow-en_US.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.7.4.28/free...ecell-en_US.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.7.4.28/wate...wheel-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.7.3.30/flin...inger-en_US.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.6.3.34/pino...ochle-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.7.3.23/popfu/popfu-en_US.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.6.0.27/popp...zoppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.3.23/popp...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.7.4.28/hots...treak-en_US.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.7.3.30/squa...uares-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.5.4.27/ride/ride-en_US.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.1.2.32/slot...i-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.6.1.29/slot...wbiz2-en_US.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.37/slot...z-ob-assets.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.3.23/puck/puck-en_US.cab
O16 - DPF: Spades 2 by pogo - http://game1.pogo.com/applet-6.7.5.21/spad...ades2-en_US.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.4.4.34/spad...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.7.3.30/spid...pider-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.7.3.30/sque...chies-en_US.cab
O16 - DPF: Stax by pogo - http://game1.pogo.com/applet-6.7.3.30/stax/stax-en_US.cab
O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.7.2.33/swee...eeper-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.7.4.28/swee...tooth-en_US.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.7.2.24/hold...oldem-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.3.23/peaks/peaks-en_US.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.7.4.28/jumb...umbee-en_US.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.6.0.34/turb...rbo21-en_US.cab
O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.7.3.30/turb...rbo22-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.8.0.25/memo...ories-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.7.3.23/word...homp2-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.7.5.28/whac...kdown-en_US.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.7.4.35/word...djong-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.7.3.30/worl...class-en_US.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166894692343
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pogo.com/online2/pogop/ch...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B31626DB-DAB0-4891-A261-588E6E142D3A}: NameServer = 192.168.0.1
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe



#2 Papakid (Malware Response Team, 6,581 posts)

Posted 29 June 2007 - 09:51 AM

Hi Mountain_Man, welcome to BC.

Looks like this PC is infected with Vundo and maybe LOP as well. Be advised that your wife may get even more irritated as the fix may bork her ability to play games at Pogo. We'll have to see but just be ready for that possibility.

Print out these instructions or save them to Notepad or your text editor of choice, since you won't have access to them when in safe mode.

Please download Combofix to your desktop.

Doubleclick ComboFix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done.

Post this log in your next reply.

You don't quite have the latest version of Sun's Java installed. For some reason Sun will also leave older versions of Java behind, which is a security risk, because they are unpatched and still can be called on to run. Apparently Vundo does this and using an older version is why it was able to infect you. However, Pogo uses Java extensively and sometimes people are unable to play games because of problems with Java--if there are any problems with Pogo after this update please let me know. Try this:

Updating Java:
-Go to Start > Control Panel double-click on the Software icon > add/remove programs.
-Search in the list for ALL installed versions of Java. (J2SE Runtime Environment.... )
Select each and click Remove.

Download and install CCleaner.
(Starting with v1.27.260, the standard build installs the Yahoo Toolbar as an option which is checkmarked by default during the installation. IF you do NOT want it, remove the checkmark when provided with the option OR download the toolbar-free Basic version instead.)

*After installation, see the Using and Understanding CCleaner Tutorial. Don't run it just yet.

Reboot your computer into Safe Mode.

Run CCleaner to clear out your Java cache and other junk files--I don't trust the issues function, so suggest you uncheck it for now. When finished reboot normally.

Download and install the newest version of Java from here: http://www.java.com/en/download/manual.jsp

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
In your next reply please post:

1. Log from ComboFix
2. Log from SUPERAntiSpyware
3. A new HijackThis log

BTW, I'll be looking at your other thread in just a bit.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
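The indicators Papakid is reacting to in the posted log can be checked mechanically: a Run key that has rundll32 load a random-named DLL out of system32 (the [icq.com] entry), COM hooks with no name or no backing file, and the same DLL wired into more than one load point. The Python script below is an added example for this thread, not code from BleepingComputer, HijackThis, ComboFix or any other tool mentioned here. The O4/R3/O21 sample lines are copied from the posted HijackThis log; the O2/O20 lines are constructed in HijackThis format from file names that appear in this thread; the "7-8 random lowercase letters" rule and the section list used for the "(no name)" check are assumptions chosen for the example.

```python
"""Flag Vundo-style persistence in a HijackThis log.

Added example for this thread, not code from BleepingComputer, HijackThis or
ComboFix. Heuristics (assumptions made for this example):
  * a system32 DLL/EXE whose basename is 7-8 random lowercase letters
    (ofqdhbon.dll, iifgebc.dll) is treated as suspicious;
  * rundll32 loading such a DLL from a Run key is a strong indicator;
  * R3/O2/O20 entries with "(no name)" or "(no file)" are anomalies;
  * one DLL referenced from several load points (BHO + Winlogon Notify)
    is the layered persistence worth cleaning first.
"""
import re
from collections import defaultdict

RANDOM_BASENAME = re.compile(r"^[a-z]{7,8}$")
SYS32_MODULE = re.compile(r"C:\\WINDOWS\\system32\\([A-Za-z0-9_]+)\.(?:dll|exe)", re.I)
SECTION = re.compile(r"^([RFNO]\d+) - ")
UNNAMED_SUSPICIOUS = {"R3", "O2", "O20"}   # O9 buttons routinely lack a name

# Sample input: the O4/R3/O21 lines are copied from the posted log; the O2/O20
# lines are constructed in HijackThis format from file names seen in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\ofqdhbon.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - C:\WINDOWS\system32\iifgebc.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\mimmyjfs.dll
O20 - Winlogon Notify: iifgebc - C:\WINDOWS\system32\iifgebc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""


def triage(log_text):
    """Return (modules, anomalies).

    modules   -- {basename: set of HijackThis sections} for random-named system32 modules
    anomalies -- list of (reason, line) pairs
    """
    modules = defaultdict(set)
    anomalies = []
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION.match(line)
        if not sec:
            continue
        section = sec.group(1)
        if "(no file)" in line:
            anomalies.append(("registered-but-missing", line))
        if "(no name)" in line and section in UNNAMED_SUSPICIOUS:
            anomalies.append(("unnamed-com-hook", line))
        for m in SYS32_MODULE.finditer(line):
            base = m.group(1)
            if not RANDOM_BASENAME.match(base):
                continue
            modules[base].add(section)
            if section == "O4" and "rundll32" in line.lower():
                anomalies.append(("rundll32-loads-random-dll", line))
    return dict(modules), anomalies


def score(modules):
    """Rank modules by number of distinct load points, most persistent first."""
    return sorted(((len(secs), name) for name, secs in modules.items()), reverse=True)


if __name__ == "__main__":
    mods, anoms = triage(SAMPLE_LOG)
    for hits, name in score(mods):
        print(f"{hits} load point(s): {name} via {sorted(mods[name])}")
    for reason, line in anoms:
        print(f"[{reason}] {line}")
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE_LOG`. Legitimate modules such as NvCpl.dll, ctfmon.exe and WPDShServiceObj.dll fall through the name filter, while iifgebc ranks first because it is referenced from both a BHO entry and Winlogon Notify, which is exactly the pattern the cleanup tools in this thread go after.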


#3 Mountain_Man (Topic Starter, Members, 6 posts)

Posted 30 June 2007 - 09:04 AM

Hi Papakid,

I ran all of the programs you suggested. Ad-Aware and SpyBot both show clean now.

I will let you know about the Pogo games after my wife tests them.

Here are the log files you requested.

ComboFix 07-06-18.2 - C:\xxx\ComboFix\ComboFix.exe
"Gayle Graham" - 2007-06-29 22:25:16 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\SYSTEM32\klkkj.bak1
C:\WINDOWS\SYSTEM32\klkkj.bak2
C:\WINDOWS\SYSTEM32\klkkj.ini
C:\WINDOWS\SYSTEM32\klkkj.ini2
C:\WINDOWS\SYSTEM32\klkkj.tmp
C:\WINDOWS\SYSTEM32\klkkj.bak1
C:\WINDOWS\SYSTEM32\klkkj.bak2
C:\WINDOWS\SYSTEM32\klkkj.ini
C:\WINDOWS\SYSTEM32\klkkj.ini2
C:\WINDOWS\SYSTEM32\klkkj.tmp
C:\WINDOWS\system32\jkklk.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\retadpu1000272.exe


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-29 22:23 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 22:19 <DIR> d-------- C:\xxx
2007-06-29 07:20 128,576 --a------ C:\WINDOWS\SYSTEM32\asmramng.dll
2007-06-28 22:57 66,112 --a------ C:\WINDOWS\SYSTEM32\mimmyjfs.dll
2007-06-28 12:05 128,576 --a------ C:\WINDOWS\SYSTEM32\owrclvew.dll
2007-06-27 19:32 128,576 --a------ C:\WINDOWS\SYSTEM32\chtmccmq.dll
2007-06-27 19:29 66,112 --a------ C:\WINDOWS\SYSTEM32\bebymsct.dll
2007-06-27 14:44 128,576 --a------ C:\WINDOWS\SYSTEM32\amjxymsn.dll
2007-06-27 06:40 4,246 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-26 21:17 128,576 --a------ C:\WINDOWS\SYSTEM32\ofqdhbon.dll
2007-06-26 21:11 4,672 --a------ C:\WINDOWS\SYSTEM32\lkyfrwqm.exe
2007-06-26 19:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-25 20:11 199,601 --a------ C:\WINDOWS\SYSTEM32\scchk32.exe
2007-06-25 18:57 31,254 --a------ C:\WINDOWS\SYSTEM32\iifgebc.dll
2007-06-25 18:57 31,254 --a------ C:\WINDOWS\SYSTEM32\ddcawxv.dll
2007-06-12 16:51 <DIR> d-------- C:\WINDOWS\.jagex_cache_32


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 05:40:18 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-06-29 19:50:20 -------- d-----w C:\Program Files\EarthLink TotalAccess
2007-06-27 02:35:25 -------- d-----w C:\DOCUME~1\GAYLEG~1\APPLIC~1\Lavasoft
2007-06-27 02:32:25 -------- d-----w C:\Program Files\Lavasoft
2007-06-26 05:23:40 -------- d-----w C:\Program Files\SysInternals
2007-06-24 18:05:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-23 12:49:50 -------- d-----w C:\Program Files\World of Warcraft
2007-06-17 06:39:02 -------- d-----w C:\Program Files\Warcraft III
2007-06-16 07:08:25 -------- d-----w C:\Program Files\EA Games
2007-05-29 12:43:30 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-12 15:42:19 -------- d-----w C:\Program Files\MSXML 6.0
2007-05-12 14:29:06 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 01:47]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\mimmyjfs.dll [2007-06-28 22:57]
{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}=C:\Program Files\EarthLink TotalAccess\PnEL.dll [2004-06-18 21:35]
{A6807262-1D7A-44AB-947B-23B71E97915C}=C:\WINDOWS\system32\iifgebc.dll [2007-06-25 18:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-21 12:27]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 17:47]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-02 23:01]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 18:22]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-06-24 15:24]
"{A6807262-1D7A-44AB-947B-23B71E97915C}"="C:\WINDOWS\system32\iifgebc.dll" [2007-06-25 18:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
iifgebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgebc]
iifgebc.dll



Contents of the 'Scheduled Tasks' folder
2007-06-30 02:33:13 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-01-13 15:23:48 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Gayle Graham.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-29 22:39:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-29 22:45:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-29 22:45

--- E O F ---


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/30/2007 at 05:18 AM

Application Version : 3.9.1008

Core Rules Database Version : 3263
Trace Rules Database Version: 1274

Scan type : Complete Scan
Total Scan Time : 05:39:49

Memory items scanned : 431
Memory threats detected : 1
Registry items scanned : 7199
Registry threats detected : 12
File items scanned : 262791
File threats detected : 101

Trojan.Downloader-Gen/HitItQuitIt
C:\WINDOWS\SYSTEM32\IIFGEBC.DLL
C:\WINDOWS\SYSTEM32\IIFGEBC.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6807262-1D7A-44AB-947B-23B71E97915C}
HKCR\CLSID\{A6807262-1D7A-44AB-947B-23B71E97915C}
HKCR\CLSID\{A6807262-1D7A-44AB-947B-23B71E97915C}\InprocServer32
HKCR\CLSID\{A6807262-1D7A-44AB-947B-23B71E97915C}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A6807262-1D7A-44AB-947B-23B71E97915C}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\iifgebc
C:\WINDOWS\SYSTEM32\DDCAWXV.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}
HKCR\CLSID\{1F6581D5-AA53-4B73-A6F9-41420C6B61F1}
HKCR\CLSID\{1F6581D5-AA53-4B73-A6F9-41420C6B61F1}\InprocServer32
HKCR\CLSID\{1F6581D5-AA53-4B73-A6F9-41420C6B61F1}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MIMMYJFS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}
HKCR\CLSID\{1F6581D5-AA53-4B73-A6F9-41420C6B61F1}

Adware.Tracking Cookie
C:\Documents and Settings\Play Games\Cookies\play games@adultswim[1].txt
C:\Documents and Settings\Play Games\Cookies\play games@usateenmodels[1].txt
C:\Documents and Settings\Play Games\Cookies\play games@www.adulttrafficsolutions[1].txt
C:\Documents and Settings\Play Games\Cookies\play games@www.limpsex[1].txt
C:\Documents and Settings\Play Games\Cookies\play games@www.setsofsexygirls[2].txt
C:\Documents and Settings\Play Games\Cookies\play games@www.sexinfo101[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ad.sensismediasmart.com[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ad2.pamedia.com[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads.gorillanation[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads.iamgame[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads.iamgame[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads.iboost[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads.intelihealth[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads.jackpot[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads.monster[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads.specificclick[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads2.ah-ha[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@ads4.clearchannel[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@adultrevenueservice[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@adultrevenueservice[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@adultrevenueservice[3].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@all.global-intermedia[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@arscounter[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@atwola[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@eval.bizrate[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@exitexchange[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@itnnetmedia[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@macromedia[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@mediamgr.ugo[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@metareward[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@metareward[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@metareward[3].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@metareward[4].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@metareward[5].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@mmmclick[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@nandomedia[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@nextag[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@pennyweb[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@pennyweb[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@pennyweb[4].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@riverbelle[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@speedyclick[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@sprinks-clicks.about[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@stats.klsoft[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@stats.manticoretechnology[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@stats.sitesuite[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@stats[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@tripod.lycos[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@windowsmedia[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@www.clickxchange[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@www.goldentigercasino[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@www.goldentigercasino[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@www.nextag[2].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@www.riverbelle[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@www.sexoffenders[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@www.sexy-erotic-lingerie[1].txt
F:\All Files From Old Computer\Documents and Settings\Default\Cookies\default@www.teenslutsgonewild[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@a.websponsors[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@ad.reunion[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@adcentriconline[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@adknowledge[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@ads.jackpot[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@ads.us.e-planning[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@ads.ussearch[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@ads1.rodale[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@adv.webmd[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@ath.belnk[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@atwola[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@banner.mapaubingo[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@bannerspace[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@banner[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@belnk[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@dist.belnk[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@focalex[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@icc.intellisrv[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@images.crossmediaservices[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@intellisrv[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@media4.sitebrand[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@nextag[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@partner2profit[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@pt.crossmediaservices[1].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@sears.crossmediaservices[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@tracking.foxnews[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@tracking[2].txt
F:\Documents and Settings\Gayle Graham\Cookies\gayle graham@www.adultadd[2].txt
F:\Documents and Settings\Play Games\Cookies\play games@adknowledge[1].txt
F:\Documents and Settings\Play Games\Cookies\play games@adultswim[1].txt
F:\Documents and Settings\Play Games\Cookies\play games@ath.belnk[1].txt
F:\Documents and Settings\Play Games\Cookies\play games@atwola[2].txt
F:\Documents and Settings\Play Games\Cookies\play games@belnk[2].txt
F:\Documents and Settings\Play Games\Cookies\play games@dist.belnk[1].txt
F:\Documents and Settings\Play Games\Cookies\play games@usateenmodels[1].txt
F:\Documents and Settings\Play Games\Cookies\play games@www.adulttrafficsolutions[1].txt
F:\Documents and Settings\Play Games\Cookies\play games@www.limpsex[1].txt
F:\Documents and Settings\Play Games\Cookies\play games@www.sexinfo101[2].txt

Trojan.Downloader-NoName
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1243\A0232596.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1245\A0234056.EXE

Trojan.Downloader-UltimateFixer
C:\WINDOWS\SYSTEM32\SCCHK32.EXE


Logfile of HijackThis v1.99.1
Scan saved at 7:01:06 AM, on 6/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = liveupdate.symantecliveupate.com;liveupdate.symantec.com;<local>
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Shortcut to procexp.lnk = C:\Program Files\SysInternals\procexp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.akadns.net
O15 - Trusted Zone: *.ea.com
O15 - Trusted Zone: *.earthlink.net
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pogo.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.symantecliveupdate.com
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.6.4.21/omaha/omaha-en_US.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.6.4.29/aces/aces-en_US.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.5.1.24/slot...ibaba-en_US.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.6.5.22/back...ammon-en_US.cab
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.6.1.29/batt...hlinx-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.6.0.34/blac...kjack-en_US.cab
O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.com/applet-6.7.4.28/vbja...jack2-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.7.3.30/casc...scade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.7.4.35/bowl...wling-en_US.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.4.0.41/vide...k-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.6.5.22/cana...nasta-en_US.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.7.3.30/chec...ckers-en_US.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.5.3.37/ches...hess2-en_US.cab
O16 - DPF: Command and Conquer Comanche by pogo - http://game1.pogo.com/applet-6.4.4.34/ccst...e-ob-assets.cab
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.7.3.30/crib...bbage-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game1.pogo.com/applet-6.7.3.23/ytz/ytz-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.7.2.33/chec...dflag-en_US.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.7.2.33/domi...omino-en_US.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-6.4.0.34/vide...e-ob-assets.cab
O16 - DPF: EA Sports Web Soccer by pogo - http://game1.pogo.com/applet-6.5.3.37/socc...occer-en_US.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.5.2.26/euch...uchre-en_US.cab
O16 - DPF: EZ Win Bingo by pogo - http://game1.pogo.com/applet-6.4.4.27/bing...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.7.4.28/firs...lass2-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.7.4.35/supe...bingo-en_US.cab
O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.7.4.28/gree...nback-en_US.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.6.3.34/harv...rvest-en_US.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.6.4.29/hear...earts-en_US.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.7.3.23/pool2/pool-en_US.cab
O16 - DPF: Its Outta Here 2 by pogo - http://game1.pogo.com/applet-6.6.5.22/itso...fhere-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.7.2.33/jigs...igsaw-en_US.cab
O16 - DPF: Jokers Wild Poker by pogo - http://game1.pogo.com/applet-6.3.0.46/vide...d-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.8.0.25/gin2/gin2-en_US.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.6.1.29/keno/keno-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.7.3.23/mhpo...poker-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.7.3.30/lott...ottso-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.7.5.21/mahj...hjong-en_US.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.7.3.30/mlsl...slots-en_US.cab
O16 - DPF: NASCAR Web Racing by pogo - http://game1.pogo.com/applet-6.5.3.37/nasc...ascar-en_US.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.6.1.29/paig...aigow-en_US.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.7.4.28/free...ecell-en_US.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.7.4.28/wate...wheel-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.7.3.30/flin...inger-en_US.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.6.3.34/pino...ochle-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.7.3.23/popfu/popfu-en_US.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.6.0.27/popp...zoppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.3.23/popp...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.7.4.28/hots...treak-en_US.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.7.3.30/squa...uares-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.5.4.27/ride/ride-en_US.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.1.2.32/slot...i-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.6.1.29/slot...wbiz2-en_US.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.37/slot...z-ob-assets.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.3.23/puck/puck-en_US.cab
O16 - DPF: Spades 2 by pogo - http://game1.pogo.com/applet-6.7.5.21/spad...ades2-en_US.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.4.4.34/spad...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.7.3.30/spid...pider-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.7.3.30/sque...chies-en_US.cab
O16 - DPF: Stax by pogo - http://game1.pogo.com/applet-6.7.3.30/stax/stax-en_US.cab
O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.7.2.33/swee...eeper-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.7.4.28/swee...tooth-en_US.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.7.2.24/hold...oldem-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.3.23/peaks/peaks-en_US.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.7.4.28/jumb...umbee-en_US.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.6.0.34/turb...rbo21-en_US.cab
O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.7.3.30/turb...rbo22-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.8.0.25/memo...ories-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.7.3.23/word...homp2-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.7.5.28/whac...kdown-en_US.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.7.4.35/word...djong-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.7.3.30/worl...class-en_US.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166894692343
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pogo.com/online2/pogop/ch...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FDFF65F-AE06-41A1-89B0-39BD52DAC011}: NameServer = 207.69.188.185 207.69.188.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{B31626DB-DAB0-4891-A261-588E6E142D3A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FDFF65F-AE06-41A1-89B0-39BD52DAC011}: NameServer = 207.69.188.185 207.69.188.186
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,581 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:26 AM

Posted 30 June 2007 - 12:43 PM

OK, good, looks like the active Vundo infection is gone and just a few leftovers to clean up.

You've disabled some BHOs with AutoRuns, which is OK as long as they are Vundo BHOs, but it is better to delete them from the registry. I would first like to see what they are so I don't delete something that is legit also. Please do the following:

Open AutoRuns and click on the Internet Explorer tab.
Open Notepad.
Highlight each entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.
Then click on the Entry menu and choose Copy.
Paste each line into Notepad, save the file to your desktop, and post the information back here please.

I don't know if you or your wife installed Party Poker and use it, but it gets downloaded along with malware, ads on its site could lead to malware at times and in general it can't really be trusted. If you can do without it I would advise you to do so and uninstall from Add/Remove via your Control Panel, but this is at your option.

Also there are several sites in IE's Trusted Zone. This is not a good idea--only use that zone if you cannot open a site any other way or if required for work or school. That zone gives too many rights to sites to run any scripts and downloads without asking you and there are virtually no sites out there you should trust that much. Even sites that you are familiar with and never give problems get hijacked by the bad guys--see this article for an example, and note this doesn't just happen to MySpace.

http://www.webware.com/8301-1_109-9737828-2.html?tag=blog

Scan again with HijackThis and put a checkmark next to the following entries:

O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

Close all other windows--you should only see HijackThis on your Desktop and Taskbar--and then click the "Fix checked" button.

Then, open Notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\asmramng.dll
C:\WINDOWS\SYSTEM32\owrclvew.dll
C:\WINDOWS\SYSTEM32\chtmccmq.dll
C:\WINDOWS\SYSTEM32\bebymsct.dll
C:\WINDOWS\SYSTEM32\amjxymsn.dll
C:\WINDOWS\SYSTEM32\ofqdhbon.dll
C:\WINDOWS\SYSTEM32\lkyfrwqm.exe


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]

This will start ComboFix again. It may ask to reboot, but if not reboot anyway and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also are you familiar with this folder?

C:\xxx

If it was not created by one of the computer's users, please do the following:

1. Download FileFind.zip and unzip to your desktop.

2. Double-click FindFile.exe
3. In the box labeled "Enter the directory to search" highlight the text already in the field and copy and paste the following bold text into it:

C:\xxx

4. In the box labeled "Enter the File to Search" leave the text already in the field.
5. Click "Find" to begin the search.
6. When the search is done, it will list the total number of files found.
7. Double-click on "Export"
8. Notepad should open with the results; paste those in your next reply. The text file named export.txt will also be saved in the root of your C:\ directory.

Let me know how things are running now.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
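An added example, not part of Papakid's post and not code from HijackThis, Autoruns or ComboFix: a PowerShell script that reads the same Browser Helper Objects key Papakid asks to be copied out of Autoruns, resolves each CLSID to the DLL it loads through HKLM\SOFTWARE\Classes\CLSID\{clsid}\InProcServer32, checks whether that file exists and carries a valid Authenticode signature, and lists every host the Trusted Sites zone (ZoneMap value 2) currently contains. It assumes a Windows host with PowerShell 3 or later run from an elevated prompt; the function names `Get-BhoInventory` and `Get-TrustedSites` and the `Suspicious` heuristic (missing or unsigned DLL, or an eight-letter random file name in System32 like the ones ComboFix listed in this thread) are this example's own, not a rule from the thread.

```powershell
# Added example: audit IE Browser Helper Objects and the Trusted Sites zone.
# Assumes Windows with PowerShell 3+, run elevated so HKLM is fully readable.

function Get-BhoInventory {
    # Registry key Papakid asks to be copied out of Autoruns.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return @() }

    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid = $sub.PSChildName
        # The CLSID's InProcServer32 default value is the DLL Internet Explorer loads for this BHO.
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        $dll = $null
        if (Test-Path $serverKey) {
            $dll = (Get-ItemProperty -Path $serverKey).'(default)'
        }

        $exists = $false
        $sigStatus = 'NoFile'
        $signer = 'n/a'
        if ($dll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            $exists = Test-Path -LiteralPath $expanded
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $expanded
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
        }

        # Heuristic of this example only: flag a BHO whose DLL is missing, unsigned,
        # or has an eight-letter random name directly in System32 (the naming pattern
        # of the Vundo DLLs ComboFix listed earlier in this thread).
        $randomName = $dll -and ($dll -match '\\system32\\[a-z]{8}\.dll$')
        [pscustomobject]@{
            CLSID      = $clsid
            Dll        = $dll
            FileExists = $exists
            SigStatus  = $sigStatus
            Signer     = $signer
            Suspicious = ((-not $exists) -or ($sigStatus -ne 'Valid') -or $randomName)
        }
    }
}

function Get-TrustedSites {
    # ZoneMap\Domains holds one key per domain; hosts are either values on that key
    # or sub-keys (a sub-key named '*' covers every host, shown by HijackThis as *.domain).
    # Values are named per scheme (http, https, *) and a DWORD of 2 means Trusted Sites.
    $roots = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($domain in Get-ChildItem $root) {
            $nodes = @($domain) + @(Get-ChildItem $domain.PSPath)
            foreach ($node in $nodes) {
                $props = Get-ItemProperty -Path $node.PSPath
                foreach ($scheme in @('http', 'https', '*')) {
                    if ($props.PSObject.Properties[$scheme] -and $props.$scheme -eq 2) {
                        $site = if ($node.PSPath -eq $domain.PSPath) {
                            $domain.PSChildName
                        } else {
                            "$($node.PSChildName).$($domain.PSChildName)"
                        }
                        [pscustomobject]@{
                            Hive   = $root.Split(':')[0]
                            Site   = $site
                            Scheme = $scheme
                        }
                    }
                }
            }
        }
    }
}

# Usage: review anything marked Suspicious, and every Trusted Sites entry you did not add on purpose.
Get-BhoInventory | Format-Table -AutoSize
Get-TrustedSites | Sort-Object Site | Format-Table -AutoSize
```

The BHO table gives the same CLSID-to-DLL mapping that Papakid wanted from Autoruns, plus the signature check that Autoruns shows only when "Verify Code Signatures" is enabled; the Trusted Sites list corresponds to the O15 lines in the HijackThis log, so a domain that appears here and was not deliberately added is a candidate for removal via Internet Options.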


#5 Mountain_Man

Mountain_Man
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 01 July 2007 - 12:25 PM

Papakid,

The c:\xxx folder is mine. I am using it to hold all of the .txt and .log files I am sending to you.

I uninstalled PartyPoker. It hadn't been used since 2005.

Here is the additional info you requested.

Autoruns.txt
--------------
AcroIEHlprObj ClassAdobe Acrobat IE Helper Version 6.0 for ActivieX Adobe Systems Incorporated c:\program files\adobe\acrobat 6.0\reader\activex\acroiehelper.dll
PnIEBrowserHelperObj ClassEarthlink Popup Blocker EarthLink, Inc. c:\program files\earthlink totalaccess\pnel.dll
SSVHelper ClassJava™ Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre1.6.0_01\bin\ssv.dll


ComboFix 07-06-18.2 - C:\xxx\ComboFix\ComboFix.exe
"Gayle Graham" - 2007-07-01 10:00:44 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


2007-07-01 08:42 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-29 23:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-29 23:28 <DIR> d-------- C:\DOCUME~1\GAYLEG~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-29 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-29 22:23 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 22:19 <DIR> d-------- C:\xxx
2007-06-29 07:20 128,576 --a------ C:\WINDOWS\SYSTEM32\asmramng.dll
2007-06-28 12:05 128,576 --a------ C:\WINDOWS\SYSTEM32\owrclvew.dll
2007-06-27 19:32 128,576 --a------ C:\WINDOWS\SYSTEM32\chtmccmq.dll
2007-06-27 19:29 66,112 --a------ C:\WINDOWS\SYSTEM32\bebymsct.dll
2007-06-27 14:44 128,576 --a------ C:\WINDOWS\SYSTEM32\amjxymsn.dll
2007-06-27 06:40 4,246 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-26 21:17 128,576 --a------ C:\WINDOWS\SYSTEM32\ofqdhbon.dll
2007-06-26 21:11 4,672 --a------ C:\WINDOWS\SYSTEM32\lkyfrwqm.exe
2007-06-26 19:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-12 16:51 <DIR> d-------- C:\WINDOWS\.jagex_cache_32


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 16:55:28 -------- d-----w C:\Program Files\PartyPoker
2007-07-01 15:35:06 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-01 13:14:17 -------- d-----w C:\Program Files\EarthLink TotalAccess
2007-07-01 13:11:57 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-06-27 02:35:25 -------- d-----w C:\DOCUME~1\GAYLEG~1\APPLIC~1\Lavasoft
2007-06-27 02:32:25 -------- d-----w C:\Program Files\Lavasoft
2007-06-26 05:23:40 -------- d-----w C:\Program Files\SysInternals
2007-06-23 12:49:50 -------- d-----w C:\Program Files\World of Warcraft
2007-06-17 06:39:02 -------- d-----w C:\Program Files\Warcraft III
2007-06-16 07:08:25 -------- d-----w C:\Program Files\EA Games
2007-05-29 12:43:30 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-12 15:42:19 -------- d-----w C:\Program Files\MSXML 6.0
2007-05-12 14:29:06 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 01:47]
{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}=C:\Program Files\EarthLink TotalAccess\PnEL.dll [2004-06-18 21:35]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-21 12:27]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 17:47]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-02 23:01]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 18:22]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-06-24 15:24]



Contents of the 'Scheduled Tasks' folder
2007-06-30 02:33:13 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-01-13 15:23:48 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Gayle Graham.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 10:05:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-01 10:07:10
C:\ComboFix-quarantined-files.txt ... 2007-07-01 10:06

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 10:15:21 AM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = liveupdate.symantecliveupate.com;liveupdate.symantec.com
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Shortcut to procexp.lnk = C:\Program Files\SysInternals\procexp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.akadns.net
O15 - Trusted Zone: *.ea.com
O15 - Trusted Zone: *.earthlink.net
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pogo.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.symantecliveupdate.com
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.6.4.21/omaha/omaha-en_US.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.6.4.29/aces/aces-en_US.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.5.1.24/slot...ibaba-en_US.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.6.5.22/back...ammon-en_US.cab
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.6.1.29/batt...hlinx-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.6.0.34/blac...kjack-en_US.cab
O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.com/applet-6.7.4.28/vbja...jack2-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.7.3.30/casc...scade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.7.4.35/bowl...wling-en_US.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.4.0.41/vide...k-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.6.5.22/cana...nasta-en_US.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.7.3.30/chec...ckers-en_US.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.5.3.37/ches...hess2-en_US.cab
O16 - DPF: Command and Conquer Comanche by pogo - http://game1.pogo.com/applet-6.4.4.34/ccst...e-ob-assets.cab
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.7.3.30/crib...bbage-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game1.pogo.com/applet-6.7.3.23/ytz/ytz-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.7.2.33/chec...dflag-en_US.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.7.2.33/domi...omino-en_US.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-6.4.0.34/vide...e-ob-assets.cab
O16 - DPF: EA Sports Web Soccer by pogo - http://game1.pogo.com/applet-6.5.3.37/socc...occer-en_US.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.5.2.26/euch...uchre-en_US.cab
O16 - DPF: EZ Win Bingo by pogo - http://game1.pogo.com/applet-6.4.4.27/bing...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.7.4.28/firs...lass2-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.7.4.35/supe...bingo-en_US.cab
O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.7.4.28/gree...nback-en_US.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.6.3.34/harv...rvest-en_US.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.6.4.29/hear...earts-en_US.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.7.3.23/pool2/pool-en_US.cab
O16 - DPF: Its Outta Here 2 by pogo - http://game1.pogo.com/applet-6.6.5.22/itso...fhere-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.7.2.33/jigs...igsaw-en_US.cab
O16 - DPF: Jokers Wild Poker by pogo - http://game1.pogo.com/applet-6.3.0.46/vide...d-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.8.0.25/gin2/gin2-en_US.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.6.1.29/keno/keno-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.7.3.23/mhpo...poker-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.7.3.30/lott...ottso-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.7.5.21/mahj...hjong-en_US.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.7.3.30/mlsl...slots-en_US.cab
O16 - DPF: NASCAR Web Racing by pogo - http://game1.pogo.com/applet-6.5.3.37/nasc...ascar-en_US.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.6.1.29/paig...aigow-en_US.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.7.4.28/free...ecell-en_US.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.7.4.28/wate...wheel-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.7.3.30/flin...inger-en_US.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.6.3.34/pino...ochle-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.7.3.23/popfu/popfu-en_US.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.6.0.27/popp...zoppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.3.23/popp...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.7.4.28/hots...treak-en_US.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.7.3.30/squa...uares-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.5.4.27/ride/ride-en_US.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.1.2.32/slot...i-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.6.1.29/slot...wbiz2-en_US.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.37/slot...z-ob-assets.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.3.23/puck/puck-en_US.cab
O16 - DPF: Spades 2 by pogo - http://game1.pogo.com/applet-6.7.5.21/spad...ades2-en_US.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.4.4.34/spad...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.7.3.30/spid...pider-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.7.3.30/sque...chies-en_US.cab
O16 - DPF: Stax by pogo - http://game1.pogo.com/applet-6.7.3.30/stax/stax-en_US.cab
O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.7.2.33/swee...eeper-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.7.4.28/swee...tooth-en_US.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.7.2.24/hold...oldem-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.3.23/peaks/peaks-en_US.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.7.4.28/jumb...umbee-en_US.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.6.0.34/turb...rbo21-en_US.cab
O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.7.3.30/turb...rbo22-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.8.0.25/memo...ories-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.7.3.23/word...homp2-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.7.5.28/whac...kdown-en_US.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.7.4.35/word...djong-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.7.3.30/worl...class-en_US.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166894692343
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pogo.com/online2/pogop/ch...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B31626DB-DAB0-4891-A261-588E6E142D3A}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

#6 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,581 posts
  • Gender:Male

Posted 01 July 2007 - 01:10 PM

The c:\xxx folder is mine. I am using it to hold all of the .txt and .log files I am sending to you.

Ah, OK, I should have known that since the following appeared in your first CF log--I overlooked it:

ComboFix 07-06-18.2 - C:\xxx\ComboFix\ComboFix.exe

Problem is, for all of CF's many functions to work correctly, it must be run from the desktop. Apparently the first run deleted several Vundo files, but the CF-Do.txt left those other files on your system. Please move ComboFix.exe and ComboFix-Do.txt to your desktop long enough to carry out the instructions in my previous post. Then post the log so I can confirm that it worked.

Here is the additional info you requested.

Autoruns.txt
--------------
AcroIEHlprObj Class | Adobe Acrobat IE Helper Version 6.0 for ActivieX | Adobe Systems Incorporated | c:\program files\adobe\acrobat 6.0\reader\activex\acroiehelper.dll
PnIEBrowserHelperObj Class | Earthlink Popup Blocker | EarthLink, Inc. | c:\program files\earthlink totalaccess\pnel.dll
SSVHelper Class | Java™ Platform SE binary | Sun Microsystems, Inc. | c:\program files\java\jre1.6.0_01\bin\ssv.dll

Thanks, you're in good shape there. No further action required.

I uninstalled PartyPoker. It hadn't been used since 2005.

OK, you can fix the following with HijackThis if still there for a little extra cleanup:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

While you are in there you can also fix these Trusted Zone settings as per my previous advice and if you so desire--I would at least fix the first two:

O15 - Trusted Zone: *.akadns.net
O15 - Trusted Zone: *.ea.com
O15 - Trusted Zone: *.earthlink.net
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pogo.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.symantecliveupdate.com

Reboot after both fixes and post fresh logs, please.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
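As an added example (not the thread's, BleepingComputer's or HijackThis's own code), a small Python triage helper that parses lines in the HijackThis log format shown above, flags the entry kinds this reply asks to fix (O9 buttons whose target is missing, O15 Trusted Zone additions, other registrations whose file is gone), and reports which flagged entries are still present in a fresh log. The sample log lines are constructed from entries in this thread, and the section/reason rules are my own assumptions, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the HijackThis log above (not the full log).
OLD_LOG = """\
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\\Program Files\\PartyPoker\\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\\Program Files\\PartyPoker\\PartyPoker.exe (file missing)
O15 - Trusted Zone: *.akadns.net
O15 - Trusted Zone: *.ea.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe" /h ccCommon (file missing)
"""
# Constructed "fresh log" after the O9 entries and the first two O15 entries were fixed.
NEW_LOG = """\
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O15 - Trusted Zone: *.earthlink.net
"""
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # matches "O9 - ...", "R1 - ...", etc.

@dataclass(frozen=True)
class Entry:
    section: str  # "O9", "O15", ...
    body: str     # text after the "O9 - " prefix

def parse_log(text: str) -> List[Entry]:
    """Keep only the classified O/R/F/N lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def flag(entry: Entry) -> Optional[str]:
    """Reason to review this entry, or None. Rules mirror what the reply above asks to fix."""
    if entry.section == "O15" and entry.body.startswith("Trusted Zone:"):
        return "site in IE Trusted Zone: relaxed security settings apply to it"
    # O23 is left out on purpose: this HijackThis version reports "(file missing)" for
    # service paths with an embedded quote (the Symantec entries above) even when the binary exists.
    if entry.section in {"O2", "O3", "O9", "R3"} and (
        "(file missing)" in entry.body or "(no file)" in entry.body
    ):
        return "registration points at a file that is no longer there"
    return None

def triage(text: str) -> List[Tuple[Entry, str]]:
    """All flagged entries of a log, each with its reason."""
    return [(e, r) for e in parse_log(text) if (r := flag(e))]

def remaining_after_fix(old_log: str, new_log: str) -> List[Entry]:
    """Flagged entries of the old log that are still present, verbatim, in the fresh log."""
    fresh = set(parse_log(new_log))
    return [e for e, _ in triage(old_log) if e in fresh]
```

Running `remaining_after_fix(OLD_LOG, NEW_LOG)` on the constructed logs returns only the O2 entry, so the fresh log confirms the O9 and O15 fixes took.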




