Help


This topic is locked
9 replies to this topic

#1 triplec
Authentic Member, 52 posts

Posted 12 June 2007 - 12:31 AM

Can somebody please look at my HJT log and tell me what is causing my laptop to run so slow. I get pop-ups and my pop-up blocker is on. I think there might be spyware, malware or adware on it. Thank you.

Here is that HJT scan



Logfile of HijackThis v1.99.1
Scan saved at 11:13:13 PM, on 6/11/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\cmljayBqYW1lcw\command.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\{DCEA5DD6-03E4-1033-0516-030303110001}\Update.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINDOWS\ihvuxyi.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\uiuu\uiuum.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\uiuu\uiuua.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\DOCUME~1\lacey\LOCALS~1\Temp\xpre.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\progra~1\yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\lacey\LOCALS~1\Temp\WinAntiVirusPro2007FreeInstall.exe
C:\DOCUME~1\lacey\LOCALS~1\Temp\Rar$EX01.285\HijackThis.exe
C:\DOCUME~1\lacey\LOCALS~1\Temp\Rar$EX04.850\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\System32\pmnklkj.dll (file missing)
O2 - BHO: 0 - {452F8784-8D81-4DDD-B3B6-D20DFA77B8A9} - C:\Program Files\MSN Messenger\labutunef.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {95B0E8FF-90C6-4507-AA28-612F97109B19} - C:\WINDOWS\System32\efeby.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CEA5~1\Bar888.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\System32\mcuknbhn.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\System32\tlbcuodu.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CEA5~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{DCEA5DD6-03E4-1033-0516-030303110001}] "C:\Program Files\Common Files\{DCEA5DD6-03E4-1033-0516-030303110001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [{DCEA5DD6-02DA-1033-0516-030303110001}] "C:\Program Files\Common Files\{DCEA5DD6-02DA-1033-0516-030303110001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\lacey\LOCALS~1\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [j7201432] rundll32 C:\WINDOWS\System32\j7201432.dll sook
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\ihvuxyi.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\ugehbjih.dll",realset
O4 - HKLM\..\Run: [NI.UWA7P_0001_N91M0809] "C:\DOCUME~1\lacey\LOCALS~1\Temp\WinAntiVirusPro2007FreeInstall.exe" -nag
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [uiuu] C:\PROGRA~1\COMMON~1\uiuu\uiuum.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\lacey\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://tsweb.dgs.ca...tsweb/msrdp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: awttqrq - C:\WINDOWS\SYSTEM32\awttqrq.dll
O20 - Winlogon Notify: efeby - C:\WINDOWS\System32\efeby.dll
O20 - Winlogon Notify: pmnklkj - pmnklkj.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cmljayBqYW1lcw\command.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
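The helpers on this forum read logs like the one above by eye. As an added example (not code from the thread, from HijackThis or from What the Tech), here is a small Python triage script that applies the same checks to a handful of lines copied from the log: autoruns launched from Temp, dangling "(file missing)" entries, unnamed BHOs, O10 Winsock hijacks, Trusted Zone additions, Winlogon Notify DLLs, and unknown-owner services in oddly named folders. The TRUSTED_ZONE_ALLOWLIST and the base64-directory heuristic are assumptions of this example, not rules HijackThis itself applies.

```python
"""Triage helper for HijackThis v1.99.x log lines (added example, not from the thread).

It applies the checks a malware-removal helper makes by eye: autoruns launched from
a Temp directory, dangling entries, unnamed BHOs, O10 Winsock hijacks, Trusted Zone
additions, Winlogon Notify DLLs, and unknown-owner services in oddly named folders.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Assumption of this example: domains that may legitimately sit in the Trusted Zone.
TRUSTED_ZONE_ALLOWLIST = {"windowsupdate.microsoft.com", "update.microsoft.com"}

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
TEMP_PATH = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# A directory name of 12+ base64-alphabet characters, e.g. cmljayBqYW1lcw in the log above.
B64_COMPONENT = re.compile(r"^[A-Za-z0-9+/]{12,}$")

# Constructed sample: a handful of lines copied from the first log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\System32\mcuknbhn.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CEA5~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\lacey\LOCALS~1\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\ugehbjih.dll",realset
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: awttqrq - C:\WINDOWS\SYSTEM32\awttqrq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cmljayBqYW1lcw\command.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def looks_base64_named(path: str) -> bool:
    """True if some path component is base64 text that decodes to printable ASCII."""
    for part in path.split("\\"):
        if not B64_COMPONENT.match(part):
            continue
        padded = part + "=" * (-len(part) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded and all(32 <= byte < 127 for byte in decoded):
            return True
    return False


def reasons_for(section: str, body: str) -> list[str]:
    """Heuristic flags for one log entry; an empty list means nothing stood out."""
    reasons: list[str] = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("dangling entry: referenced file is gone")
    if TEMP_PATH.search(body):
        reasons.append("launches from a Temp directory")
    if looks_base64_named(body):
        reasons.append("path contains a base64-encoded directory name")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO")
    if section == "O4" and "rundll32" in body.lower():
        reasons.append("DLL autorun via rundll32 (review)")
    if section == "O10":
        reasons.append("Winsock LSP hijack")
    if section == "O15":
        domain = body.split(":", 1)[1].split()[0].lstrip("*.")
        if domain not in TRUSTED_ZONE_ALLOWLIST:
            reasons.append(f"unexpected Trusted Zone domain: {domain}")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        reasons.append("Winlogon Notify DLL loads at every logon")
    if section == "O23" and "Unknown owner" in body and "\\windows\\system32\\" not in body.lower():
        reasons.append("unknown-owner service outside System32")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Parse an HJT log and return one Finding per (entry, reason) pair."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = HJT_LINE.match(line)
        if not match:
            continue  # header, running-process list, blank lines
        section, body = match.group("section"), match.group("body")
        findings.extend(Finding(section, why, line) for why in reasons_for(section, body))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Run against the full log, the legitimate Yahoo and ATI entries produce no findings while every entry the helpers later removed is flagged at least once; treat the output as a review list, not a verdict.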



#2 Markka
Advanced Member (Banned), 784 posts

Posted 12 June 2007 - 12:39 PM

Hi and welcome to the forums. :) I'm Markka and I will be helping you with your malware issues. I'll check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by teachers of Malware Removal University. Please be patient. :)

#3 Markka
Advanced Member (Banned), 784 posts

Posted 13 June 2007 - 01:06 AM

Hello :)

Create a new folder here: C:\HJT
Then download HijackThis from here and save it into the HJT folder. (C:\HJT\HijackThis.exe)

******************************************************************************
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
******************************************************************************
Please download the following program and save it to your desktop:

http://noahdfear.gee...com/FindAWF.exe

Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.
*****************************************************************************
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
*******************************************************************************
Post:
- A fresh HijackThis log
- Contents of C:\ComboFix.txt
- Logfile of FindAWF
- Contents of the Report.txt

#4 triplec
Authentic Member, 52 posts

Posted 15 June 2007 - 02:48 PM

Here is the new HJT log, the ComboFix log and the AWF log, and I'm working on the SDFix log... but when I restart in Safe Mode it doesn't allow me to log in with the account I normally log in with. It's not even an option. But my laptop is already running much better and hopefully we can figure this out. Thanks for all your help.



Logfile of HijackThis v1.99.1
Scan saved at 1:30:40 PM, on 6/15/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\lacey\LOCALS~1\Temp\Rar$EX00.115\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: 0 - {452F8784-8D81-4DDD-B3B6-D20DFA77B8A9} - C:\Program Files\MSN Messenger\labutunef.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\System32\ljuawcdc.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\ari\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\ari\Local Settings\Temp\thinksnet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://tsweb.dgs.ca...tsweb/msrdp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pmnklkj - pmnklkj.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

ComboFix 07-06-13.3 - C:\Documents and Settings\lacey\My Documents\ComboFix.exe
"lacy" - 2007-06-15 12:55:24 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bdnmkuqk.dll
C:\WINDOWS\system32\dibrskla.dll
C:\WINDOWS\system32\hjolgkpm.dll
C:\WINDOWS\system32\hlvucoia.dll
C:\WINDOWS\system32\lmxwvvbx.dll
C:\WINDOWS\system32\mcuknbhn.dll
C:\WINDOWS\system32\sshdjkyt.dll
C:\WINDOWS\system32\tkrmdhsr.dll
C:\WINDOWS\system32\tlbcuodu.dll
C:\WINDOWS\system32\vhirknic.dll
C:\WINDOWS\system32\vvrhcalg.dll
C:\WINDOWS\system32\vylrojnq.dll
C:\WINDOWS\system32\wbvcsqae.dll
C:\WINDOWS\system32\yabyw.dll
C:\WINDOWS\system32\ddccyxy.dll
C:\WINDOWS\system32\jkklmkl.dll
C:\WINDOWS\system32\opnmlli.dll
C:\WINDOWS\system32\pmnoopn.dll
C:\WINDOWS\system32\kqukmndb.ini
C:\WINDOWS\system32\ybefe.bak1
C:\WINDOWS\system32\ybefe.bak2
C:\WINDOWS\system32\ybefe.ini
C:\WINDOWS\system32\ybefe.ini2
C:\WINDOWS\system32\ybefe.tmp
C:\WINDOWS\system32\mpkglojh.ini
C:\WINDOWS\system32\tykjdhss.ini
C:\WINDOWS\system32\cinkrihv.ini
C:\WINDOWS\system32\eaqscvbw.ini
C:\WINDOWS\system32\wybay.ini
C:\WINDOWS\system32\ybefe.bak1
C:\WINDOWS\system32\ybefe.bak2
C:\WINDOWS\system32\ybefe.ini
C:\WINDOWS\system32\ybefe.ini2
C:\WINDOWS\system32\ybefe.tmp
C:\WINDOWS\system32\ybefe.bak1
C:\WINDOWS\system32\ybefe.bak2
C:\WINDOWS\system32\ybefe.ini
C:\WINDOWS\system32\ybefe.ini2
C:\WINDOWS\system32\ybefe.tmp
C:\WINDOWS\system32\efeby.dll
C:\WINDOWS\system32\awttqrq.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\lacey\APPLIC~1.\macromedia\Flash Player\#SharedObjects\D2PAZS8M\www.broadcaster.com
C:\DOCUME~1\lacey\APPLIC~1.\macromedia\Flash Player\#SharedObjects\D2PAZS8M\www.broadcaster.com\played_list.sol
C:\DOCUME~1\lacey\APPLIC~1.\macromedia\Flash Player\#SharedObjects\D2PAZS8M\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\lacey\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\lacey\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\lacey\APPLIC~1.\mbols~1
C:\DOCUME~1\lacey\APPLIC~1.\racle~1
C:\DOCUME~1\lacey\APPLIC~1.\smante~1
C:\DOCUME~1\lacey\MYDOCU~1.\asks~1
C:\DOCUME~1\lacey\MYDOCU~1.\dobe~1
C:\DOCUME~1\lacey\MYDOCU~1.\ssembl~1
C:\DOCUME~1\lacey\MYDOCU~1.\ystem~1
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\Program Files\asembl~1
C:\Program Files\asks~1
C:\Program Files\Common Files\{3CEA5~1
C:\Program Files\Common Files\{DCEA5~1
C:\Program Files\Common Files\{DCEA5~1\system.dll
C:\Program Files\Common Files\{DCEA5~1\Update.exe
C:\Program Files\Common Files\{DCEA5~2
C:\Program Files\Common Files\{DCEA5~2\system.dll
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whAgent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\Tempb9
C:\Tempb9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\764.exe
C:\WINDOWS\cmljayBqYW1lcw\asappsrv.dll
C:\WINDOWS\cmljayBqYW1lcw\command.exe
C:\WINDOWS\ecurit~1
C:\WINDOWS\icroso~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\sembly~1
C:\WINDOWS\system32x57.exe
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\RunOnce2.t__
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\dlltk67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\winupd_KB38810001.exe
C:\WINDOWS\system32\winupd_KB44105609.exe
C:\WINDOWS\system32\winupd_KB50712874.exe
C:\WINDOWS\system32\winupd_KB62062812.exe
C:\WINDOWS\system32\winupd_KB77526596.exe
C:\WINDOWS\system32\winupd_KB93736873.exe
C:\WINDOWS\system32\winupd_KB95349334.exe
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\system32\wnsapiicom.exe
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\system32RunOnce2.t__
C:\WINDOWS\system32RunOnce2.tm_
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\ystem3~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_RUNTIME
-------\cmdService
-------\COM+ Messages
-------\core
-------\Network Monitor
-------\Runtime


((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))


2007-06-15 12:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 21:04 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-13 21:04 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-13 21:04 <DIR> d-------- C:\Temp\iee
2007-06-13 20:45 62,516 --a------ C:\WINDOWS\system32\ljuawcdc.dll
2007-06-12 11:32 2,580 --a------ C:\WINDOWS\system32\twbwuenp.exe
2007-06-12 10:56 9,472 --a------ C:\WINDOWS\bokja.exe
2007-06-12 10:56 30,976 --a------ C:\WINDOWS\saiemod.dll
2007-06-12 10:56 29,952 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-06-12 10:56 29,952 --a------ C:\WINDOWS\pbar.dll
2007-06-12 10:56 28,160 --a------ C:\WINDOWS\system32\satmat.exe
2007-06-12 10:56 27,904 --a------ C:\WINDOWS\system32\Bi.dll
2007-06-12 10:56 27,136 --a------ C:\WINDOWS\system32\Biprep.exe
2007-06-12 10:56 26,880 --a------ C:\WINDOWS\bjam.dll
2007-06-12 10:56 25,600 --a------ C:\WINDOWS\system32\updatetc.exe
2007-06-12 10:56 25,088 --a------ C:\WINDOWS\system32\salm.exe
2007-06-12 10:56 25,088 --a------ C:\WINDOWS\system32\msdn_lib.dll
2007-06-12 10:56 22,272 --a------ C:\WINDOWS\2020search2.dll
2007-06-12 10:56 21,760 --a------ C:\WINDOWS\mssvr.exe
2007-06-12 10:56 21,504 --a------ C:\WINDOWS\system32\wml.exe
2007-06-12 10:56 21,248 --a------ C:\WINDOWS\mspphe.dll
2007-06-12 10:56 20,992 --a------ C:\WINDOWS\voiceip.dll
2007-06-12 10:56 19,712 --a------ C:\WINDOWS\2020search.dll
2007-06-12 10:56 17,920 --a------ C:\WINDOWS\7search.dll
2007-06-12 10:56 17,664 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-06-12 10:56 15,616 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-06-12 10:56 15,104 --a------ C:\WINDOWS\system32\SUSP.exe
2007-06-12 10:56 14,848 --a------ C:\WINDOWS\stcloader.exe
2007-06-12 10:56 14,592 --a------ C:\WINDOWS\flt.dll
2007-06-12 10:56 14,080 --a------ C:\WINDOWS\bi.dll
2007-06-12 10:56 12,544 --a------ C:\WINDOWS\swin32.dll
2007-06-12 10:56 12,032 --a------ C:\WINDOWS\cdsm32.dll
2007-06-12 10:56 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-06-12 10:56 10,496 --a------ C:\WINDOWS\system32\180ax.exe
2007-06-12 10:55 11,271 --a------ C:\sysafce.exe
2007-06-11 23:18 <DIR> d--hs---- C:\UWA7P
2007-06-11 23:17 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-11 23:17 <DIR> d-------- C:\DOCUME~1\lacey\APPLIC~1\WinAntiVirus Pro 2007
2007-06-11 23:16 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-11 23:16 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-11 23:16 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-06-11 23:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-06 09:32 34,304 --a------ C:\WINDOWS\ihvuxyi.exe
2007-06-06 09:32 <DIR> d-------- C:\Program Files\WinTouch
2007-06-05 10:29 14,868 --a------ C:\WINDOWS\system32\omskildd.exe
2007-06-05 10:28 2,580 --a------ C:\WINDOWS\system32\icowcqwc.exe
2007-06-03 23:28 2,580 --a------ C:\WINDOWS\system32\lnfslryf.exe
2007-06-02 21:57 2,580 --a------ C:\WINDOWS\system32\ffwwuqrb.exe
2007-05-31 20:08 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-31 20:08 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-05-31 20:08 <DIR> d-------- C:\Temp\x2b
2007-05-31 20:08 <DIR> d-------- C:\Temp
2007-05-30 16:59 <DIR> d-------- C:\DOCUME~1\lacey\APPLIC~1\Move Networks
2007-05-22 17:43 <DIR> d-------- C:\Program Files\MySpace
2007-05-22 17:43 <DIR> d-------- C:\DOCUME~1\lacey\APPLIC~1\MySpace


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-15 19:18:12 -------- d-----w C:\Program Files\Common Files\uiuu
2007-06-15 19:16:43 -------- d-----w C:\Program Files\Common Files\Network Associates
2007-06-01 03:09:11 -------- d-----w C:\Program Files\MSN Messenger
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\cmljayBqYW1lcw\wA53uV1NsqY5wT.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-09-29 12:53]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}=C:\Program Files\Outerinfo\Outerinfo.dll []
{452F8784-8D81-4DDD-B3B6-D20DFA77B8A9}=C:\Program Files\MSN Messenger\labutunef.dll []
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}=C:\WINDOWS\System32\ljuawcdc.dll [2007-06-13 20:45]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:33]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 17:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" []
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" []
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"Motive SmartBridge"="C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43]
"{ZN}"="C:\Documents and Settings\ari\Local Settings\Temp\thinksnet.exe" [2007-06-13 21:04]
"WinTouch"="C:\Program Files\WinTouch\WinTouch.exe" [2007-06-06 09:32]
"Salestart"="C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-03-29 18:28]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-26 21:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnklkj]
pmnklkj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-15 13:04:20
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-15 13:06:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-15 13:05

--- E O F ---

#5 triplec
Authentic Member, 52 posts

Posted 15 June 2007 - 02:49 PM

Here is the AWF log

Find AWF report by noahdfear ©2006

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK
0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK
06/06/2003 11:27 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
02/24/2004 10:10 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\SBCLIG~1\SMARTB~1\BAK
12/10/2003 04:52 AM 380,928 MotiveSB.exe
1 File(s) 380,928 bytes

Directory of C:\PROGRA~1\YAHOO!\BROWSER\BAK
12/09/2003 02:02 PM 57,344 ybrwicon.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK
08/15/2005 03:24 PM 3,092,480 ypager.exe
1 File(s) 3,092,480 bytes

Directory of C:\PROGRA~1\COMMON~1\NETWOR~1\TALKBACK\BAK
10/07/2003 10:48 AM 147,514 TBMon.exe
1 File(s) 147,514 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
05/17/2003 06:00 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK
03/04/2005 03:36 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Jun 6 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
335872 Feb 24 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
380928 Dec 10 2003 "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak\MotiveSB.exe"
380928 May 17 2003 "C:\Program Files\SBC LightSpeed Self Support Tool\vendors\SBC\wwwcache\wt\default\private\content\driven_dev\bin\MotiveSB.exe"
129536 Jul 21 2006 "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
57344 Dec 9 2003 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
3092480 Aug 15 2005 "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
147514 Oct 7 2003 "C:\Program Files\Common Files\Network Associates\TalkBack\bak\TBMon.exe"
180269 May 17 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\bak\jusched.exe"

end of report

#6 Markka
Advanced Member (Banned), 784 posts

Posted 17 June 2007 - 07:06 AM

Hello :)

You don't have a firewall on your computer. Here are free and good firewalls: (Install only one)

Comodo
OutPost
Kerio
Sygate
ZoneAlarm
_______________________________________________________________

Open Notepad
-> copy the following lines into a new document:

@echo off
Move /Y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
Move /Y "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" "C:\Program Files\ATI Technologies\ATI Control Panel"
Move /Y "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak\MotiveSB.exe" "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge"
Move /Y "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe" "C:\Program Files\Yahoo!\browser"
Move /Y "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe" "C:\Program Files\Yahoo!\Messenger"
Move /Y "C:\Program Files\Common Files\Network Associates\TalkBack\bak\TBMon.exe" "C:\Program Files\Common Files\Network Associates\TalkBack"
Move /Y "C:\Program Files\Java\jre1.5.0_02\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_02\bin"
Move /Y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
exit

Save the document to your desktop as Fix.bat with file type: All Files
___________________________________________
Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
_____________________________________________
Go to your desktop and run the file Fix.bat and answer yes to any questions.

Reboot in normal mode! Re-run with FindAWF.


Post:
- A fresh HijackThis log
- Logfile of FindAWF
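The bak-folder pattern that FindAWF reports in the post above, and the Move /Y restore that the Fix.bat in this reply applies, worked as an added example (not code from the thread, from FindAWF or from the helper): it parses a constructed report modelled on the posted one, pairs each file under a bak folder with the same-named file one level up, and generates the restore lines. The paths and sizes in the sample are copied from the posted report; the verdict labels are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the "Duplicate files of bak directory
# contents" section of the FindAWF report posted in this thread.
SAMPLE_REPORT = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
282624 Jun 6 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
129536 Jul 21 2006 "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
57344 Dec 9 2003 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\bak\jusched.exe"
end of report
'''

# One report line: <size> <Mon d yyyy> "<path>"
ENTRY = re.compile(r'^\s*(\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+"([^"]+)"\s*$')

def parse_entries(report):
    """Return a list of (size_in_bytes, PureWindowsPath) for every file line."""
    entries = []
    for line in report.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), PureWindowsPath(m.group(2))))
    return entries

def classify(entries):
    """Pair each file under a 'bak' folder with the same-named file one level up.

    AWF moves the genuine autostart executable into a bak subfolder and drops
    its own file under the original name, so the bak copy is the original.
    Verdicts (labels are this example's own, not FindAWF output):
      'restore'   - nothing left at the original path; move the bak copy back
      'overwrite' - a file of a different size sits at the original path;
                    Move /Y would replace it with the bak copy
      'same-size' - a file of identical size sits there; check it by hand
    """
    live = {str(p).lower(): size for size, p in entries
            if p.parent.name.lower() != 'bak'}
    findings = []
    for size, p in entries:
        if p.parent.name.lower() != 'bak':
            continue
        original = p.parent.parent / p.name
        live_size = live.get(str(original).lower())
        if live_size is None:
            verdict = 'restore'
        elif live_size != size:
            verdict = 'overwrite'
        else:
            verdict = 'same-size'
        findings.append({'original': str(original), 'bak': str(p),
                         'bak_size': size, 'live_size': live_size,
                         'verdict': verdict})
    return findings

def restore_commands(findings):
    """Emit the Move /Y lines a Fix.bat needs to put each original back."""
    return ['Move /Y "%s" "%s"' % (f['bak'], str(PureWindowsPath(f['original']).parent))
            for f in findings]

if __name__ == '__main__':
    found = classify(parse_entries(SAMPLE_REPORT))
    for f in found:
        print('%-10s %s (bak %d bytes, live %s)'
              % (f['verdict'], f['original'], f['bak_size'], f['live_size']))
    print('\n'.join(restore_commands(found)))
```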

#7 triplec
Authentic Member, 52 posts

Posted 17 June 2007 - 12:54 PM

Thank you for your response... I will work on the firewall... but the other things that need to be done in Safe Mode, I don't know if I will be able to do... Like I said in a previous response, in Safe Mode my account is not one of the accounts I can log into. There is only the Administrator account (which I don't know the password to) and the previous owner's account, which is named ARI (I can log into this, but the programs I need to run are not on this account)... What should I do? Is there a way I can delete the ARI account completely and delete all of the programs and files from my laptop?

#8 Markka
Advanced Member (Banned), 784 posts

Posted 18 June 2007 - 11:42 AM

Hello :)

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen, under Your Computer's security:
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
_____________________________________________

Create a new folder here: C:\HJT and move HijackThis.exe into the HJT folder.

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows except HijackThis and press Fix checked.

O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: 0 - {452F8784-8D81-4DDD-B3B6-D20DFA77B8A9} - C:\Program Files\MSN Messenger\labutunef.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\System32\ljuawcdc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\ari\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pmnklkj - pmnklkj.dll (file missing)

___________________________________________________

Make your hidden files visible:
  • Click start
  • Click my computer
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
___________________________________________

Please Download Killbox by Option^Explicit and save it to your desktop.

Note: This is the latest version of Killbox. If you already have Killbox, delete it and use this version.
  • Unzip the killbox.zip file
  • Double-click on killbox.exe to run it.
  • Choose these options:
    • Delete on reboot
    • After that click on all files button
  • Copy the complete text in the quote box below to the clipboard by highlighting the file paths and pressing Control + C:

    C:\WINDOWS\System32\ljuawcdc.dll
    C:\WINDOWS\system32\ljuawcdc.dll
    C:\WINDOWS\system32\twbwuenp.exe
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\pbar.dll
    C:\WINDOWS\system32\satmat.exe
    C:\WINDOWS\system32\Bi.dll
    C:\WINDOWS\system32\Biprep.exe
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\system32\updatetc.exe
    C:\WINDOWS\system32\salm.exe
    C:\WINDOWS\system32\msdn_lib.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\system32\wml.exe
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\voiceip.dll
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\7search.dll
    C:\WINDOWS\system32\vxddsk.exe
    C:\WINDOWS\system32\SUSP.exe
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\flt.dll
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\system32\180ax.exe
    C:\sysafce.exe
    C:\WINDOWS\system32\SpOrder.dll
    C:\WINDOWS\system32\mfc71.dll
    C:\WINDOWS\ihvuxyi.exe
    C:\WINDOWS\system32\omskildd.exe
    C:\WINDOWS\system32\icowcqwc.exe
    C:\WINDOWS\system32\lnfslryf.exe
    C:\WINDOWS\system32\ffwwuqrb.exe

  • Go to the File menu of Killbox, and choose Paste from Clipboard.
  • Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt.
    Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
__________________________________________________

Delete these folders:
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\Documents and settings\All users\Application Data\WinAntiVirus Pro 2007
__________________________________________

Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
_____________________________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
____________________________________________________
Open Notepad
-> copy the following lines into a new document:

@echo off
Move /Y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
Move /Y "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" "C:\Program Files\ATI Technologies\ATI Control Panel"
Move /Y "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak\MotiveSB.exe" "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge"
Move /Y "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe" "C:\Program Files\Yahoo!\browser"
Move /Y "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe" "C:\Program Files\Yahoo!\Messenger"
Move /Y "C:\Program Files\Common Files\Network Associates\TalkBack\bak\TBMon.exe" "C:\Program Files\Common Files\Network Associates\TalkBack"
Move /Y "C:\Program Files\Java\jre1.5.0_02\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_02\bin"
Move /Y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
exit

Save the document to your desktop as Fix.bat with file type: All Files
Go to your desktop and run the file Fix.bat and answer yes to any questions.
_____________________________________________

Re-run with FindAWF!


Post:
- A fresh HijackThis log
- AVG Anti-spyware's report
- Logfile of FindAWF

#9 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 25 June 2007 - 07:38 AM

triplec, are you still needing help?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom


#10 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 26 June 2007 - 08:00 AM

Your post has been Moved, Closed or Edited for one of the following reasons:

1.) You posted multiple topics and only one is required

2.) You are spamming links to other places without approval

3.) You have posted your hijackthis log to the wrong forum:
( http://forums.tomcoy...hp?showforum=27 ) <--- correct forum for HijackThis Logs

4.) Abusive language or other problems in your text

5.) Your log is too old (20 days or more) and no replies from you after a volunteer tried to help you

If you came here for help and you have not posted a HijackThis log to the proper forum, then you may do so now. If you came here to spam or abuse, you will be dealt with more harshly on your next offense.

This is a family oriented forum to help those that need help.

==============================


Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
