Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] wowfx.dll errors

Started by April Davis , Jan 14 2008 04:08 PM

  • This topic is locked This topic is locked
9 replies to this topic

#1 April Davis

April Davis

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 14 January 2008 - 04:08 PM

I am about to pull my hair out trying to remedy all the wowfx.dll and bad image messages I am getting on my laptop nonstop. I also see a little yellow triangle in the bottom right corner that will constantly pop up that I have been infected and need to clean up my system. It appears windows is sending me this message, but whenever this balloon is clicked on, several different sites will pop up advertising how they are going to scan my system and clean them right up. I have noticed the majority of the sites are coming from avsystemcare or avsyscare. I can usually navigate and figure out what is going on with my system, but this spyware/malware, .dll, trojan virus stuff is just beyond me. I really need help from someone that can guide me step by step on how to clean up my system. I have run ad-aware and spybot and after running spybot, the little yellow triangle will disappear for a little while, but then it will appear again. The main problem is the bad image message-check against system installation disk messages are the ones that are popping up on me. Sometimes I can't run add/rem programs or other options in control panel. Please help! I will provide whatever information you need me to give you if someone will be kind enough to help me out with this. Thank you in advance, April Davis

    Advertisements

Register to Remove

#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 18 January 2008 - 04:25 PM

Hello and welcome to the forum. Sorry about the delay in responding :( If you still need help, Scan again with HijackThis, and copy/paste" a new log file into this thread. Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#3 April Davis

April Davis

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 20 January 2008 - 07:07 PM

Thank you for your response. I ran HJT and this logfile came up in notepad. I assume this is what you are wanting to see? Thank you so much for your help. I am still getting popups about every 12 seconds for different kinds of software that will clean up my computer, etc. The yellow triangle is still in the taskbar on the lower right saying Windows antivirus and that Windows has detected spyware infection. As of right now, I'm not getting the .dll messages but that doesn't mean they won't be back!! Thanks again! April


THE LOGFILE THAT CAME UP IN NOTEPAD IS AS FOLLOWS:

Logfile of HijackThis v1.99.1
Scan saved at 6:56:11 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Common Files\AOL\1200717662\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\APRILD~1\LOCALS~1\Temp\sv16.exe
C:\DOCUME~1\APRILD~1\LOCALS~1\Temp\sys16.exe
C:\DOCUME~1\APRILD~1\LOCALS~1\Temp\syn16.exe
C:\DOCUME~1\APRILD~1\LOCALS~1\Temp\6432.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\April Davis\Application Data\printer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://browser.cdn.a...om/welcome.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {18ACF5E8-132B-19AB-2175-39B60E3FF3BA} - C:\WINDOWS\system32\hrotfrns.dll (file missing)
O2 - BHO: (no name) - {35F67D63-9AA5-C525-F14D-EA2B58E18DB2} - C:\WINDOWS\system32\mfkl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E19D5AD-6560-38E4-6321-4C71B20697EF} - C:\WINDOWS\system32\fpyo.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll (file missing)
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1200717662\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: findfast.exe
O4 - Startup: palmOne Registration.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: autorun.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk.disabled
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll,-115 - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: ImageShack Toolbar - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163568176015
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast....ostClientIE.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...28.9/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai...l/installer.exe
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.2.1.cab
O18 - Filter: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: __c004642F - C:\WINDOWS\system32\__c004642F.dat
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)


THIS IS THE COPY OF WHAT THE HJT SCAN PICKED UP. I didn't select or try to fix anything because I wasn't sure whato get rid of. Just let me know where I need to go from here. Thanks! April

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 January 2008 - 07:09 PM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#5 April Davis

April Davis

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 20 January 2008 - 09:41 PM

I am posting the combo.txt log file for your review along wiht the new HJT log file. Do I need to go change the settings back that you had me change under My Computer regarding the viewing of hidden folders and files, etc.?

LOG FILE FOR COMBO.TXT
ComboFix 08-01-20.1 - April Davis 2008-01-20 20:52:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.521 [GMT -6:00]
Running from: C:\Documents and Settings\April Davis\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3.tmp
C:\4.tmp
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\April Davis\Application Data.\Ultimate Cleaner
C:\Documents and Settings\April Davis\Application Data.\Ultimate Cleaner\settings.dat
C:\Documents and Settings\April Davis\Application Data\CROSOF~1
C:\Documents and Settings\April Davis\Application Data\FNTS~1
C:\Documents and Settings\April Davis\Application Data\macromedia\Flash Player\#SharedObjects\DL84ERMC\www.broadcaster.com
C:\Documents and Settings\April Davis\Application Data\macromedia\Flash Player\#SharedObjects\DL84ERMC\www.broadcaster.com\played_list.sol
C:\Documents and Settings\April Davis\Application Data\macromedia\Flash Player\#SharedObjects\DL84ERMC\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\April Davis\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\April Davis\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\April Davis\Application Data\printer.exe
C:\Documents and Settings\April Davis\Application Data\SSTEM3~1
C:\Documents and Settings\April Davis\Application Data\Ultimate Cleaner\settings.dat
C:\Documents and Settings\April Davis\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\April Davis\Desktop\Free Online Dating.lnk
C:\Documents and Settings\April Davis\Desktop\Go to Casino.lnk
C:\Documents and Settings\April Davis\My Documents\CURITY~1
C:\Documents and Settings\April Davis\My Documents\MANTEC~1
C:\Documents and Settings\April Davis\My Documents\MCROSO~1
C:\Documents and Settings\April Davis\My Documents\PPATCH~1
C:\Documents and Settings\April Davis\My Documents\YSTEM3~1
C:\Documents and Settings\April Davis\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\April Davis\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\April Davis\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\April Davis\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\asks~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Helper
C:\Program Files\ISM2
C:\Program Files\ISM2\cringupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\ISM2\ISMPack8.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\kernel
C:\Program Files\Movie Maker\rterememyk.html
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\racle~1
C:\Program Files\smss.exe
C:\Program Files\spoolsv.exe
C:\Program Files\sstem3~1
C:\Program Files\Temporary
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\temp\tn3
C:\WINDOWS\avp.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~1\?dobe\
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\icroso~1.net
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\mgrs.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\__c004642F.dat
C:\WINDOWS\system32\__c00CFF04.dat
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\suspend.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\ymbols~1
C:\wsusupd.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-20 20:51 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 20:46 . 2008-01-20 20:47 50,688 --a------ C:\ATF-Cleaner.exe
2008-01-20 20:12 . 2008-01-20 20:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-20 20:12 . 2008-01-20 20:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 22:15 . 2008-01-18 22:17 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-18 22:08 . 2007-10-10 17:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-18 22:08 . 2007-06-30 21:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-18 22:08 . 2007-06-30 21:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-18 22:08 . 2007-10-10 17:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-18 22:08 . 2007-10-10 17:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-18 22:08 . 2007-10-10 17:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-18 22:08 . 2007-10-10 17:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-18 22:08 . 2007-10-10 17:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-18 22:08 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-18 22:08 . 2007-10-10 04:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-13 18:52 . 2005-12-27 17:56 18,944 --a------ C:\WINDOWS\system32\wowfxoldd.dll
2008-01-13 18:52 . 2005-12-23 17:17 18,944 --a------ C:\WINDOWS\system32\wowfxold.dll
2008-01-12 15:19 . 2008-01-12 15:59 1,910,649 ---hs---- C:\WINDOWS\system32\40FFC00c__.ini2
2008-01-12 14:46 . 2008-01-12 14:46 1,910,649 ---hs---- C:\WINDOWS\system32\40FFC00c__.tmp
2008-01-11 23:45 . 2008-01-12 15:40 <DIR> d-------- C:\Program Files\Symantec
2008-01-11 23:45 . 2008-01-12 15:43 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-11 23:25 . 2008-01-11 23:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-11 23:24 . 2008-01-11 23:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 23:20 . 2008-01-12 14:46 1,910,589 ---hs---- C:\WINDOWS\system32\40FFC00c__.ini
2008-01-10 19:15 . 2008-01-18 17:24 80 --a------ C:\WINDOWS\system32\suspend.bin
2008-01-10 18:39 . 2008-01-10 18:39 88 --a------ C:\Documents and Settings\April Davis\del.bat
2008-01-09 18:51 . 2008-01-09 18:51 0 --a------ C:\WINDOWS\system32\REN11.tmp
2008-01-09 18:51 . 2008-01-09 18:51 0 --a------ C:\WINDOWS\system32\REN10.tmp
2008-01-09 00:06 . 2008-01-09 11:57 <DIR> d-------- C:\Program Files\Ares
2008-01-08 17:56 . 2008-01-08 17:56 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-08 16:54 . 2008-01-11 23:14 1,073,624 ---hs---- C:\WINDOWS\system32\10E5C00c__.ini
2008-01-08 00:23 . 2008-01-08 00:23 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2008-01-08 00:23 . 2008-01-08 00:23 <DIR> d-------- C:\Documents and Settings\April Davis\Application Data\Intuit
2008-01-08 00:23 . 2007-07-26 17:13 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2008-01-08 00:23 . 2007-07-26 17:13 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2008-01-08 00:22 . 2008-01-08 00:29 <DIR> d-------- C:\Program Files\Quicken
2008-01-08 00:22 . 2008-01-08 00:22 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software
2008-01-08 00:22 . 2008-01-08 00:22 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-01-08 00:22 . 2008-01-08 00:23 120 --a------ C:\WINDOWS\QUICKEN.INI
2008-01-08 00:21 . 2008-01-08 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-01-05 18:15 . 2008-01-05 18:15 0 --a------ C:\53.tmp
2008-01-05 18:14 . 2008-01-05 18:14 0 --a------ C:\40.tmp
2008-01-05 18:14 . 2008-01-05 18:14 0 --a------ C:\3D.tmp
2008-01-05 18:13 . 2008-01-05 18:13 0 --a------ C:\30.tmp
2008-01-05 18:13 . 2008-01-05 18:13 0 --a------ C:\20.tmp
2008-01-05 18:12 . 2008-01-05 18:12 286,288 --a------ C:\19.tmp
2008-01-05 18:12 . 2008-01-05 18:12 0 --a------ C:\1A.tmp
2008-01-05 18:11 . 2008-01-05 18:11 186,608 --a------ C:\13.tmp
2007-12-28 21:30 . 2007-12-28 21:30 0 --a------ C:\WINDOWS\iPlayer.INI
2007-12-28 21:29 . 2007-12-28 21:29 <DIR> d-------- C:\Program Files\InterActual
2007-12-28 00:58 . 2007-12-28 00:58 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-27 09:42 . 2007-12-27 09:42 <DIR> d-------- C:\Program Files\iPod
2007-12-27 09:42 . 2007-12-27 09:42 <DIR> d-------- C:\Documents and Settings\April Davis\Application Data\Apple Computer
2007-12-27 09:41 . 2008-01-08 02:03 <DIR> d-------- C:\Program Files\iTunes
2007-12-27 09:40 . 2008-01-08 02:03 <DIR> d-------- C:\Program Files\QuickTime
2007-12-27 09:40 . 2007-12-27 09:40 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-27 09:40 . 2007-12-27 09:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-27 09:40 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-27 09:39 . 2007-12-27 09:39 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-27 09:39 . 2007-12-27 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-24 18:33 . 2007-12-29 09:09 <DIR> d-------- C:\Program Files\FrostWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 04:41 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-19 04:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-16 07:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-01-16 07:43 --------- d-----w C:\Program Files\Yahoo!
2008-01-16 07:43 --------- d-----w C:\Program Files\Viewpoint
2008-01-16 07:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-16 07:39 --------- d-----w C:\Program Files\palmOne
2008-01-12 21:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-12 05:25 --------- d-----w C:\Documents and Settings\April Davis\Application Data\Lavasoft
2008-01-12 04:32 --------- d-----w C:\Program Files\Google
2008-01-11 00:39 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-01-10 00:51 --------- d-----w C:\Program Files\Java
2008-01-08 08:03 --------- d-----w C:\Program Files\NoAds
2008-01-08 06:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 00:34 --------- d-----w C:\Documents and Settings\April Davis\Application Data\FrostWire
2007-12-23 01:47 --------- d-----w C:\Program Files\Dl_cats
2007-12-08 16:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\HotSync
2007-12-08 16:38 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-12-08 16:38 --------- d-----w C:\Documents and Settings\April Davis\Application Data\HotSync
2007-12-01 15:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-30 01:18 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-30 01:18 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-11-27 21:43 --------- d-----w C:\Program Files\Shutterfly
2007-11-27 21:42 --------- d-----w C:\Documents and Settings\April Davis\Application Data\Shutterfly
2007-01-25 00:25 181,729 ----a-w C:\Documents and Settings\April Davis\el_font_gohtic.zip
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2006-12-08 02:27 56 --sh--r C:\WINDOWS\system32\9230BF42B8.sys
2007-09-10 07:16 88 --sh--r C:\WINDOWS\system32\B842BF3092.sys
2007-09-10 08:07 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18ACF5E8-132B-19AB-2175-39B60E3FF3BA}]
C:\WINDOWS\system32\hrotfrns.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35F67D63-9AA5-C525-F14D-EA2B58E18DB2}]
C:\WINDOWS\system32\mfkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E19D5AD-6560-38E4-6321-4C71B20697EF}]
C:\WINDOWS\system32\fpyo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
C:\Program Files\ISM\BndDrive6.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [ ]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [2006-11-22 00:25 207360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1200717662\ee\AOLSoftware.exe" [2006-04-13 14:36 50792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 04:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\April Davis\Start Menu\Programs\Startup\
palmOne Registration.lnk.disabled [2008-01-05 17:41:04 803]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2006-07-12 20:20:43 1918]
HOTSYNCSHORTCUTNAME.lnk.disabled [2007-12-08 10:39:32 1556]
Windows Desktop Search.lnk.disabled [2006-04-28 22:43:39 2169]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c004642F]
C:\WINDOWS\system32\__c004642F.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, , , , , , , , , ,

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ModemOnHold"=C:\Program Files\NetWaiting\netWaiting.exe
"Nmtjrlom"="C:\Documents and Settings\April Davis\My Documents\??pPatch\m?config.exe"
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"NoAds"="C:\Program Files\NoAds\NoAds.exe"
"ISMModule6"="C:\Program Files\ISM\ISMModule6.exe"
"ISMPack5"="C:\Program Files\ISM2\ISMPack5.exe"
"WinAble"=C:\Program Files\WinAble\winable.exe
"Uaol"="C:\WINDOWS\DOBE~1\rundll.exe" -vt ndrv
"ares"="C:\Program Files\Ares\Ares.exe" -h
"A00F8677D.exe"=C:\DOCUME~1\APRILD~1\LOCALS~1\Temp\_A00F8677D.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"kernel"=C:\Program Files\kernel\kernel.exe
"Kfakqj"=C:\WINDOWS\system32\?racle\??xplore.exe
"QdrModule11"="C:\Program Files\QdrModule\QdrModule11.exe"
"QdrPack11"="C:\Program Files\QdrPack\QdrPack11.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"MyWebSearch Email Plugin"=C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
"My Web Search Bar"=rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"ShareSearcher"=c:\AILT.exe
"Printer"=C:\WINDOWS\system32\printer.exe
"lsass"=C:\WINDOWS\lsass.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"DLCCCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"68e3ad9d"=rundll32.exe "C:\WINDOWS\system32\__c00CFF04.dat",b

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 15:40:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 00:40:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 20:57:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 21:02:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 03:02:43
.
2008-01-21 02:06:00 --- E O F ---



HJT NEW LOG FILE AFTER RUNNING COMBOTXTLogfile of HijackThis v1.99.1
Scan saved at 9:21:42 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1200717662\ee\AOLSoftware.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\program files\common files\aol\1200717662\ee\aexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://browser.cdn.a...om/welcome.html
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: (no name) - {18ACF5E8-132B-19AB-2175-39B60E3FF3BA} - C:\WINDOWS\system32\hrotfrns.dll (file missing)
O2 - BHO: (no name) - {35F67D63-9AA5-C525-F14D-EA2B58E18DB2} - C:\WINDOWS\system32\mfkl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E19D5AD-6560-38E4-6321-4C71B20697EF} - C:\WINDOWS\system32\fpyo.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1200717662\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: palmOne Registration.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk.disabled
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll,-115 - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: ImageShack Toolbar - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163568176015
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast....ostClientIE.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...28.9/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai...l/installer.exe
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.2.1.cab
O20 - Winlogon Notify: __c004642F - C:\WINDOWS\system32\__c004642F.dat (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 January 2008 - 10:09 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\wowfxoldd.dll
C:\WINDOWS\system32\wowfxold.dll
C:\WINDOWS\system32\40FFC00c__.ini2
C:\WINDOWS\system32\40FFC00c__.tmp
C:\WINDOWS\system32\40FFC00c__.ini
C:\Documents and Settings\April Davis\del.bat
C:\WINDOWS\system32\REN11.tmp
C:\WINDOWS\system32\REN10.tmp
C:\WINDOWS\system32\10E5C00c__.ini
C:\53.tmp
C:\40.tmp
C:\3D.tmp
C:\30.tmp
C:\20.tmp
C:\19.tmp
C:\1A.tmp
C:\13.tmp
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\9230BF42B8.sys
C:\WINDOWS\system32\B842BF3092.sys
C:\WINDOWS\system32\hrotfrns.dll
C:\WINDOWS\system32\mfkl.dll
C:\WINDOWS\system32\fpyo.dll
C:\Program Files\ISM\BndDrive6.dll
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
C:\WINDOWS\system32\__c004642F.dat
C:\Documents and Settings\April Davis\My Documents\??pPatch\m?config.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\ISM2\ISMPack5.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\DOBE~1\rundll.exe" -vt ndrv
C:\WINDOWS\system32\?racle\??xplore.exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\WINDOWS\system32\__c00CFF04.dat",b

Folder::
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\AskSBar
C:\Program Files\WinAble
C:\Program Files\QdrModule
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\lsass.exe

Driver::
beep

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18ACF5E8-132B-19AB-2175-39B60E3FF3BA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35F67D63-9AA5-C525-F14D-EA2B58E18DB2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E19D5AD-6560-38E4-6321-4C71B20697EF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"]
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c004642F]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Nmtjrlom"=-
"ISMModule6"=-
"ISMPack5"=-
"WinAble"=-
"Uaol"=-
"Kfakqj"=-
"QdrModule11"=-
"QdrPack11"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Printer"=-
"lsass"=-
"68e3ad9d"=-


Save this as Save this as "CFScript"


drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 30 January 2008 - 03:22 PM

Do you still need help with this?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#8 April Davis

April Davis

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 31 January 2008 - 12:10 AM

Hello, I'm sorry in the delay in getting back to you. I had gotten on the site to post and tell you things were ok and then i think my kids interrupted me and I didn't send the reply. Whatever you told me to do with the exception of the last thing you said has totally fixed everything on my system and it's running beautifully! I did have a question. If I do have problems in the future, is the combofix software a utility you can run like spybot to clean up your system. Or should I be running this regularly anyway? Again, thanks for your help. I really appreciate it. What is your name anyway? Thanks! April

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 January 2008 - 03:41 PM

Did you run the combofix fix I posted? If not you need to. Combofix has a shelf life of about 30 days, but gets updated almost daily. I really suggest you follow what I posted.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 04 February 2008 - 05:46 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·