Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91627 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Vundo Removal Help


  • Please log in to reply
36 replies to this topic

#1 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 07 May 2008 - 09:24 AM

I apparently have Vundo on my daughter's computer. Having tried unsuccesfully to remove it I need you wonderful fellows to give me a hand. Here is my HijackThis file, and thanks !!

As a note I followed McAffe recomendations to no avail and have also run vundofix, virtumonoebegobe and fixit from symantec to no avail.

Logfile of HijackThis v1.99.1
Scan saved at 11:16:35 AM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
f:\PROGRA~1\mcafee.com\vso\OasClnt.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
f:\program files\mcafee.com\vso\mcvsshld.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\AIM6\aim6.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\AIM6\aolsoftware.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {0A6F29BE-3471-4C70-855B-8D04DAC044ED} - F:\WINDOWS\system32\cbXoPFXq.dll (file missing)
O2 - BHO: (no name) - {33FC22E2-3683-4701-9607-CC52DB2DF66F} - (no file)
O2 - BHO: (no name) - {36C4671D-C266-4552-A37E-C90485B9D87C} - (no file)
O2 - BHO: (no name) - {39D9831A-862D-450D-8097-541459450C52} - F:\WINDOWS\system32\khfCrPGy.dll (file missing)
O2 - BHO: (no name) - {3AD0DE36-D3BD-40A3-A19D-6ECC908A8AE6} - (no file)
O2 - BHO: (no name) - {45EA9988-8619-4E2A-89E8-0447F986E070} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63F7460B-C831-4142-A4AA-5EC303EC4343} - (no file)
O2 - BHO: (no name) - {69709C25-DE35-4993-80AC-332399DA5360} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {811E2DE6-5045-49E1-B73D-8365DE8B374F} - (no file)
O2 - BHO: (no name) - {872E2001-5F8A-44B9-871B-0CC4E83B2F6B} - (no file)
O2 - BHO: (no name) - {8C31491B-CC1B-4F18-9E5B-D0654B8EFBF6} - (no file)
O2 - BHO: (no name) - {945BD018-E78E-4F47-BFE2-52EC69E5CB9B} - (no file)
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - (no file)
O2 - BHO: (no name) - {B5DAAF2B-DE0E-40F0-BBCD-253212EF47F4} - (no file)
O2 - BHO: (no name) - {C0BDC333-0F38-4A83-940B-43515473FF28} - F:\WINDOWS\system32\yayaaARI.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockots64.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [gxgjavkt] regsvr32 /u "F:\Documents and Settings\All Users\Application Data\gxgjavkt.dll"
O4 - HKLM\..\Run: [ntuser] F:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] F:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [BMcf339d83] Rundll32.exe "F:\WINDOWS\system32\lqgarhcw.dll",s
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [pyznpxpw] F:\WINDOWS\system32\vwzqtyls.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mcwkqhba] F:\WINDOWS\system32\uryhahwd.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qwfckqme] F:\WINDOWS\system32\gpevqpyj.exe
O4 - HKCU\..\Run: [BMcf339d83] Rundll32.exe "F:\WINDOWS\system32\lqgarhcw.dll",s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khFuVpNf - F:\WINDOWS\
O20 - Winlogon Notify: ljJAroPf - ljJAroPf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WLCtrl32 - F:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - F:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

Edited by sagiter, 07 May 2008 - 10:31 AM.

    Advertisements

Register to Remove


#2 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 07 May 2008 - 04:01 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingc...to-use-combofix
  • Please Note: This tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
Also, run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.

Death to the salad eaters!

#3 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 07 May 2008 - 05:31 PM

OK here goes:

Thanks for all this btw... :notworthy:

My McAfee no longer tells me about a vundo trojan it can't fix. I get several run dll errors when I boot. Aside frim that all seems well.

ComboFix 08-05-01.3 - Owner 2008-05-07 19:07:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.144 [GMT -4:00]
Running from: F:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
F:\Documents and Settings\All Users\Application Data\Rabio
F:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\B6SBRY5K\www.broadcaster.com
F:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
F:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
F:\Program Files\Temporary
F:\WINDOWS\cookies.ini
F:\WINDOWS\PerfInfo
F:\WINDOWS\pskt.ini
F:\WINDOWS\system32\amrwhxwm.ini
F:\WINDOWS\system32\asks~1
F:\WINDOWS\system32\asks~1\?asks\
F:\WINDOWS\system32\bublbnsl.ini
F:\WINDOWS\system32\cdptomrc.ini
F:\WINDOWS\system32\cxmdawci.ini
f:\windows\system32\Drivers\Inr62.sys
F:\WINDOWS\system32\hmlvmnqp.ini
F:\WINDOWS\system32\ikpxkder.ini
F:\WINDOWS\system32\IRAaayay.ini
F:\WINDOWS\system32\IRAaayay.ini2
F:\WINDOWS\system32\oioqxjwh.ini
F:\WINDOWS\system32\pac.txt
F:\WINDOWS\system32\ploekaty.ini
F:\WINDOWS\system32\qXFPoXbc.ini
F:\WINDOWS\system32\qXFPoXbc.ini2
F:\WINDOWS\system32\sft.res
F:\WINDOWS\system32\vifhqomj.ini
F:\WINDOWS\system32\wfataxig.ini
F:\WINDOWS\system32\WLCtrl32.dl_
F:\WINDOWS\system32\WLCtrl32.dll
F:\WINDOWS\system32\yayaaARI.dll
F:\WINDOWS\system32\yGPrCfhk.ini
F:\WINDOWS\system32\yGPrCfhk.ini2
F:\WINDOWS\Web\def.htm

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_INR62
-------\Service_Inr62


((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-01 23:01 . 2008-05-01 23:01 24,576 --a------ F:\WINDOWS\system32\VundoFixSVC.exe
2008-05-01 21:57 . 2008-05-01 21:57 8 --a------ F:\WINDOWS\system32\0000fdec
2008-04-26 11:41 . 2008-04-26 11:41 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\Motive
2008-04-26 11:35 . 2008-04-26 11:35 <DIR> d-------- F:\WINDOWS\system32\LogFiles
2008-04-26 08:46 . 2008-04-26 08:46 <DIR> d-------- F:\Program Files\Svconr
2008-04-26 08:33 . 2003-07-16 16:24 4,224 --a------ F:\WINDOWS\system32\beep.sys
2008-04-26 08:31 . 2008-04-26 08:31 <DIR> d-------- F:\WINDOWS\system32\xcsDd06
2008-04-26 08:31 . 2008-04-27 14:10 578 --a------ F:\WINDOWS\index.html
2008-04-24 17:12 . 2008-02-22 02:33 69,632 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-04-24 15:43 . 2007-09-06 00:22 289,144 --a------ F:\WINDOWS\system32\VCCLSID.exe
2008-04-24 15:43 . 2006-04-27 17:49 288,417 --a------ F:\WINDOWS\system32\SrchSTS.exe
2008-04-24 15:43 . 2008-04-24 08:10 86,528 --a------ F:\WINDOWS\system32\VACFix.exe
2008-04-24 15:43 . 2008-04-23 22:14 82,944 --a------ F:\WINDOWS\system32\IEDFix.exe
2008-04-24 15:43 . 2008-04-23 22:14 82,944 --a------ F:\WINDOWS\system32\404Fix.exe
2008-04-24 15:43 . 2004-07-31 18:50 51,200 --a------ F:\WINDOWS\system32\dumphive.exe
2008-04-24 15:43 . 2007-10-04 00:36 25,600 --a------ F:\WINDOWS\system32\WS2Fix.exe
2008-04-24 15:40 . 2008-04-24 15:40 3,798 --a------ F:\WINDOWS\system32\tmp.reg
2008-04-24 15:23 . 2008-04-24 15:23 <DIR> d-------- F:\Documents and Settings\Administrator
2008-04-24 15:23 . 2008-05-07 19:07 1,024 --ah----- F:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 19:15 . 2008-05-06 09:50 <DIR> d-------- F:\VundoFix Backups
2008-04-23 14:04 . 2008-04-23 14:04 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-04-21 01:25 . 2008-05-03 08:38 109,738 --a------ F:\WINDOWS\BMcf339d83.xml
2008-04-20 14:36 . 2008-03-01 09:06 6,066,176 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-20 14:36 . 2007-06-30 23:31 2,455,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-20 14:36 . 2007-06-30 23:36 991,232 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-20 14:36 . 2008-03-01 09:06 459,264 -----c--- F:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-20 14:36 . 2008-03-01 09:06 383,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-20 14:36 . 2008-03-01 09:06 267,776 -----c--- F:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-20 14:36 . 2008-03-01 09:06 63,488 -----c--- F:\WINDOWS\system32\dllcache\icardie.dll
2008-04-20 14:36 . 2008-03-01 09:06 52,224 -----c--- F:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-20 14:36 . 2008-02-22 06:00 13,824 -----c--- F:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 14:32 . 2007-08-13 18:54 33,792 --a--c--- F:\WINDOWS\system32\dllcache\custsat.dll
2008-04-20 13:09 . 2008-05-06 16:59 1,061 --a------ F:\WINDOWS\wininit.ini
2008-04-20 12:14 . 2008-04-20 12:13 691,545 --a------ F:\WINDOWS\unins000.exe
2008-04-20 12:14 . 2008-04-20 12:14 2,542 --a------ F:\WINDOWS\unins000.dat
2008-04-20 11:11 . 2008-04-20 11:11 <DIR> d-------- F:\WINDOWS\mgwwgmke
2008-04-20 11:11 . 2008-04-23 20:48 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\rezgdwhm
2008-04-20 11:11 . 2008-04-20 11:11 192,512 --a------ F:\WINDOWS\qxkxgbgh.dll
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE5C0.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE504.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE3BC.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE310.tmp
2008-04-16 17:55 . 2004-08-04 03:56 159,232 --a------ F:\WINDOWS\system32\ptpusd.dll
2008-04-16 17:55 . 2004-08-04 01:58 15,104 --a------ F:\WINDOWS\system32\drivers\usbscan.sys
2008-04-16 17:55 . 2004-08-04 01:58 15,104 --a--c--- F:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-16 17:55 . 2001-08-17 22:36 5,632 --a------ F:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 23:04 --------- d-----w F:\Documents and Settings\Owner\Application Data\SlimBrowser
2008-05-06 12:51 --------- d-----w F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-06 12:50 9,344 ----a-w F:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-06 12:50 8,320 ----a-w F:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-06 11:06 --------- d-----w F:\Program Files\AIMTunes
2008-04-28 01:31 61,328 ----a-w F:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-27 17:28 --------- d-----w F:\Documents and Settings\All Users\Application Data\Motive
2008-04-24 21:12 --------- d-----w F:\Program Files\Java
2008-04-20 17:14 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 16:42 --------- d-----w F:\Program Files\Spybot - Search & Destroy
2008-04-05 14:40 --------- d-----w F:\Documents and Settings\LocalService\Application Data\SlimBrowser
2008-03-22 17:38 --------- d-----w F:\Documents and Settings\Owner\Application Data\Apple Computer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A6F29BE-3471-4C70-855B-8D04DAC044ED}]
F:\WINDOWS\system32\cbXoPFXq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33FC22E2-3683-4701-9607-CC52DB2DF66F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36C4671D-C266-4552-A37E-C90485B9D87C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D9831A-862D-450D-8097-541459450C52}]
F:\WINDOWS\system32\khfCrPGy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AD0DE36-D3BD-40A3-A19D-6ECC908A8AE6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45EA9988-8619-4E2A-89E8-0447F986E070}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69709C25-DE35-4993-80AC-332399DA5360}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{811E2DE6-5045-49E1-B73D-8365DE8B374F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872E2001-5F8A-44B9-871B-0CC4E83B2F6B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C31491B-CC1B-4F18-9E5B-D0654B8EFBF6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{945BD018-E78E-4F47-BFE2-52EC69E5CB9B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8EEB996-62AA-4E48-995D-EADDCAC47476}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5DAAF2B-DE0E-40F0-BBCD-253212EF47F4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0BDC333-0F38-4A83-940B-43515473FF28}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="F:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="F:\Program Files\AIM6\aim6.exe" [2007-09-29 16:22 50528]
"pyznpxpw"="F:\WINDOWS\system32\vwzqtyls.exe" [ ]
"SpybotSD TeaTimer"="F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"mcwkqhba"="F:\WINDOWS\system32\uryhahwd.exe" [ ]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"qwfckqme"="F:\WINDOWS\system32\gpevqpyj.exe" [ ]
"BMcf339d83"="F:\WINDOWS\system32\lqgarhcw.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="F:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="F:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"PDUiP6000DMon"="F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 13:26 57344]
"PDUiP6000DTskbr"="F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 09:29 69632]
"Microsoft Works Update Detection"="F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21 28672]
"QuickTime Task"="F:\PROGRA~1\QUICKT~1\qttask.exe" [2006-09-01 15:57 282624]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Verizon_McciTrayApp"="F:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"VerizonServicepoint.exe"="F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 16:20 2061816]
"BMcf339d83"="F:\WINDOWS\system32\lqgarhcw.dll" [ ]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"JB1IBJB1IB"= F:\Documents and Settings\All Users\Application Data\rezgdwhm\hmlelqbs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khFuVpNf]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJAroPf]
ljJAroPf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Inr62.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\AIM\\aim.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"F:\\Program Files\\AIM6\\aim6.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"F:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockots64.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-04-20 13:15:23 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 19:15:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


F:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
F:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
F:\WINDOWS\system32\clb.dll 10752 bytes executable
F:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
F:\WINDOWS\system32\clbcfg.dat 1695 bytes

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\McAfee.com\Agent\Mcdetect.exe
F:\PROGRA~1\McAfee.com\VSO\McShield.exe
F:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
F:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\PROGRA~1\McAfee.com\VSO\mcvsftsn.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-07 19:20:24 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-07 23:20:20

Pre-Run: 65,854,607,360 bytes free
Post-Run: 67,255,820,288 bytes free

237 --- E O F --- 2008-04-21 07:01:15



Logfile of HijackThis v1.99.1
Scan saved at 7:24:47 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
f:\PROGRA~1\mcafee.com\vso\OasClnt.exe
f:\program files\mcafee.com\vso\mcvsshld.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\AIM6\aim6.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\AIM6\aolsoftware.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {0A6F29BE-3471-4C70-855B-8D04DAC044ED} - F:\WINDOWS\system32\cbXoPFXq.dll (file missing)
O2 - BHO: (no name) - {39D9831A-862D-450D-8097-541459450C52} - F:\WINDOWS\system32\khfCrPGy.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockots64.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [BMcf339d83] Rundll32.exe "F:\WINDOWS\system32\lqgarhcw.dll",s
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [pyznpxpw] F:\WINDOWS\system32\vwzqtyls.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mcwkqhba] F:\WINDOWS\system32\uryhahwd.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qwfckqme] F:\WINDOWS\system32\gpevqpyj.exe
O4 - HKCU\..\Run: [BMcf339d83] Rundll32.exe "F:\WINDOWS\system32\lqgarhcw.dll",s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khFuVpNf - F:\WINDOWS\
O20 - Winlogon Notify: ljJAroPf - ljJAroPf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

Uninstall List:

Ad-Aware 2007
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player
AIM 6
AIMTunes (remove only)
AOL Instant Messenger
Apple Software Update
Canon PhotoRecord
Canon PIXMA iP6000D
Canon PIXMA iP6000D Memory Card Utility
Canon Utilities Easy-PhotoPrint
Dell ResourceCD
Easy-WebPrint
Fish Tycoon 1.0
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
igLoader
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
iTunes
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 5
McAfee SecurityCenter
McAfee VirusScan
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Picture It! Photo 7.0
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
SlimBrowser (remove only)
SoundMAX
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Verizon Online Help and Support
Verizon Servicepoint 1.5.12
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

Edited by sagiter, 07 May 2008 - 05:37 PM.


#4 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 08 May 2008 - 02:21 PM

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

Download Malwarebytes' Anti-Malware from here and save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to Update Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the little window has closed, the program is up to date and this bit is done.
2) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

3) Log off from the internet and disconnect your modem cable for the duration of the fix.

4) You will need to disable Spybot's Tea Timer function, if it is running, as it may interfere with this fix. - this is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labelled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {0A6F29BE-3471-4C70-855B-8D04DAC044ED} - F:\WINDOWS\system32\cbXoPFXq.dll (file missing)
O2 - BHO: (no name) - {39D9831A-862D-450D-8097-541459450C52} - F:\WINDOWS\system32\khfCrPGy.dll (file missing)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockots64.dll (file missing)

O4 - HKCU\..\Run: [pyznpxpw] F:\WINDOWS\system32\vwzqtyls.exe
O4 - HKCU\..\Run: [mcwkqhba] F:\WINDOWS\system32\uryhahwd.exe
O4 - HKCU\..\Run: [qwfckqme] F:\WINDOWS\system32\gpevqpyj.exe
O4 - HKCU\..\Run: [BMcf339d83] Rundll32.exe "F:\WINDOWS\system32\lqgarhcw.dll",s

O20 - Winlogon Notify: khFuVpNf - F:\WINDOWS\
O20 - Winlogon Notify: ljJAroPf - ljJAroPf.dll (file missing)


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Reboot your computer into Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.

4) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

5) Go to Start > Control Panel > Internet Options.

For I.E. 6 - under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

For I.E. 7 - under Browsing History, click delete...
Under Temporary Internet Files, click Delete files...

6) Remove any/all of the following files/folders that you can find:

Files

F:\WINDOWS\system32\vwzqtyls.exe
F:\WINDOWS\system32\uryhahwd.exe
F:\WINDOWS\system32\gpevqpyj.exe
F:\WINDOWS\system32\lqgarhcw.dll


As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


7) Boot into Normal Mode.

8) Run MBAM - either via the shortcut on your Desktop or Start > All Programs.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post a new HJT log, the MBAM log AND a description of how your PC is running.
Death to the salad eaters!

#5 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 09 May 2008 - 10:16 AM

The computer seems to be working fine at this moment and booted clean, no error messages, etc.

Malwarebytes' Anti-Malware 1.12
Database version: 736

Scan type: Full Scan (F:\|)
Objects scanned: 74038
Time elapsed: 24 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
F:\Program Files\Svconr (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
F:\QooBox\Quarantine\F\WINDOWS\system32\yayaaARI.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{1E913726-22BB-4A5E-BA5D-64A7D3D83EB3}\RP2\A0000026.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\VundoFix Backups\hwqmkhuu.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Logfile of HijackThis v1.99.1
Scan saved at 11:55:26 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee.com\VSO\mcvsshld.exe
F:\Program Files\McAfee.com\VSO\oasclnt.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\AIM6\aim6.exe
F:\WINDOWS\system32\ctfmon.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

#6 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 09 May 2008 - 01:40 PM

I'd like one more log to look at - i'm just a glutton for punishment!

Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


Double click gmer.exe to begin:
  • If you get a message about "system modification", click Yes and work through the rest of the instructions.
  • Ensure that the Rootkit Tab at the top is selected.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click the Scan button on the right.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
  • Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
  • Click the >>> Tab at the top and select the Autostart Tab.
  • Click the Scan button on the right - this one should only take seconds to complete.
  • Save the log as before.
Copy and paste both reports into your next reply - you may need to post them separately.
The Preview option may show the whole logs being posted, but they sometimes get cut down when the actual post is made, so check the post once it is completed.
Death to the salad eaters!

#7 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 09 May 2008 - 02:40 PM

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-09 16:37:17
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.14 ----

.text F:\Program Files\AIM6\aolsoftware.exe[1096] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 f:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text F:\WINDOWS\Explorer.EXE[1504] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 f:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text F:\WINDOWS\System32\hkcmd.exe[1700] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00AB3E00 f:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text F:\PROGRA~1\mcafee.com\agent\mcagent.exe[1708] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00FF3E00 f:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text F:\Program Files\McAfee.com\VSO\mcvsshld.exe[1724] WS2_32.dll!connect 71AB406A 5 Bytes JMP 012C3E00 f:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text ...

---- User IAT/EAT - GMER 1.0.14 ----

IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aolsoftware.exe[1096] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT F:\Program Files\AIM6\aim6.exe[1844] @ F:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] F:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)

---- EOF - GMER 1.0.14 ----

#8 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 09 May 2008 - 02:42 PM

GMER 1.0.14.14205 - http://www.gmer.net
Autostart scan 2008-05-09 16:38:28
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = F:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice@ = "F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
McDetect.exe@ = f:\program files\mcafee.com\agent\mcdetect.exe
McShield@ = f:\PROGRA~1\mcafee.com\vso\mcshield.exe
McTskshd.exe@ = f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
PDUiP6000DMemCrdMgr@ = F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Viewpoint Manager Service@ = "F:\Program Files\Viewpoint\Common\ViewpointService.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IgfxTrayF:\WINDOWS\System32\igfxtray.exe = F:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsF:\WINDOWS\System32\hkcmd.exe = F:\WINDOWS\System32\hkcmd.exe
@MCAgentExef:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe = f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
@MCUpdateExeF:\PROGRA~1\mcafee.com\agent\McUpdate.exe = F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
@VirusScan OnlineF:\Program Files\McAfee.com\VSO\mcvsshld.exe = F:\Program Files\McAfee.com\VSO\mcvsshld.exe
@VSOCheckTask"F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask = "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
@OASClntF:\Program Files\McAfee.com\VSO\oasclnt.exe = F:\Program Files\McAfee.com\VSO\oasclnt.exe
@PDUiP6000DMonF:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe = F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
@PDUiP6000DTskbrF:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe = F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
@Microsoft Works Update DetectionF:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe = F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
@QuickTime Task"F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime = "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
@iTunesHelper"F:\Program Files\iTunes\iTunesHelper.exe" = "F:\Program Files\iTunes\iTunesHelper.exe"
@SunJavaUpdateSched"F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" = "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
@Verizon_McciTrayAppF:\Program Files\Verizon\McciTrayApp.exe = F:\Program Files\Verizon\McciTrayApp.exe
@VerizonServicepoint.exe"F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN = "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@JB1IBJB1IB = F:\Documents and Settings\All Users\Application Data\rezgdwhm\hmlelqbs.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Aim6"F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp = "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
@ctfmon.exeF:\WINDOWS\system32\ctfmon.exe = F:\WINDOWS\system32\ctfmon.exe
@SpybotSD TeaTimerF:\Program Files\Spybot - Search & Destroy\TeaTimer.exe = F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

HKLM\Software\Classes\.scr@ = "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/F:\Program Files\Microsoft Office\Office10\msohev.dll = F:\Program Files\Microsoft Office\Office10\msohev.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/F:\Program Files\iTunes\iTunesMiniPlayer.dll = F:\Program Files\iTunes\iTunesMiniPlayer.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/F:\WINDOWS\System32\twext.dll = F:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/F:\WINDOWS\System32\twext.dll = F:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/F:\WINDOWS\system32\extmgr.dll = F:\WINDOWS\system32\extmgr.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{CFC7205E-2792-4378-9591-3879CC6C9022} = f:\progra~1\mcafee.com\vso\mcvsshl.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = F:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{CFC7205E-2792-4378-9591-3879CC6C9022} = f:\progra~1\mcafee.com\vso\mcvsshl.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{53707962-6F74-2D53-2644-206D7942484F}F:\PROGRA~1\SPYBOT~1\SDHelper.dll = F:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll = F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://eihs.eischools.org/home.aspx = http://eihs.eischools.org/home.aspx
@Local PageF:\WINDOWS\system32\blank.htm = F:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = F:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = F:\WINDOWS\system32\msvidctl.dll
its@CLSID = F:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = F:\WINDOWS\System32\itss.dll
tv@CLSID = F:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = F:\WINDOWS\System32\wiascr.dll

F:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.14 ----

#9 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 10 May 2008 - 01:34 PM

I've seen some difference of opinion over how to deal with the remnants of the nasty that you picked up, so i'd like you to do the following to see exactly what, if anything, got left behind:

Go here and click the Kaspersky Online Scanner button - I.E. is required for this scan.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded click Next.
  • Click Scan Settings and check the "Scan using the following antivirus database" is set to extended, not standard, and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log, run in Normal Mode, and a description of how your PC is behaving.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Death to the salad eaters!

#10 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 10 May 2008 - 07:47 PM

Hi,

Here are the requested scans. The computer seems to be operating normally, no problems that we can see.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 10, 2008 9:42:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/05/2008
Kaspersky Anti-Virus database records: 754953
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 51368
Number of viruses found: 7
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 00:40:51

Infected Object Name / Virus Name / Last Action
F:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Owner\Application Data\acccore\nss\cert8.db Object is locked skipped
F:\Documents and Settings\Owner\Application Data\acccore\nss\key3.db Object is locked skipped
F:\Documents and Settings\Owner\Application Data\Verizon\VSP\client_gateway.log Object is locked skipped
F:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Owner\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
F:\Documents and Settings\Owner\Local Settings\Application Data\AOL OCP\AIM\Storage\data\faceysfunny\localStorage\common.cls Object is locked skipped
F:\Documents and Settings\Owner\Local Settings\Application Data\AOL OCP\AIM\Storage\data\francesfersure\localStorage\common.cls Object is locked skipped
F:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
F:\Program Files\AIMTunes\music Object is locked skipped
F:\QooBox\Quarantine\catchme2008-05-07_191342.51.zip/Inr62.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped
F:\QooBox\Quarantine\catchme2008-05-07_191342.51.zip/yayaaARI.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qqw skipped
F:\QooBox\Quarantine\catchme2008-05-07_191342.51.zip ZIP: infected - 2 skipped
F:\QooBox\Quarantine\F\WINDOWS\system32\WLCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Agent.nxs skipped
F:\QooBox\Quarantine\F\WINDOWS\system32\WLCtrl32.dl_.vir Infected: Trojan-Downloader.Win32.Agent.nxs skipped
F:\QooBox\Quarantine\F\WINDOWS\Web\def.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{1E913726-22BB-4A5E-BA5D-64A7D3D83EB3}\RP1\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Agent.nxs skipped
F:\System Volume Information\_restore{1E913726-22BB-4A5E-BA5D-64A7D3D83EB3}\RP2\A0000008.dll Infected: Trojan-Downloader.Win32.Agent.nxs skipped
F:\System Volume Information\_restore{1E913726-22BB-4A5E-BA5D-64A7D3D83EB3}\RP2\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Agent.nxs skipped
F:\System Volume Information\_restore{1E913726-22BB-4A5E-BA5D-64A7D3D83EB3}\RP3\A0000247.dll Infected: Trojan.Win32.Obfuscated.gx skipped
F:\System Volume Information\_restore{1E913726-22BB-4A5E-BA5D-64A7D3D83EB3}\RP4\change.log Object is locked skipped
F:\VundoFix Backups\000070.exe.bad Infected: Trojan.Win32.Monder.gen skipped
F:\VundoFix Backups\pbyrenvg.dll.bad Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\BIT108.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT1C1.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT3BF.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT3E7.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT423.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT50E.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT572.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT5A9.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT5B8.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT64E.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT707.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT833.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BIT8A6.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BITB26.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BITB7C.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BITBBD.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BITC71.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BITD39.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\BITEE7.tmp Infected: Trojan.Win32.Monder.gen skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\Internet.evt Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5UZCPYJ\1[1].exe Infected: not-a-virus:FraudTool.Win32.AntiSpySpider.c skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 9:43:08 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
f:\PROGRA~1\mcafee.com\vso\OasClnt.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee.com\VSO\mcvsshld.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
F:\Program Files\AIM6\aim6.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {0A6F29BE-3471-4C70-855B-8D04DAC044ED} - (no file)
O2 - BHO: (no name) - {39D9831A-862D-450D-8097-541459450C52} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khFuVpNf - F:\WINDOWS\
O20 - Winlogon Notify: ljJAroPf - F:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

    Advertisements

Register to Remove


#11 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 11 May 2008 - 08:53 AM

As of this morning we have McAfee telling us that a program called Spyware-Webhancer.dr is an unwanted program that can't be deleted. A file called whinstaller.exe that can't be cleaned and some pups and trojans. There is so much stuff popping up I can't even get the screen clear at this point. I also have multiple Internet explorer windows trying to open.

Edited by sagiter, 11 May 2008 - 09:30 AM.


#12 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 11 May 2008 - 09:42 AM

Here's a new Hijack This log done in safe mode with networking:

Logfile of HijackThis v1.99.1
Scan saved at 11:38:58 AM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
O2 - BHO: (no name) - {0A6F29BE-3471-4C70-855B-8D04DAC044ED} - (no file)
O2 - BHO: (no name) - {39D9831A-862D-450D-8097-541459450C52} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54858FDA-094E-4806-8D94-C8C6E1D5874D} - F:\WINDOWS\system32\nnnnNGVp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - F:\WINDOWS\system32\ljJbBSIy.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [000000af] rundll32.exe "F:\WINDOWS\system32\smuqsuiw.dll",b
O4 - HKLM\..\Run: [BMcf339d83] Rundll32.exe "F:\WINDOWS\system32\lvxjuonp.dll",s
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khFuVpNf - F:\WINDOWS\
O20 - Winlogon Notify: ljJAroPf - F:\WINDOWS\
O20 - Winlogon Notify: ljJbBSIy - F:\WINDOWS\SYSTEM32\ljJbBSIy.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - F:\WINDOWS\b2new.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

#13 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 11 May 2008 - 11:40 AM

This should see the last of it, all being well:

1) You will need to disable Spybot's Tea Timer function, if it is running, as it may interfere with this fix. - this is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labelled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
2) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {0A6F29BE-3471-4C70-855B-8D04DAC044ED} - (no file)
O2 - BHO: (no name) - {39D9831A-862D-450D-8097-541459450C52} - (no file)
O2 - BHO: (no name) - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - (no file)

O20 - Winlogon Notify: khFuVpNf - F:\WINDOWS\
O20 - Winlogon Notify: ljJAroPf - F:\WINDOWS\


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

3) Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

File::
F:\WINDOWS\system32\BIT108.tmp
F:\WINDOWS\system32\BIT1C1.tmp
F:\WINDOWS\system32\BIT3BF.tmp
F:\WINDOWS\system32\BIT3E7.tmp
F:\WINDOWS\system32\BIT423.tmp
F:\WINDOWS\system32\BIT50E.tmp
F:\WINDOWS\system32\BIT572.tmp
F:\WINDOWS\system32\BIT5A9.tmp
F:\WINDOWS\system32\BIT5B8.tmp
F:\WINDOWS\system32\BIT64E.tmp
F:\WINDOWS\system32\BIT707.tmp
F:\WINDOWS\system32\BIT833.tmp
F:\WINDOWS\system32\BIT8A6.tmp
F:\WINDOWS\system32\BITB26.tmp
F:\WINDOWS\system32\BITB7C.tmp
F:\WINDOWS\system32\BITBBD.tmp
F:\WINDOWS\system32\BITC71.tmp
F:\WINDOWS\system32\BITD39.tmp
F:\WINDOWS\system32\BITEE7.tmp
F:\WINDOWS\system32\clbcfg.dat


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do it's thing.
Let me have the log produced, as before, as well as a fresh HJT log and tell me if the PC is still behaving itself.
Death to the salad eaters!

#14 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 11 May 2008 - 12:48 PM

At the moment the computer seems OK but apparently that can be deceiving :pullhair:

Here are the logs you requested.

ComboFix 08-05-01.3 - Owner 2008-05-11 14:37:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.194 [GMT -4:00]
Running from: F:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
F:\WINDOWS\system32\BIT108.tmp
F:\WINDOWS\system32\BIT1C1.tmp
F:\WINDOWS\system32\BIT3BF.tmp
F:\WINDOWS\system32\BIT3E7.tmp
F:\WINDOWS\system32\BIT423.tmp
F:\WINDOWS\system32\BIT50E.tmp
F:\WINDOWS\system32\BIT572.tmp
F:\WINDOWS\system32\BIT5A9.tmp
F:\WINDOWS\system32\BIT5B8.tmp
F:\WINDOWS\system32\BIT64E.tmp
F:\WINDOWS\system32\BIT707.tmp
F:\WINDOWS\system32\BIT833.tmp
F:\WINDOWS\system32\BIT8A6.tmp
F:\WINDOWS\system32\BITB26.tmp
F:\WINDOWS\system32\BITB7C.tmp
F:\WINDOWS\system32\BITBBD.tmp
F:\WINDOWS\system32\BITC71.tmp
F:\WINDOWS\system32\BITD39.tmp
F:\WINDOWS\system32\BITEE7.tmp
F:\WINDOWS\system32\clbcfg.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 14:22 . 2008-05-11 14:26 354 ---hs---- F:\WINDOWS\system32\wiusqums.ini
2008-05-11 14:06 . 2008-05-11 14:06 90,208 --a------ F:\WINDOWS\system32\egpqgarc.dll
2008-05-11 14:05 . 2008-05-11 14:05 316,464 --a------ F:\WINDOWS\system32\efcDVpMg.dll
2008-05-11 10:57 . 2008-05-11 10:57 83,024 --a------ F:\WINDOWS\system32\smuqsuiw.dll
2008-05-11 10:48 . 2008-05-11 10:48 98,912 --a------ F:\WINDOWS\system32\mtkbudex.dll
2008-05-11 10:46 . 2008-05-11 10:46 90,208 --a------ F:\WINDOWS\system32\lvxjuonp.dll
2008-05-11 10:45 . 2008-05-11 10:45 316,464 --a------ F:\WINDOWS\system32\nnnnNGVp.dll
2008-05-11 10:41 . 2008-05-11 10:41 32,768 --a------ F:\WINDOWS\system32\sockins32.dll
2008-05-11 10:40 . 2008-05-11 10:40 41,724 ---hs---- F:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-11 10:40 . 2008-05-11 10:40 25,728 --a------ F:\WINDOWS\system32\ljJbBSIy.dll
2008-05-11 10:40 . 2008-05-11 10:40 25,600 --a------ F:\WINDOWS\b2new.exe
2008-05-10 23:28 . 2008-05-10 23:28 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2008-05-10 23:28 . 2008-05-10 23:28 1,409 --a------ F:\WINDOWS\QTFont.for
2008-05-10 20:34 . 2008-05-10 20:34 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2008-05-10 20:34 . 2008-05-10 20:34 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-09 16:14 . 2008-05-09 16:14 250 --a------ F:\WINDOWS\gmer.ini
2008-05-09 09:22 . 2008-05-09 09:22 <DIR> d-------- F:\Program Files\Malwarebytes' Anti-Malware
2008-05-09 09:22 . 2008-05-09 09:22 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-09 09:22 . 2008-05-09 09:22 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-09 09:22 . 2008-05-05 20:46 27,048 --a------ F:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-09 09:22 . 2008-05-05 20:46 15,864 --a------ F:\WINDOWS\system32\drivers\mbam.sys
2008-05-01 23:01 . 2008-05-01 23:01 24,576 --a------ F:\WINDOWS\system32\VundoFixSVC.exe
2008-05-01 21:57 . 2008-05-01 21:57 8 --a------ F:\WINDOWS\system32\0000fdec
2008-04-26 11:41 . 2008-04-26 11:41 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\Motive
2008-04-26 11:35 . 2008-04-26 11:35 <DIR> d-------- F:\WINDOWS\system32\LogFiles
2008-04-26 08:33 . 2003-07-16 16:24 4,224 --a------ F:\WINDOWS\system32\beep.sys
2008-04-26 08:31 . 2008-04-26 08:31 <DIR> d-------- F:\WINDOWS\system32\xcsDd06
2008-04-26 08:31 . 2008-05-11 10:54 1,906 --a------ F:\WINDOWS\index.html
2008-04-24 17:12 . 2008-02-22 02:33 69,632 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-04-24 15:43 . 2007-09-06 00:22 289,144 --a------ F:\WINDOWS\system32\VCCLSID.exe
2008-04-24 15:43 . 2006-04-27 17:49 288,417 --a------ F:\WINDOWS\system32\SrchSTS.exe
2008-04-24 15:43 . 2008-04-24 08:10 86,528 --a------ F:\WINDOWS\system32\VACFix.exe
2008-04-24 15:43 . 2008-04-23 22:14 82,944 --a------ F:\WINDOWS\system32\IEDFix.exe
2008-04-24 15:43 . 2008-04-23 22:14 82,944 --a------ F:\WINDOWS\system32\404Fix.exe
2008-04-24 15:43 . 2004-07-31 18:50 51,200 --a------ F:\WINDOWS\system32\dumphive.exe
2008-04-24 15:43 . 2007-10-04 00:36 25,600 --a------ F:\WINDOWS\system32\WS2Fix.exe
2008-04-24 15:40 . 2008-04-24 15:40 3,798 --a------ F:\WINDOWS\system32\tmp.reg
2008-04-24 15:23 . 2008-04-24 15:23 <DIR> d-------- F:\Documents and Settings\Administrator
2008-04-24 15:23 . 2008-05-11 14:05 1,024 --ah----- F:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 19:15 . 2008-05-09 11:54 <DIR> d-------- F:\VundoFix Backups
2008-04-23 14:04 . 2008-04-23 14:04 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-04-21 01:25 . 2008-05-11 14:26 109,709 --a------ F:\WINDOWS\BMcf339d83.xml
2008-04-20 14:36 . 2008-03-01 09:06 6,066,176 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-20 14:36 . 2007-06-30 23:31 2,455,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-20 14:36 . 2007-06-30 23:36 991,232 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-20 14:36 . 2008-03-01 09:06 459,264 -----c--- F:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-20 14:36 . 2008-03-01 09:06 383,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-20 14:36 . 2008-03-01 09:06 267,776 -----c--- F:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-20 14:36 . 2008-03-01 09:06 63,488 -----c--- F:\WINDOWS\system32\dllcache\icardie.dll
2008-04-20 14:36 . 2008-03-01 09:06 52,224 -----c--- F:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-20 14:36 . 2008-02-22 06:00 13,824 -----c--- F:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 14:32 . 2007-08-13 18:54 33,792 --a--c--- F:\WINDOWS\system32\dllcache\custsat.dll
2008-04-20 13:09 . 2008-05-06 16:59 1,061 --a------ F:\WINDOWS\wininit.ini
2008-04-20 12:14 . 2008-04-20 12:13 691,545 --a------ F:\WINDOWS\unins000.exe
2008-04-20 12:14 . 2008-04-20 12:14 2,542 --a------ F:\WINDOWS\unins000.dat
2008-04-20 11:11 . 2008-04-20 11:11 <DIR> d-------- F:\WINDOWS\mgwwgmke
2008-04-20 11:11 . 2008-04-23 20:48 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\rezgdwhm
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE5C0.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE504.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE3BC.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE310.tmp
2008-04-16 17:55 . 2004-08-04 03:56 159,232 --a------ F:\WINDOWS\system32\ptpusd.dll
2008-04-16 17:55 . 2004-08-04 01:58 15,104 --a------ F:\WINDOWS\system32\drivers\usbscan.sys
2008-04-16 17:55 . 2004-08-04 01:58 15,104 --a--c--- F:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-16 17:55 . 2001-08-17 22:36 5,632 --a------ F:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 18:03 --------- d-----w F:\Documents and Settings\Owner\Application Data\SlimBrowser
2008-05-11 14:54 2,048 ----a-w F:\WINDOWS\system32\pdfostrl.exe
2008-05-06 12:51 --------- d-----w F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-06 12:50 9,344 ----a-w F:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-06 12:50 8,320 ----a-w F:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-06 12:50 12,632 ----a-w F:\WINDOWS\system32\lsdelete.exe
2008-05-06 11:06 --------- d-----w F:\Program Files\AIMTunes
2008-04-28 01:31 61,328 ----a-w F:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-27 17:28 --------- d-----w F:\Documents and Settings\All Users\Application Data\Motive
2008-04-24 21:12 --------- d-----w F:\Program Files\Java
2008-04-20 17:14 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 16:42 --------- d-----w F:\Program Files\Spybot - Search & Destroy
2008-04-05 14:40 --------- d-----w F:\Documents and Settings\LocalService\Application Data\SlimBrowser
2008-03-22 17:38 --------- d-----w F:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-19 09:47 1,845,248 ----a-w F:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w F:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w F:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w F:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-07_19.20.06.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:39:43 110,080 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2GDR\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2GDR\clbcatq.dll
+ 2005-07-26 04:20:23 110,080 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2005-07-26 04:30:38 110,080 -c----w F:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll
+ 2005-07-26 04:30:41 497,152 -c----w F:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll
+ 2004-08-04 07:56:41 110,080 -c----w F:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-04 07:56:41 501,248 -c----w F:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
+ 2003-07-16 20:25:27 100,864 -c----w F:\WINDOWS\$NtUninstallKB902400_0$\clbcatex.dll
+ 2003-07-16 20:25:28 468,480 -c----w F:\WINDOWS\$NtUninstallKB902400_0$\clbcatq.dll
- 2008-05-07 23:15:08 2,048 --s-a-w F:\WINDOWS\bootstat.dat
+ 2008-05-11 18:19:28 2,048 --s-a-w F:\WINDOWS\bootstat.dat
+ 2008-05-09 20:14:16 819,200 ----a-w F:\WINDOWS\gmer.dll
+ 2008-05-09 20:14:01 761,856 ----a-w F:\WINDOWS\gmer.exe
+ 2004-08-04 07:56:41 110,080 ------w F:\WINDOWS\ServicePackFiles\i386\clbcatex.dll
+ 2004-08-04 07:56:41 501,248 ------w F:\WINDOWS\ServicePackFiles\i386\clbcatq.dll
+ 2003-07-16 20:25:27 10,752 ----a-w F:\WINDOWS\system32\clb.dll
+ 2005-07-26 04:39:43 110,080 ----a-w F:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w F:\WINDOWS\system32\clbcatq.dll
+ 2003-07-16 20:25:27 10,752 -c--a-w F:\WINDOWS\system32\dllcache\clb.dll
+ 2008-05-09 20:14:16 86,097 ----a-w F:\WINDOWS\system32\drivers\gmer.sys
+ 2005-05-24 16:27:16 213,048 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-05-11 18:26:06 16,384 --sha-w F:\WINDOWS\TEMP\Cookies\index.dat
+ 2008-05-11 18:26:06 16,384 --sha-w F:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-05-11 18:26:06 32,768 --sha-w F:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B76361C5-6BE9-4109-83A2-BB095E69ADCF}]
2008-05-11 14:05 316464 --a------ F:\WINDOWS\system32\efcDVpMg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-11 10:40 25728 --a------ F:\WINDOWS\system32\ljJbBSIy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB4CDFCB-7F35-454A-B1F9-91991E9B552F}]
2008-05-11 10:45 316464 --a------ F:\WINDOWS\system32\nnnnNGVp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="F:\Program Files\AIM6\aim6.exe" [2007-09-29 16:22 50528]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="F:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="F:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"PDUiP6000DMon"="F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 13:26 57344]
"PDUiP6000DTskbr"="F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 09:29 69632]
"Microsoft Works Update Detection"="F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21 28672]
"QuickTime Task"="F:\PROGRA~1\QUICKT~1\qttask.exe" [2006-09-01 15:57 282624]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Verizon_McciTrayApp"="F:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"VerizonServicepoint.exe"="F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 16:20 2061816]
"000000af"="F:\WINDOWS\system32\smuqsuiw.dll" [2008-05-11 10:57 83024]
"BMcf339d83"="F:\WINDOWS\system32\egpqgarc.dll" [2008-05-11 14:06 90208]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"JB1IBJB1IB"= F:\Documents and Settings\All Users\Application Data\rezgdwhm\hmlelqbs.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= F:\WINDOWS\system32\ljJbBSIy.dll [2008-05-11 10:40 25728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJbBSIy]
ljJbBSIy.dll 2008-05-11 10:40 25728 F:\WINDOWS\system32\ljJbBSIy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Inr62.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\AIM\\aim.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"F:\\Program Files\\AIM6\\aim6.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"F:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 13:14:00 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 14:39:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: F:\WINDOWS\system32\winlogon.exe
-> F:\WINDOWS\system32\ljJbBSIy.dll
.
Completion time: 2008-05-11 14:42:11
ComboFix-quarantined-files.txt 2008-05-11 18:41:43
ComboFix2.txt 2008-05-11 18:26:02
ComboFix3.txt 2008-05-07 23:20:26

Pre-Run: 67,455,037,440 bytes free
Post-Run: 67,449,749,504 bytes free

238 --- E O F --- 2008-04-21 07:01:15


Logfile of HijackThis v1.99.1
Scan saved at 2:43:55 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
f:\PROGRA~1\mcafee.com\vso\OasClnt.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
f:\program files\mcafee.com\vso\mcvsshld.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\AIM6\aim6.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {B76361C5-6BE9-4109-83A2-BB095E69ADCF} - F:\WINDOWS\system32\efcDVpMg.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - F:\WINDOWS\system32\ljJbBSIy.dll
O2 - BHO: (no name) - {FB4CDFCB-7F35-454A-B1F9-91991E9B552F} - F:\WINDOWS\system32\nnnnNGVp.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [000000af] rundll32.exe "F:\WINDOWS\system32\smuqsuiw.dll",b
O4 - HKLM\..\Run: [BMcf339d83] Rundll32.exe "F:\WINDOWS\system32\egpqgarc.dll",s
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ljJbBSIy - F:\WINDOWS\SYSTEM32\ljJbBSIy.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

#15 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 12 May 2008 - 02:00 PM

Owing to the fact that you're being helped by a cabbage, this still seems to be an ongoing malware problem - I may just get it right this time!

Disable Spybot as before and then save the following in Notepad and then drop it on your Copy of ConmboFix as before - saved as CFScript again:

File::
F:\WINDOWS\system32\smuqsuiw.dll
F:\WINDOWS\system32\egpqgarc.dll
F:\WINDOWS\SYSTEM32\ljJbBSIy.dll
F:\WINDOWS\system32\efcDVpMg.dll
F:\WINDOWS\system32\ljJbBSIy.dll
F:\WINDOWS\system32\nnnnNGVp.dll
F:\WINDOWS\system32\wiusqums.ini
F:\WINDOWS\system32\egpqgarc.dll
F:\WINDOWS\system32\efcDVpMg.dll
F:\WINDOWS\system32\smuqsuiw.dll
F:\WINDOWS\system32\mtkbudex.dll
F:\WINDOWS\system32\lvxjuonp.dll
F:\WINDOWS\system32\nnnnNGVp.dll
F:\WINDOWS\system32\sockins32.dll
F:\WINDOWS\b2new.exe

Folder::
F:\Documents and Settings\All Users\Application Data\rezgdwhm

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Inr62.sys]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJbBSIy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"JB1IBJB1IB"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000000af"="-
"BMcf339d83"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B76361C5-6BE9-4109-83A2-BB095E69ADCF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB4CDFCB-7F35-454A-B1F9-91991E9B552F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]


I'll have the CF log and fresh HJT log as before and tell me things are OK this time!
Death to the salad eaters!

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users