NascarFan19

HJT Log


Logfile of HijackThis v1.99.1

Scan saved at 12:38:30 AM, on 4/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Common Files\AOL\ACS\acsd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT Log\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.pcpitstop.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [soundService] rundll32.exe "C:\WINDOWS\system32\gdqtakgt.dll",setvm

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159655123764

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


NascarFan19, rename HijackThis.exe to NascarFan.exe....it will still be HJT. Run the program again and post a new log.


Logfile of HijackThis v1.99.1

Scan saved at 6:44:50 PM, on 4/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Common Files\AOL\ACS\acsd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT Log\Nascarfan.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.pcpitstop.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {6E45F391-5AEC-4A9D-86BE-6183BB7CACBf} - C:\WINDOWS\system32\qqjjqvpy.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {D5324462-C090-40EE-9A8C-9F80DBB8507F} - C:\WINDOWS\system32\pmkhf.dll

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159655123764

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

***Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


VundoFix V6.3.18

 

Checking Java version...

 

Java version is 1.5.0.3

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.11

 

Scan started at 10:24:17 PM 4/1/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\fhkmp.bak1

C:\WINDOWS\system32\fhkmp.bak2

C:\WINDOWS\system32\fhkmp.ini

C:\WINDOWS\system32\gdqtakgt.dll

C:\WINDOWS\system32\jklenkxw.dll

C:\WINDOWS\system32\pmkhf.dll

C:\WINDOWS\system32\qfpbbuju.dll

C:\WINDOWS\system32\qomkhge.dll

C:\WINDOWS\system32\qrigelft.ini

C:\WINDOWS\system32\ssqroll.dll

C:\WINDOWS\system32\tflegirq.dll

C:\WINDOWS\system32\tuvwuts.dll

C:\WINDOWS\system32\vrurbacg.exe

C:\WINDOWS\system32\wxknelkj.ini

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\fhkmp.bak1

C:\WINDOWS\system32\fhkmp.bak1 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\fhkmp.bak2

C:\WINDOWS\system32\fhkmp.bak2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\fhkmp.ini

C:\WINDOWS\system32\fhkmp.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\gdqtakgt.dll

C:\WINDOWS\system32\gdqtakgt.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\jklenkxw.dll

C:\WINDOWS\system32\jklenkxw.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pmkhf.dll

C:\WINDOWS\system32\pmkhf.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\qfpbbuju.dll

C:\WINDOWS\system32\qfpbbuju.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\qomkhge.dll

C:\WINDOWS\system32\qomkhge.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\qrigelft.ini

C:\WINDOWS\system32\qrigelft.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\ssqroll.dll

C:\WINDOWS\system32\ssqroll.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\tflegirq.dll

C:\WINDOWS\system32\tflegirq.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\tuvwuts.dll

C:\WINDOWS\system32\tuvwuts.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\vrurbacg.exe

C:\WINDOWS\system32\vrurbacg.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\wxknelkj.ini

C:\WINDOWS\system32\wxknelkj.ini Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.3.19

 

Checking Java version...

 

Java version is 1.5.0.3

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.11

 

Scan started at 8:15:01 PM 4/2/2007

 

Listing files found while scanning....

 

 

VundoFix V6.3.19

 

Checking Java version...

 

Java version is 1.5.0.3

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.11

 

Scan started at 9:15:33 PM 4/3/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\btediwkh.dll

 

Beginning removal...

 

Performing Repairs to the registry.

Done!

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 9:51:30 PM, on 4/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\HJT Log\Nascarfan.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.pcpitstop.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {6E45F391-5AEC-4A9D-86BE-6183BB7CACBf} - C:\WINDOWS\system32\qqjjqvpy.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {D5324462-C090-40EE-9A8C-9F80DBB8507F} - C:\WINDOWS\system32\pmkhf.dll (file missing)

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159655123764

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Disable WinPatrol as it may want to interfere with this fix.

 

Rescan with HJT, check these items:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

 

O2 - BHO: (no name) - {6E45F391-5AEC-4A9D-86BE-6183BB7CACBf} - C:\WINDOWS\system32\qqjjqvpy.dll (file missing)

O2 - BHO: (no name) - {D5324462-C090-40EE-9A8C-9F80DBB8507F} - C:\WINDOWS\system32\pmkhf.dll (file missing)

 

 

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

If this version is paid for, then leave this item alone

 

O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

 

Close all windows except HJT, then click 'fix checked'. Exit HJT.

 

Go to Add/Remove programs and uninstall (if found):

SoundService

WeatherBug ** if not the paid for version.

 

Reboot/restart your computer normally.

 

Next update your Java to Java Runtime Environment (JRE) 6

  • Go to Start > Control Panel, double-click on the Software icon > add/remove programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment.... ). It should have this icon next to it: [image not reproduced]. Select it and click Remove.
  • Then Download and install (offline) the newest version from here: http://java.sun.com/javase/downloads/index.jsp

Reboot once again and

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it will produce a log for you. Post that log in your next reply along with a new HJT log.

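The fix list above is built by reading the HJT log for two kinds of entry: load points whose target is marked "(no file)" or "(file missing)" (orphaned registry references, safe to remove), and load points that pull an unnamed, random-looking DLL out of system32, which in this thread appears in the O2 (BHO), O4 (Run, via rundll32) and O20 (Winlogon Notify) sections, with pmkhf.dll registered in two of them. The script below is an added example, not part of HijackThis, VundoFix or the helper's posts: it parses HJT v1.99-style lines and applies those same triage rules, plus a cross-section count so a DLL registered in more than one load point is escalated. The sample lines are copied from the logs posted in this thread; the rule names and thresholds are the author's own heuristics, not HijackThis output.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not tool output)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: lines taken from the HJT logs posted in this thread,
# plus benign entries (Acrobat BHO, AVG Run entry, WgaLogon notify) as controls.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D5324462-C090-40EE-9A8C-9F80DBB8507F} - C:\WINDOWS\system32\pmkhf.dll
O2 - BHO: (no name) - {6E45F391-5AEC-4A9D-86BE-6183BB7CACBf} - C:\WINDOWS\system32\qqjjqvpy.dll (file missing)
O4 - HKLM\..\Run: [soundService] rundll32.exe "C:\WINDOWS\system32\gdqtakgt.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
"""

SECTION_RE = re.compile(r"^(R\d|O\d+) - ")                 # "O2 - ", "O20 - ", "R3 - "
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)$")   # HJT's own missing-target markers
SYS32_DLL_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\system32\\([A-Za-z0-9_~]+)\.dll", re.IGNORECASE)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - ")   # captures the notify key name


@dataclass
class Finding:
    section: str
    dll: Optional[str]      # lowercased stem of the system32 DLL the entry loads, if any
    reasons: List[str]
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per HJT line that matches at least one triage rule."""
    parsed = []
    loadpoints: Dict[str, Set[str]] = {}     # dll stem -> sections that load it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue                          # header, process list, blank line
        dm = SYS32_DLL_RE.search(line)
        stem = dm.group(1) if dm else None
        orphan = bool(ORPHAN_RE.search(line))
        parsed.append((m.group(1), line, stem, orphan))
        if stem and not orphan:               # only files that still exist count as live load points
            loadpoints.setdefault(stem.lower(), set()).add(m.group(1))

    findings = []
    for section, line, stem, orphan in parsed:
        reasons = []
        dll = stem.lower() if stem else None
        if orphan:
            reasons.append("orphan: the entry points at a file that is no longer on disk")
        elif dll:
            if section == "O2" and "(no name)" in line:
                reasons.append("unnamed BHO loaded from system32")
            if section == "O4" and "rundll32.exe" in line.lower():
                reasons.append("Run entry uses rundll32 to load a system32 DLL by export")
            nm = O20_RE.match(line)
            # Heuristic from this thread: notify key named exactly after a lowercase DLL stem.
            if nm and nm.group(1) == stem and stem.isalpha() and stem.islower():
                reasons.append("Winlogon Notify key named after its own lowercase DLL stem")
            sections = loadpoints.get(dll, set())
            if len(sections) > 1:
                reasons.append(f"same DLL registered in {len(sections)} load points: "
                               + ", ".join(sorted(sections)))
        if reasons:
            findings.append(Finding(section, dll, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.dll or '-':10} {'; '.join(f.reasons)}")
```

Run against the sample, the orphan rule fires for the Yahoo R3, the qqjjqvpy O2 and the unnamed O9 entries, and pmkhf.dll is escalated because it is registered as both a BHO and a Winlogon Notify package; the Acrobat, AVG and WgaLogon controls produce no finding. The DLL-name heuristics are deliberately narrow (they would not, on their own, catch a legitimately named implant), so the orphan check and the multi-load-point count are the rules to trust first.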

"Cecil" - 07-04-04 22:20:38 Service Pack 2

ComboFix 07-04-04.5 - Running from: "C:\Documents and Settings\Cecil\Desktop"

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\Cecil\Desktop.\internet explorer.lnk

C:\Program Files\Common Files\{38C26~1

C:\Program Files\Common Files\{48C26~1

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-03-04 to 2007-04-04 ))))))))))))))))))))))))))))))))))

 

 

2007-04-01 22:24 <DIR> d-------- C:\VundoFix Backups

2007-04-01 00:37 <DIR> d-------- C:\HJT Log

2007-03-27 23:16 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Free

2007-03-27 23:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll

2007-03-27 23:05 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll

2007-03-27 21:16 0 --a------ C:\WINDOWS\system32\taskkill.exe

2007-03-27 20:37 31,844 --------- C:\WINDOWS\system32\mljjg.exe

2007-03-25 22:05 98,304 --a------ C:\WINDOWS\system32\WinFlyer32.dll

2007-03-25 22:04 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\.wyzo

2007-03-25 20:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-03-25 20:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-03-16 20:00 <DIR> d-------- C:\e4d93996ebf690fc2a909c5a7c

2007-03-15 22:09 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys

2007-03-15 22:09 <DIR> d-------- C:\My Music

2007-03-15 22:08 <DIR> d-------- C:\Program Files\Real

2007-03-12 23:37 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\Real

2007-03-12 23:32 <DIR> d-------- C:\My Downloads

2007-03-11 13:28 <DIR> dr------- C:\2006 Tax Returns

2007-03-11 12:24 <DIR> d-------- C:\help

2007-03-04 02:52 <DIR> d-------- C:\Program Files\NCH Swift Sound

2007-03-04 02:52 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\NCH Swift Sound

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-04-04 22:14 -------- d-------- C:\Program Files\java

2007-04-04 21:51 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\weatherbug

2007-04-02 20:30 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-03-31 22:00 -------- d-------- C:\Program Files\spywareblaster

2007-03-28 22:30 -------- d-------- C:\Program Files\pcpitstop

2007-03-22 00:16 -------- d-------- C:\Program Files\partygaming.net

2007-03-15 22:09 -------- d-------- C:\Program Files\Common Files\real

2007-03-08 22:18 -------- d-------- C:\Program Files\wavman 11

2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll

2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll

2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll

2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys

2007-02-24 13:25 -------- d-------- C:\Program Files\eusing free registry cleaner

2007-02-17 13:21 -------- d-------- C:\Program Files\gimpshop

2007-02-11 20:13 -------- d-------- C:\Program Files\limewire

2007-02-09 00:14 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\viewpoint

2007-02-05 00:10 -------- d-------- C:\Program Files\java(3)

2007-02-05 00:10 -------- d-------- C:\Program Files\Common Files\java(3)

2007-02-05 00:10 -------- d-------- C:\Program Files\Common Files\java(2)

2007-02-04 21:30 -------- d-------- C:\Program Files\java(2)

2007-01-14 19:55 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll

2007-01-14 19:55 118784 --a------ C:\WINDOWS\system32\pdfmona.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{4D7C8A39-430F-4091-B9BF-3173DFA06DA0}"=""

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=dword:00000000

"NoResolveSearch"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

 

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

 

 

********************************************************************

 

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006

http://www.gmer.net

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

********************************************************************

 

Completion time: 07-04-04 22:26:23

C:\ComboFix-quarantined-files.txt ... 07-04-04 22:26

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 10:28:13 PM, on 4/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\HJT Log\Nascarfan.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.pcpitstop.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159655123764

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


It doesn't look like you updated Java. This is really important because leaving the old Java files on your machine will pick up the Vundo exploits!

Please follow my instructions to delete the old and download Java Runtime Environment (JRE) 6.

 

Next, generate a report of the Add/Remove screen entries:

Open Hijackthis, In the lower right corner click the Config... (Configuration) button.
Once in the Configuration panel, click Misc Tools button.
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

 

Run VundoFix V6.3.19 and Combofix again.

 

Please post all three logs along with a new HJT log.

 

You could also let me know if anything has changed as far as the "weirdness" goes :geezer:


Jacee...I indeed deleted 3 versions of Java on Software removal list. I went thru your link and downloaded the Java file. There are 2 versions available, online and offline. I am on cable, so I am online all the time. Anyway, I followed the prompts and what you see in the scan I posted is what I downloaded.

It is acting much better now. I was getting a lot of pop-up pages and crazy stuff before. I DO appreciate your help. I again deleted all versions of Java and redownloaded it. This makes 2 times now. :angry:

 

Again, thanks for your help


Okay, thanks for letting me know. I don't think you're totally clean yet, so let's continue.

 

Download AVG Anti-Spyware 7.5 from

HERE

and save that file to your desktop.

This is a 30 day trial of the program

  • Once you have downloaded AVG anti-spyware, locate the icon on the

    desktop and double-click it to launch the set up program.

  • Once the setup is complete you will need run AVG Anti-Spyware 7.5 and

    update the

    definition files.

  • On the main screen select the icon "Update" then select the

    "Update now" link.

    • Next select the "Start Update" button, the update will start and a

      progress bar will show the updates being installed.

  • Once the update has completed select the "Scanner" icon at the top

    of the screen, then select the "Settings" tab.

  • Once in the Settings screen click on "Recommended actions" and

    then select "Quarantine".

  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware 7.5, Do Not run a scan just yet, we will

shortly.

  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

    IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process.

  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG will now begin the scanning process, be patient this may take a little time.

    Once the scan is complete do the following:

  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode.

Run ComboFix again, following the same instructions as before.

 

Please post:

  • AVG AS report log
  • New ComboFix log
  • Fresh HJT log


Jacee, as a long time member of the Pit Forum, but as a small contributor on computer problems, I must thank you and all the others that understand the methods of cleaning and hopefully rescuing computers in need. Without people like you, the rest of us would be at the mercy of those that wish to harm. Again, I offer my heartfelt thanks to you and those that contribute their time and knowledge to helping the rest of us. :geezer:

 

 

 

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 2:33:57 AM 4/7/2007

 

+ Scan result:

 

 

 

HKLM\SOFTWARE\Classes\CLSID\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5} -> Adware.Generic : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Classes\CLSID\{d869742a-e5d2-4624-96c7-aae26170665e} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).

HKU\S-1-5-21-3942243025-1647371527-101265881-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D869742A-E5D2-4624-96C7-AAE26170665E} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}\RP250\A0084683.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}\RP250\A0084685.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\VundoFix Backups\ssqroll.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\VundoFix Backups\tuvwuts.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\Program Executes\Nero\Nero 7.0.1.2 Ultra Edition with Keygen.zip/Nero 7 Keygen from Paradox/Nero7Keygen.exe -> Backdoor.Hupigon : Cleaned with backup (quarantined).

C:\Program Executes\Nero\Nero 7.0.1.2 Ultra Edition with Keygen\Nero 7 Keygen from Paradox\Nero7Keygen.exe -> Backdoor.Hupigon : Cleaned with backup (quarantined).

C:\Program Executes\Nero\Nero7Keygen.exe -> Backdoor.Hupigon : Cleaned with backup (quarantined).

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Cnn : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Msn : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][1].txt -> TrackingCookie.Netflame : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Revsci : Cleaned.

C:\Program Executes\WinRAR[1].v3.51.WinALL.Cracked-CORE.ZIP/WinRAR.v3.51.WinALL.Cracked-CORE/crack.exe -> Trojan.Small : Cleaned with backup (quarantined).

 

 

::Report end

 

 

"Cecil" - 07-04-07 15:32:57 Service Pack 2

ComboFix 07-04-04.5 - Running from: "C:\Program Executes"

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\Cecil\Desktop.\internet explorer.lnk

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-03-07 to 2007-04-07 ))))))))))))))))))))))))))))))))))

 

 

2007-04-07 15:16 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\Xdrive

2007-04-06 23:33 4,992 --a------ C:\WINDOWS\system32\drivers\loop.sys

2007-04-06 23:30 <DIR> d-------- C:\Program Files\Common Files\Merge Modules

2007-04-06 23:29 55,808 --a------ C:\WINDOWS\system32\zlib1.dll

2007-04-06 23:29 <DIR> d-------- C:\Program Files\Xdrive

2007-04-06 23:29 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\InstallShield

2007-04-06 21:05 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-04-01 22:24 <DIR> d-------- C:\VundoFix Backups

2007-04-01 00:37 <DIR> d-------- C:\HJT Log

2007-03-27 23:16 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Free

2007-03-27 23:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll

2007-03-27 23:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll

2007-03-27 21:16 0 --a------ C:\WINDOWS\system32\taskkill.exe

2007-03-27 20:37 31,844 --------- C:\WINDOWS\system32\mljjg.exe

2007-03-25 22:05 98,304 --a------ C:\WINDOWS\system32\WinFlyer32.dll

2007-03-25 22:04 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\.wyzo

2007-03-25 20:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-03-25 20:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-03-16 20:00 <DIR> d-------- C:\e4d93996ebf690fc2a909c5a7c

2007-03-15 22:09 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys

2007-03-15 22:09 <DIR> d-------- C:\My Music

2007-03-15 22:08 <DIR> d-------- C:\Program Files\Real

2007-03-12 23:37 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\Real

2007-03-12 23:32 <DIR> d-------- C:\My Downloads

2007-03-11 13:28 <DIR> dr------- C:\2006 Tax Returns

2007-03-11 12:24 <DIR> d-------- C:\help

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-04-06 23:29 -------- d--h----- C:\Program Files\installshield installation information

2007-04-06 21:41 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\limewire

2007-04-06 09:54 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\weatherbug

2007-04-05 21:34 -------- d-------- C:\Program Files\java

2007-04-02 20:30 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-03-31 22:00 -------- d-------- C:\Program Files\spywareblaster

2007-03-28 22:30 -------- d-------- C:\Program Files\pcpitstop

2007-03-22 00:16 -------- d-------- C:\Program Files\partygaming.net

2007-03-15 22:09 -------- d-------- C:\Program Files\Common Files\real

2007-03-08 22:18 -------- d-------- C:\Program Files\wavman 11

2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll

2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll

2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll

2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys

2007-03-04 02:57 -------- d-------- C:\Program Files\nch swift sound

2007-03-04 02:57 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\nch swift sound

2007-02-24 13:25 -------- d-------- C:\Program Files\eusing free registry cleaner

2007-02-17 13:21 -------- d-------- C:\Program Files\gimpshop

2007-02-11 20:13 -------- d-------- C:\Program Files\limewire

2007-02-09 00:14 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\viewpoint

2007-01-14 19:55 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll

2007-01-14 19:55 118784 --a------ C:\WINDOWS\system32\pdfmona.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"

"XdriveTrayIcon"="\"C:\\Program Files\\Xdrive\\Xdrive Desktop\\XdriveTray.exe\""

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

"HostManager"="C:\\Program Files\\Common Files\\AOL\\1175916704\\ee\\AOLSoftware.exe"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{4D7C8A39-430F-4091-B9BF-3173DFA06DA0}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=dword:00000000

"NoResolveSearch"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

 

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

C:\WINDOWS\tasks\Xdrive Backup - Backup Set 1.job

 

 

********************************************************************

 

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006

http://www.gmer.net

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

********************************************************************

 

Completion time: 07-04-07 15:40:09

C:\ComboFix-quarantined-files.txt ... 07-04-07 15:40

C:\ComboFix2.txt ... 07-04-04 22:26

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 3:43:43 PM, on 4/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Common Files\AOL\1175916704\ee\AOLSoftware.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Xdrive\Xdrive Desktop\XdrSmb.exe

C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\HJT Log\Nascarfan.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.pcpitstop.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175916704\ee\AOLSoftware.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [XdriveTrayIcon] "C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe"

O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.xdrive.com/downloads/std_install/setup.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159655123764

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: Xdrive Service - Xdrive LLC - C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

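Each fresh HijackThis log in this thread is read against the previous one to see which autostart entries, BHOs and services a fix actually removed and which are new. The following is an added example, not code from the thread or from HijackThis: it parses the O2, O4 and O23 line formats that appear in the logs above, diffs two logs, and applies two simple triage flags (an entry whose file is "(no file)", and a Run value that loads a DLL through rundll32.exe). The two sample logs inside it are constructed in the same format; the "exampleSvc" value and constructed.dll are invented for the example.

```python
"""Parse HijackThis 1.99.1 log lines and diff two logs.

Added example for this thread; it is not part of HijackThis or of any tool
used here.  It handles three line formats that appear in the logs above:

  O2 - BHO: <name> - {CLSID} - <path>
  O4 - HKLM\\..\\Run: [<value name>] <command line>
  O23 - Service: <display name> - <company> - <path>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run[^:]*): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<target>.*)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # "O2", "O4" or "O23"
    name: str     # BHO name, Run value name or service display name
    target: str   # file path or command line exactly as logged

    def key(self) -> Tuple[str, str, str]:
        # Windows paths and value names are case-insensitive, so compare case-folded.
        return (self.section, self.name.lower(), self.target.lower())


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return the O2/O4/O23 entries of a log in the order they appear."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, pattern in (("O2", O2_RE), ("O4", O4_RE), ("O23", O23_RE)):
            m = pattern.match(line)
            if m:
                entries.append(HjtEntry(section, m.group("name"), m.group("target")))
                break
    return entries


def diff_hjt(old_text: str, new_text: str) -> Tuple[List[HjtEntry], List[HjtEntry]]:
    """Return (added, removed): entries only in the new log / only in the old log."""
    old: Dict[Tuple[str, str, str], HjtEntry] = {e.key(): e for e in parse_hjt(old_text)}
    new: Dict[Tuple[str, str, str], HjtEntry] = {e.key(): e for e in parse_hjt(new_text)}
    added = [e for k, e in new.items() if k not in old]
    removed = [e for k, e in old.items() if k not in new]
    return added, removed


def suspicious(entry: HjtEntry) -> Optional[str]:
    """Two cheap triage heuristics; a hit means 'look closer', not 'malware'."""
    target = entry.target.lower()
    if "(no file)" in target:
        return "orphaned entry: the referenced file no longer exists"
    if entry.section == "O4" and "rundll32" in target and ".dll" in target:
        # A DLL started from an autostart value via rundll32 is a common adware/trojan
        # persistence pattern; legitimate software rarely needs to start this way.
        return "Run value loads a DLL through rundll32.exe; identify that DLL"
    return None


# Constructed sample logs in the thread's format (NOT the thread's own logs); the
# "exampleSvc" value and constructed.dll are invented for the example.
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [exampleSvc] rundll32.exe "C:\WINDOWS\system32\constructed.dll",setvm
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
"""

NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O23 - Service: Xdrive Service - Xdrive LLC - C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe
"""

if __name__ == "__main__":
    added, removed = diff_hjt(OLD_LOG, NEW_LOG)
    for label, group in (("ADDED", added), ("REMOVED", removed)):
        for e in group:
            flag = suspicious(e)
            print(f"{label:8} {e.section:4} [{e.name}] {e.target}" + (f"  <-- {flag}" if flag else ""))
```

Run it directly to see the report; the diff shows the new Java BHO, the AVG Anti-Spyware Run value and the Xdrive service as added, and the orphaned BHO and the rundll32-loaded DLL as removed, each with its triage flag. The heuristics deliberately stay minimal: the point is to surface what changed between scans, leaving the judgement about each entry to the person reading the log.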

More to do...looks like you've been busy :pullhair::lol:

 

1. Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button

A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company

Click the big Scan Now button

*If it wants to install an ActiveX component allow it
*It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

When download is complete, click on My Computer to start the scan

*Leave the autoclean checked

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location (activescan.txt to desktop). Post the contents of the ActiveScan report

 

 

 

2. Next, download SmitfraudFix (by S!Ri) to your Desktop.

 

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

 

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

 

IMPORTANT: Do NOT run any other options until you are asked to do so!

 

Post:

  • ActiveScan report
  • rapport.txt


Incident Status Location

 

Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt

Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\gdqtakgt.dll.bad

Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jklenkxw.dll.bad

Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\qfpbbuju.dll.bad

Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\qomkhge.dll.bad

Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\tflegirq.dll.bad

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\vrurbacg.exe.bad

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\WinFlyer32.dll

SmitFraudFix v2.166

 

Scan done at 1:14:52.01, Sun 04/08/2007

Run from C:\Documents and Settings\Cecil\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Common Files\AOL\ACS\acsd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Cecil

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Cecil\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Cecil\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

C:\Program Files\MMediaCodec\ FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport

DNS Server Search Order: 24.25.5.150

DNS Server Search Order: 24.25.5.149

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A3CEEB48-05BC-466B-8F9B-959B8BC866D9}: DhcpNameServer=24.25.5.150 24.25.5.149

HKLM\SYSTEM\CS1\Services\Tcpip\..\{A3CEEB48-05BC-466B-8F9B-959B8BC866D9}: DhcpNameServer=24.25.5.150 24.25.5.149

HKLM\SYSTEM\CS3\Services\Tcpip\..\{A3CEEB48-05BC-466B-8F9B-959B8BC866D9}: DhcpNameServer=24.25.5.150 24.25.5.149

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


Print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

 

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

 

Once in Safe Mode, double-click the SmitfraudFix.exe again.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

 

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

______________________________

 

Clean out your Temporary Internet files. Proceed like this:

  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

 

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin

______________________________

Close ALL open Windows / Programs / Folders.

While in Safe Mode, scan with AVG Anti-Spyware as follows:

  1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan?" check all (default).
    • Under "Possibly unwanted software" check all (default).
    • Under "What to Scan?" make sure "Scan every file" is selected (default).
    • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
  2. Click the "Scan" tab to return to scanning options.
  3. Click "Complete System Scan" to start.
  4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

  5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  6. Exit AVG Anti-Spyware when done, reboot your system back into Normal Mode.

_____________________________

 

Double-click the SmitfraudFix.exe.

Select option #3 - Delete Trusted zone by typing 3 and press Enter

 

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

______________________________

 

Please post:

  • c:\rapport.txt
  • AVG AS log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.


Jacee, I got no warnings that these logs were too long for space available here. I hope they are in their entirety.

 

 

SmitFraudFix v2.166

 

Scan done at 13:32:57.62, Sun 04/08/2007

Run from C:\Program Executes\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

10.254.254.253 Xdrive

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\Program Files\MMediaCodec\ Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A3CEEB48-05BC-466B-8F9B-959B8BC866D9}: DhcpNameServer=24.25.5.150 24.25.5.149

HKLM\SYSTEM\CS1\Services\Tcpip\..\{A3CEEB48-05BC-466B-8F9B-959B8BC866D9}: DhcpNameServer=24.25.5.150 24.25.5.149

HKLM\SYSTEM\CS3\Services\Tcpip\..\{A3CEEB48-05BC-466B-8F9B-959B8BC866D9}: DhcpNameServer=24.25.5.150 24.25.5.149

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 2:33:57 AM 4/7/2007

 

+ Scan result:

 

 

 

HKLM\SOFTWARE\Classes\CLSID\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5} -> Adware.Generic : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Classes\CLSID\{d869742a-e5d2-4624-96c7-aae26170665e} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).

HKU\S-1-5-21-3942243025-1647371527-101265881-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D869742A-E5D2-4624-96C7-AAE26170665E} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}\RP250\A0084683.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}\RP250\A0084685.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\VundoFix Backups\ssqroll.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\VundoFix Backups\tuvwuts.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\Program Executes\Nero\Nero 7.0.1.2 Ultra Edition with Keygen.zip/Nero 7 Keygen from Paradox/Nero7Keygen.exe -> Backdoor.Hupigon : Cleaned with backup (quarantined).

C:\Program Executes\Nero\Nero 7.0.1.2 Ultra Edition with Keygen\Nero 7 Keygen from Paradox\Nero7Keygen.exe -> Backdoor.Hupigon : Cleaned with backup (quarantined).

C:\Program Executes\Nero\Nero7Keygen.exe -> Backdoor.Hupigon : Cleaned with backup (quarantined).

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Cnn : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Msn : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][1].txt -> TrackingCookie.Netflame : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned.

C:\Documents and Settings\Cecil\Cookies\[email protected][2].txt -> TrackingCookie.Revsci : Cleaned.

C:\Program Executes\WinRAR[1].v3.51.WinALL.Cracked-CORE.ZIP/WinRAR.v3.51.WinALL.Cracked-CORE/crack.exe -> Trojan.Small : Cleaned with backup (quarantined).

 

 

::Report end

 

Logfile of HijackThis v1.99.1

Scan saved at 5:55:59 PM, on 4/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\HJT Log\Nascarfan.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.pcpitstop.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.xdrive.com/downloads/std_install/setup.exe

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: Xdrive Service - Xdrive LLC - C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

Edited by NascarFan19


That's looking better :)

Run Combofix again and post the log. Please tell me how your computer is running now... any more pop-ups or weirdness?


It seems to be much better now, Jacee. The pop-ups are gone. I haven't a clue where they came from, since I use a pop-up blocker.

"Cecil" - 07-04-08 18:55:02 Service Pack 2

ComboFix 07-04-04.5 - Running from: "C:\Program Executes"

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\Cecil\Desktop.\internet explorer.lnk

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))

 

 

2007-04-08 18:07 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll

2007-04-08 01:15 796 --a------ C:\WINDOWS\system32\tmp.reg

2007-04-08 01:14 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe

2007-04-08 01:14 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-04-08 01:14 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-04-08 01:14 40,960 --a------ C:\WINDOWS\system32\swsc.exe

2007-04-08 01:14 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-04-08 01:14 135,168 --a------ C:\WINDOWS\system32\swreg.exe

2007-04-07 20:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-04-07 16:04 <DIR> d-------- C:\Program Files\MSXML 4.0

2007-04-07 16:04 <DIR> d-------- C:\a9de6da54b6c4e208c48

2007-04-07 15:16 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\Xdrive

2007-04-06 23:33 4,992 --a------ C:\WINDOWS\system32\drivers\loop.sys

2007-04-06 23:30 <DIR> d-------- C:\Program Files\Common Files\Merge Modules

2007-04-06 23:29 55,808 --a------ C:\WINDOWS\system32\zlib1.dll

2007-04-06 23:29 <DIR> d-------- C:\Program Files\Xdrive

2007-04-06 23:29 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\InstallShield

2007-04-06 21:05 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-04-01 22:24 <DIR> d-------- C:\VundoFix Backups

2007-04-01 00:37 <DIR> d-------- C:\HJT Log

2007-03-27 23:16 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Free

2007-03-27 23:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll

2007-03-27 23:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll

2007-03-27 21:16 0 --a------ C:\WINDOWS\system32\taskkill.exe

2007-03-27 20:37 31,844 --------- C:\WINDOWS\system32\mljjg.exe

2007-03-25 22:05 98,304 --a------ C:\WINDOWS\system32\WinFlyer32.dll

2007-03-25 22:04 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\.wyzo

2007-03-25 20:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-03-25 20:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-03-16 20:00 <DIR> d-------- C:\e4d93996ebf690fc2a909c5a7c

2007-03-15 22:09 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys

2007-03-15 22:09 <DIR> d-------- C:\My Music

2007-03-15 22:08 <DIR> d-------- C:\Program Files\Real

2007-03-12 23:37 <DIR> d-------- C:\DOCUME~1\Cecil\APPLIC~1\Real

2007-03-12 23:32 <DIR> d-------- C:\My Downloads

2007-03-11 13:28 <DIR> dr------- C:\2006 Tax Returns

2007-03-11 12:24 <DIR> d-------- C:\help

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-04-08 18:08 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-04-06 23:29 -------- d--h----- C:\Program Files\installshield installation information

2007-04-06 21:41 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\limewire

2007-04-06 09:54 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\weatherbug

2007-04-05 21:34 -------- d-------- C:\Program Files\java

2007-03-31 22:00 -------- d-------- C:\Program Files\spywareblaster

2007-03-28 22:30 -------- d-------- C:\Program Files\pcpitstop

2007-03-22 00:16 -------- d-------- C:\Program Files\partygaming.net

2007-03-15 22:09 -------- d-------- C:\Program Files\Common Files\real

2007-03-08 22:18 -------- d-------- C:\Program Files\wavman 11

2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll

2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll

2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll

2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys

2007-03-04 02:57 -------- d-------- C:\Program Files\nch swift sound

2007-03-04 02:57 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\nch swift sound

2007-02-24 13:25 -------- d-------- C:\Program Files\eusing free registry cleaner

2007-02-17 13:21 -------- d-------- C:\Program Files\gimpshop

2007-02-11 20:13 -------- d-------- C:\Program Files\limewire

2007-02-09 00:14 -------- d-------- C:\DOCUME~1\Cecil\APPLIC~1\viewpoint

2007-01-14 19:55 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll

2007-01-14 19:55 118784 --a------ C:\WINDOWS\system32\pdfmona.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{4D7C8A39-430F-4091-B9BF-3173DFA06DA0}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=dword:00000000

"NoResolveSearch"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

 

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

C:\WINDOWS\tasks\Xdrive Backup - Backup Set 1.job

 

 

********************************************************************

 

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006

http://www.gmer.net

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

********************************************************************

 

Completion time: 07-04-08 19:27:05

C:\ComboFix-quarantined-files.txt ... 07-04-08 19:27

C:\ComboFix2.txt ... 07-04-07 15:40

C:\ComboFix3.txt ... 07-04-04 22:26


Please go to Virus Total:

http://www.virustotal.com/flash/index_en.html

 

Click: Browse, and go to

C:\WINDOWS\system32\MFC71.dll

C:\WINDOWS\system32\taskkill.exe

C:\DOCUME~1\Cecil\APPLIC~1\.wyzo

C:\e4d93996ebf690fc2a909c5a7c

 

Upload each of these items and have them scanned. Include the results in your next post.

 

Next:

Download comboscan from www.techsupportforum.com/sectools/Deckard/comboscan.exe to your Desktop.

Close all applications and windows.

Double-click on comboscan.exe to run it, and follow the prompts.

When the scan is complete, a text file will open - ComboScan.txt

Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt.

A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.

Please attach Supplementary.txt to your post.

 

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

 

To attach a file to a new post, simply

Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and

copy and paste the following into the "Upload File from your Computer" box:

 

C:\ComboScan\Supplementary.txt

 

Click Upload.

 

You may need to make several posts to give me all the information :)


I know you ain't gonna believe this. :pullhair: I scanned and copied to a post and then closed the FREAKING WINDOW!!!!!!!!! :pullhair: I DID look at each as they scanned, and I can assure you that they all came up clean. If you wish, I will do another scan at VirusTotal and post it. Otherwise, I will post the rest of the scans you requested.


I believe you :mrgreen:

 

I know it takes a bit of time to scan, but I do need to see the results myself.


Antivirus Version Update Result

AhnLab-V3 2007.4.10.0 04.09.2007 no virus found

AntiVir 7.3.1.48 04.09.2007 no virus found

Authentium 4.93.8 04.09.2007 no virus found

Avast 4.7.936.0 04.08.2007 no virus found

AVG 7.5.0.447 04.10.2007 no virus found

BitDefender 7.2 04.10.2007 no virus found

CAT-QuickHeal 9.00 04.09.2007 no virus found

ClamAV devel-20070312 04.09.2007 no virus found

DrWeb 4.33 04.09.2007 no virus found

eSafe 7.0.15.0 04.09.2007 no virus found

eTrust-Vet 30.7.3556 04.09.2007 no virus found

Ewido 4.0 04.09.2007 no virus found

FileAdvisor 1 04.10.2007 No threat detected

Fortinet 2.85.0.0 04.09.2007 no virus found

F-Prot 4.3.1.45 04.08.2007 no virus found

F-Secure 6.70.13030.0 04.09.2007 no virus found

Ikarus T3.1.1.3 04.09.2007 no virus found

Kaspersky 4.0.2.24 04.10.2007 no virus found

McAfee 5004 04.09.2007 no virus found

Microsoft 1.2405 04.10.2007 no virus found

NOD32v2 2175 04.09.2007 no virus found

Norman 5.80.02 04.09.2007 no virus found

Panda 9.0.0.4 04.09.2007 no virus found

Prevx1 V2 04.10.2007 no virus found

Sophos 4.16.0 04.06.2007 no virus found

Sunbelt 2.2.907.0 04.07.2007 no virus found

Symantec 10 04.10.2007 no virus found

TheHacker 6.1.6.088 04.09.2007 no virus found

VBA32 3.11.3 04.09.2007 no virus found

VirusBuster 4.3.7:9 04.09.2007 no virus found

Webwasher-Gateway 6.0.1 04.09.2007 no virus found

 

 

Additional Information

File size: 1060864 bytes

MD5: 1fd3f9722119bdf7b8cff0ecd1e84ea6

SHA1: 9a4faa258b375e173feaca91a8bd920baf1091eb

Bit9 info: http://fileadvisor.bit9.com/services/extin...8cff0ecd1e84ea6

 

The following is the scan of taskkill.exe

0 bytes size received / Se ha recibido un archivo vacio

 


STATUS: FINISHED

Complete scanning result of "mrtstub.exe", received in VirusTotal at 04.10.2007, 02:26:35 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.4.10.0 04.09.2007 no virus found

AntiVir 7.3.1.48 04.09.2007 no virus found

Authentium 4.93.8 04.09.2007 no virus found

Avast 4.7.936.0 04.08.2007 no virus found

AVG 7.5.0.447 04.10.2007 no virus found

BitDefender 7.2 04.10.2007 no virus found

CAT-QuickHeal 9.00 04.09.2007 no virus found

ClamAV devel-20070312 04.09.2007 no virus found

DrWeb 4.33 04.09.2007 no virus found

eSafe 7.0.15.0 04.09.2007 no virus found

eTrust-Vet 30.7.3556 04.09.2007 no virus found

Ewido 4.0 04.09.2007 no virus found

FileAdvisor 1 04.10.2007 Not analyzed yet

Fortinet 2.85.0.0 04.09.2007 no virus found

F-Prot 4.3.1.45 04.08.2007 no virus found

F-Secure 6.70.13030.0 04.09.2007 no virus found

Ikarus T3.1.1.3 04.09.2007 no virus found

Kaspersky 4.0.2.24 04.10.2007 no virus found

McAfee 5004 04.09.2007 no virus found

Microsoft 1.2405 04.10.2007 no virus found

NOD32v2 2175 04.09.2007 no virus found

Norman 5.80.02 04.09.2007 no virus found

Panda 9.0.0.4 04.09.2007 no virus found

Prevx1 V2 04.10.2007 no virus found

Sophos 4.16.0 04.06.2007 no virus found

Sunbelt 2.2.907.0 04.07.2007 no virus found

Symantec 10 04.10.2007 no virus found

TheHacker 6.1.6.088 04.09.2007 no virus found

VBA32 3.11.3 04.09.2007 no virus found

VirusBuster 4.3.7:9 04.09.2007 no virus found

Webwasher-Gateway 6.0.1 04.09.2007 no virus found

 

 

Additional Information

File size: 89560 bytes

MD5: 8306dc1ed34f62d7e6abd1b0cdd145fe

SHA1: 6e2da2b664110ddc9e6a259eecde190384abe73b

Bit9 info: http://fileadvisor.bit9.com/services/extin...6abd1b0cdd145fe

 

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.



ComboScan v20070306.20 run by Cecil on 2007-04-09 at 18:59:50

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Successfully created ComboScan Restore Point.

 

 

-- Last 5 Restore Point(s) --

15: 2007-04-09 23:00:03 UTC - RP265 - ComboScan Restore Point

14: 2007-04-08 22:35:50 UTC - RP264 - System Checkpoint

13: 2007-04-07 20:03:44 UTC - RP263 - Software Distribution Service 2.0

12: 2007-04-07 03:30:02 UTC - RP262 - Installed Xdrive Desktop

11: 2007-04-07 03:29:29 UTC - RP261 - Installed Xdrive Desktop

 

 

-- First Restore Point --

1: 2007-04-03 03:20:05 UTC - RP251 - System Checkpoint

 

 

Performed disk cleanup.

 

 

-- HijackThis (run as Cecil.exe) -----------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 7:42:02 PM, on 4/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\AOL\ACS\acsd.exe

C:\WINDOWS\explorer.exe

C:\Program Executes\comboscan.exe

C:\HJTLOG~1\Cecil.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.pcpitstop.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.xdrive.com/downloads/std_install/setup.exe

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: Xdrive Service - Xdrive LLC - C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

 

 

-- HijackThis Fixed Entries (C:\HJTLOG~1\backups\) -----------------------------

 

backup-20070404-214711-233 O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

backup-20070404-214711-275 O2 - BHO: (no name) - {6E45F391-5AEC-4A9D-86BE-6183BB7CACBf} - C:\WINDOWS\system32\qqjjqvpy.dll (file missing)

backup-20070404-214711-365 O2 - BHO: (no name) - {D5324462-C090-40EE-9A8C-9F80DBB8507F} - C:\WINDOWS\system32\pmkhf.dll (file missing)

backup-20070404-214711-461 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

backup-20070404-214711-535 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

backup-20070404-214711-564 O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

backup-20070404-214711-755 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

backup-20070404-214711-838 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

backup-20070404-214712-670 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

backup-20070404-214712-986 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

 

-- File Associations -----------------------------------------------------------

 

.bat - batfile - "%1" %*

.chm - chm.file - "C:\WINDOWS\hh.exe" %1

.cmd - cmdfile - "%1" %*

.com - comfile - "%1" %*

.exe - exefile - "%1" %*

.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1

.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1

.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1

.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*

.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}

.pif - piffile - "%1" %*

.reg - regfile - regedit.exe "%1"

.scr - scrfile - "%1" /S

.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1

.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

3R ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2R ASCTRM - C:\WINDOWS\system32\drivers\asctrm.sys

1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

1R Avg7Core (AVG7 Kernel) - C:\WINDOWS\system32\drivers\avg7core.sys

1R Avg7RsW (AVG7 Wrap Driver) - C:\WINDOWS\system32\drivers\avg7rsw.sys

1R Avg7RsXP (AVG7 Resident Driver XP) - C:\WINDOWS\system32\drivers\avg7rsxp.sys

1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys

1R AvgClean (AVG7 Clean Driver) - C:\WINDOWS\system32\drivers\avgclean.sys

2R AvgTdi (AVG Network Redirector) - C:\WINDOWS\system32\drivers\avgtdi.sys

1R BANTExt (Belarc SMBios Access) - C:\WINDOWS\system32\drivers\BANTExt.sys

3R HSFHWBS2 - C:\WINDOWS\system32\drivers\hsfbs2s2.sys

3R HSF_DP - C:\WINDOWS\system32\drivers\hsfdpsp2.sys

3R ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys

4S InCDFs (InCD File System) - C:\WINDOWS\system32\drivers\InCDFs.sys (not found)

1S InCDPass - C:\WINDOWS\system32\drivers\InCDPass.sys (not found)

1S InCDRm (InCD Reader) - C:\WINDOWS\system32\drivers\InCDRm.sys (not found)

1S intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys

3S L8042Kbd (Logitech SetPoint Keyboard Driver) - C:\WINDOWS\system32\drivers\L8042Kbd.sys

3S L8042mou (SetPoint PS/2 Mouse Filter Driver) - C:\WINDOWS\system32\drivers\L8042mou.Sys

3S LMouKE (SetPoint Mouse Filter Driver) - C:\WINDOWS\system32\drivers\LMouKE.Sys

2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys

3R msloop (Microsoft Loopback Adapter Driver) - C:\WINDOWS\system32\drivers\loop.sys

3R ms_mpu401 (Microsoft MPU-401 MIDI UART Driver) - C:\WINDOWS\system32\drivers\msmpu401.sys

3R ousb2hub (OrangeWare USB 2.0 Root Hub Support) - C:\WINDOWS\system32\drivers\ousb2hub.sys

2R ousbehci (OrangeWare USB Enhanced Host Controller Service) - C:\WINDOWS\system32\drivers\ousbehci.sys

0R PxHelp20 - C:\WINDOWS\system32\drivers\PxHelp20.sys

3R rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - C:\WINDOWS\system32\drivers\rtl8139.sys

3S SABProcEnum - C:\Program Files\Internet Explorer\SABProcEnum.sys (not found)

0R srescan - C:\WINDOWS\system32\ZoneLabs\srescan.sys

3S usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys

3R usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys

1R vsdatant - C:\WINDOWS\system32\vsdatant.sys

3R wanatw (WAN Miniport (ATW)) - C:\WINDOWS\system32\drivers\wanatw4.sys

3S wg111nd5 (NETGEAR WG111 802.11g Wireless USB Adapter Driver) - C:\WINDOWS\system32\drivers\wg111nd5.sys

3R winachsf - C:\WINDOWS\system32\drivers\hsfcxts2.sys

3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\system32\drivers\WudfPf.sys

3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS\system32\drivers\WudfRd.sys

3R {6080A529-897E-4629-A488-ABA0C29B635E} (Intel® Graphics Platform (SoftBIOS) Driver) - C:\WINDOWS\system32\drivers\ialmsbw.sys

3R {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (Intel® Graphics Chipset (KCH) Driver) - C:\WINDOWS\system32\drivers\ialmkchw.sys

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

4S AOL ACS (AOL Connectivity Service) - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

2R Avg7Alrt (AVG7 Alert Manager Server) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

2R Avg7UpdSvc (AVG7 Update Service) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

2R AVGEMS (AVG E-mail Scanner) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

4S UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe

2R vsmon (TrueVector Internet Monitor) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

2R WANMiniportService (WAN Miniport (ATW) Service) - "C:\WINDOWS\wanmpsvc.exe"

2R Xdrive Service - "C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe"

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2007-04-09 05:00:00 306 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job<SPYBOT~1.JOB>

2007-04-07 15:25:29 548 --a------ C:\WINDOWS\Tasks\Xdrive Backup - Backup Set 1.job<XDRIVE~1.JOB>

 

 

-- Files created between 2007-03-09 and 2007-04-09 -----------------------------

 

2007-04-08 18:07:42 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll

2007-04-08 01:15:06 796 --a------ C:\WINDOWS\system32\tmp.reg

2007-04-08 01:14:31 79360 --a------ C:\WINDOWS\system32\swxcacls.exe

2007-04-08 01:14:30 40960 --a------ C:\WINDOWS\system32\swsc.exe

2007-04-08 01:14:30 135168 --a------ C:\WINDOWS\system32\swreg.exe

2007-04-08 01:14:30 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-04-08 01:14:30 53248 --a------ C:\WINDOWS\system32\Process.exe

2007-04-08 01:14:30 51200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-04-07 20:55:52 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>

2007-04-07 16:04:21 0 d-------- C:\a9de6da54b6c4e208c48<A9DE6D~1>

2007-04-07 16:04:12 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0>

2007-04-07 15:16:52 0 d-------- C:\Documents and Settings\Cecil\Application Data\Xdrive

2007-04-06 23:33:07 4992 --a------ C:\WINDOWS\system32\drivers\loop.sys

2007-04-06 23:30:04 0 d-------- C:\Program Files\Common Files\Merge Modules<MERGEM~1>

2007-04-06 23:29:39 55808 --a------ C:\WINDOWS\system32\zlib1.dll

2007-04-06 23:29:32 0 d-------- C:\Program Files\Xdrive

2007-04-06 23:29:01 0 d-------- C:\Documents and Settings\Cecil\Application Data\InstallShield<INSTAL~1>

2007-04-06 21:05:53 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-04-01 22:24:17 0 d-------- C:\VundoFix Backups<VUNDOF~1>

2007-04-01 00:37:05 0 d-------- C:\HJT Log<HJTLOG~1>

2007-03-27 23:16:59 0 d-------- C:\Program Files\Common Files\DriveCleaner Free<DRIVEC~1>

2007-03-27 23:05:31 1060864 --a------ C:\WINDOWS\system32\MFC71.dll

2007-03-27 23:05:31 89088 --a------ C:\WINDOWS\system32\atl71.dll

2007-03-27 21:16:02 0 --a------ C:\WINDOWS\system32\taskkill.exe

2007-03-27 20:37:40 31844 -----n--- C:\WINDOWS\system32\mljjg.exe

2007-03-25 22:05:37 98304 --a------ C:\WINDOWS\system32\WinFlyer32.dll<WINFLY~1.DLL>

2007-03-25 22:04:29 0 d-------- C:\Documents and Settings\Cecil\Application Data\.wyzo<WYZO~1>

2007-03-25 20:53:39 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>

2007-03-25 20:53:21 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>

2007-03-16 20:00:55 0 d-------- C:\e4d93996ebf690fc2a909c5a7c<E4D939~1>

2007-03-15 22:09:14 0 d-------- C:\My Music<MYMUSI~1>

2007-03-15 22:09:12 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys

2007-03-15 22:08:52 0 d-------- C:\Program Files\Real

2007-03-12 23:37:32 0 d-------- C:\Documents and Settings\Cecil\Application Data\Real

2007-03-12 23:32:45 0 d-------- C:\My Downloads<MYDOWN~1>

2007-03-11 13:28:48 0 dr------- C:\2006 Tax Returns<2006TA~1>

2007-03-11 12:24:24 0 d-------- C:\help

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-04-08 18:08:34 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-04-06 23:32:16 0 d-------- C:\Program Files\Common Files\AOL

2007-04-06 23:29:29 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>

2007-04-06 21:41:24 0 d-------- C:\Documents and Settings\Cecil\Application Data\LimeWire

2007-04-06 21:05:47 0 d-------- C:\Program Files\Grisoft

2007-04-06 20:44:41 0 d---s---- C:\Documents and Settings\Cecil\Application Data\Microsoft<MICROS~1>

2007-04-06 09:54:25 0 d-------- C:\Documents and Settings\Cecil\Application Data\WeatherBug<WEATHE~1>

2007-04-05 21:34:57 0 d-------- C:\Program Files\Java

2007-03-31 22:00:01 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>

2007-03-28 22:30:39 0 d-------- C:\Program Files\PCPitstop<PCPITS~1>

2007-03-22 00:16:40 0 d-------- C:\Program Files\PartyGaming.Net<PARTYG~1.NET>

2007-03-15 22:09:12 0 d-------- C:\Program Files\Common Files\Real

2007-03-08 22:18:14 0 d-------- C:\Program Files\WavMan 11<WAVMAN~1>

2007-03-08 11:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll

2007-03-08 11:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll

2007-03-08 11:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll

2007-03-08 09:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys

2007-03-04 02:57:37 0 d-------- C:\Program Files\NCH Swift Sound<NCHSWI~1>

2007-03-04 02:57:36 0 d-------- C:\Documents and Settings\Cecil\Application Data\NCH Swift Sound<NCHSWI~1>

2007-02-26 00:42:09 0 d-------- C:\Program Files\Camtech

2007-02-24 13:25:00 0 d-------- C:\Program Files\Eusing Free Registry Cleaner<EUSING~1>

2007-02-17 13:21:06 0 d-------- C:\Program Files\GIMPshop

2007-02-11 20:13:15 0 d-------- C:\Program Files\LimeWire

2007-02-09 00:14:26 0 d-------- C:\Documents and Settings\Cecil\Application Data\Viewpoint<VIEWPO~1>

2007-01-29 04:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe

2007-01-14 19:55:21 118784 --a------ C:\WINDOWS\system32\pdfmona.dll

2007-01-14 19:55:20 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll<PDF995~1.DLL>

 

 

-- Registry Dump ---------------------------------------------------------------

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{4D7C8A39-430F-4091-B9BF-3173DFA06DA0}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=dword:00000000

"NoResolveSearch"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

 

 

 

-- Hosts -----------------------------------------------------------------------

 

10.254.254.253 Xdrive

 

 

-- End of ComboScan: finished at 2007-04-09 at 19:43:00 ------------------------

 

 

ComboScan v20070306.20 run by Cecil on 2007-04-09 at 18:59:50

Supplementary logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

 

-- System Information ----------------------------------------------------------

 

Microsoft Windows XP Home Edition (build 2600) SP 2.0

Architecture: X86; Language: English

 

CPU 0: Intel® Celeron® CPU 1.80GHz

Percentage of Memory in Use: 74%

Physical Memory (total/avail): 381.98 MiB / 97.99 MiB

Pagefile Memory (total/avail): 920.79 MiB / 645.36 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1999.38 MiB

 

A: is Removable (No Media)

C: is Fixed (NTFS) - 37.27 GiB total, 10.93 GiB free.

D: is CDROM (No Media)

E: is CDROM (No Media)

 

 

-- Security Center -------------------------------------------------------------

 

AUOptions is scheduled to auto-install.

Windows Internal Firewall is disabled.

 

FW: ZoneAlarm Pro Firewall v7.0.337.000 (Check Point, LTD.)

AV: AVG 7.5.446 v7.5.446 (GRISOFT)

 

 

-- Environment Variables -------------------------------------------------------

 

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Cecil\Application Data

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=YOUR-1RNFG39627

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Cecil

LOGONSERVER=\\YOUR-1RNFG39627

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 3, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0103

ProgramFiles=C:\Program Files

PROMPT=$P$G

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Cecil\LOCALS~1\Temp

TMP=C:\DOCUME~1\Cecil\LOCALS~1\Temp

tvdumpflags=8

USERDOMAIN=YOUR-1RNFG39627

USERNAME=Cecil

USERPROFILE=C:\Documents and Settings\Cecil

windir=C:\WINDOWS

 

 

-- User Profiles ---------------------------------------------------------------

 

Owner (admin)

Cecil (admin)

 

 

-- Add/Remove Programs ---------------------------------------------------------

 

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

-->

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete

Advanced WindowsCare V2 Beta 3.62 --> "C:\Program Files\IObit\Advanced WindowsCare V2\unins000.exe"

America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe

AOL Coach Version 1.0(Build:20030807.3) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe

AusLogics Disk Defrag --> "C:\Program Files\AusLogics Disk Defrag\unins000.exe"

AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe

AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL

BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"

CDCheck --> "C:\Program Files\CDCheck\uninst.exe"

Easy Thumbnails (Remove only) --> "C:\Program Files\Easy Thumbnails\unins000.exe"

EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9

EPSON ESPR220 Reference Guide --> C:\Program Files\epson\guide\spr220_e\uninstall.exe

EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\setup.exe" -l0x9 -SYSTEM

EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R

Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG

Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe

Free Audio Tag --> "C:\Program Files\Free Audio Tag\unins000.exe"

GIMPshop 2.2.8 --> C:\Program Files\GIMPshop\uninst.exe

GoldWave v5.13 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.13" "C:\Program Files\GoldWave\unstall.log"

Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly

Hidden Utilities XP --> MsiExec.exe /I{E4E3B247-9A66-45B0-A624-278A0606B896}

HijackThis 1.99.1 --> C:\HJT Log\HijackThis.exe /uninstall

Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562

Java SE Development Kit 6 Update 1 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160010}

Java SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}

jv16 PowerTools 1.3 --> "C:\Program Files\jv16 PowerTools 2006\unins000.exe"

LimeWire PRO 4.12.3 --> "C:\Program Files\LimeWire\uninstall.exe"

MP3-tag --> "C:\Program Files\MP3-tag\Uninstall.exe" "C:\Program Files\MP3-tag\install.log"

MP3 CD Ripper --> "C:\Program Files\MP3 CD Ripper\unins000.exe"

Nero 6 Ultra Edition -->

NeroVision Express 2 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL

Netscape 6 (6.2.1) --> C:\WINDOWS\N6Uninst.exe /ua "6.2.1 (en)"

Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan

PartyPokerNet --> "C:\Program Files\PartyGaming.Net\PartyPokerNet\Uninstall.exe" "C:\Program Files\PartyGaming.Net\PartyPokerNet\install.log"

PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall

RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0

Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE

Road Runner Medic 5.4 --> "C:\WINDOWS\unins000.exe"

Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"

Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"

Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"

SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"

TaxCut Premium 2006 --> C:\TaxCut06\Program\removetc.exe

Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u

WavMan 11.x --> C:\PROGRA~1\WAVMAN~1\UNWISE.EXE C:\PROGRA~1\WAVMAN~1\INSTALL.LOG

WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG

WebFldrs XP -->

Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}

WinFlyer --> "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,UnInstall

WinPatrol --> C:\WINDOWS\uninst.exe -f"C:\Program Files\BillP Studios\WinPatrol\DeIsL1.isu" -c"C:\Program Files\BillP Studios\WinPatrol\_ISREG32.DLL"

Xdrive Desktop --> C:\Program Files\InstallShield Installation Information\{3FFE825D-777C-4786-855C-C61DFB5591AF}\setup.exe -runfromtemp -l0x0009 -removeonly

Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

ZoneAlarm Pro --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

 

 

-- End of ComboScan: finished at 2007-04-09 at 19:43:00 ------------------------
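An added example, not part of the logs posted above or of ComboScan itself: a small Python parser for the "Files created" listing format used in the log, with a triage pass that flags executables dropped under system32 whose names look machine-generated or which are zero bytes long. The sample lines are copied from the listing above; the heuristics (the vowel-ratio test, the zero-size test and the extension set) are this example's own assumptions and produce leads for a reviewer, not verdicts.

```python
"""Parse and triage a ComboScan "Files created" listing.
Added example for this thread; not part of ComboScan, HijackThis or the post.
Line shape:  YYYY-MM-DD HH:MM:SS <size> <9 attribute flags> <path>[<8.3 alias>]
The heuristics are this example's own assumptions and give leads, not verdicts.
"""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+?)(?:<(?P<alias>[^<>]+)>)?$"
)
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}
SYSTEM32 = r"c:\windows\system32"

@dataclass
class Entry:
    created: datetime
    size: int
    attrs: str              # e.g. "--a------", "d--------", "-----n---"
    path: str
    alias: Optional[str]    # 8.3 short name ComboScan appends in <...>

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def name(self) -> str:
        return ntpath.basename(self.path)

def parse_listing(text: str) -> List[Entry]:
    """One Entry per listing line; section headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                 int(m["size"]), m["attrs"], m["path"], m["alias"]))
    return entries

def looks_generated(stem: str) -> bool:
    """Assumed heuristic: fewer than 20% vowels in a name of four or more letters."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2

def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Executables under system32 with a machine-looking name or a zero size."""
    findings = []
    for e in entries:
        stem, ext = ntpath.splitext(e.name)
        if e.is_dir or ext.lower() not in EXEC_EXTENSIONS:
            continue
        if not ntpath.dirname(e.path).lower().startswith(SYSTEM32):
            continue
        reasons = []
        if looks_generated(stem):
            reasons.append("machine-looking file name")
        if e.size == 0:
            reasons.append("zero-byte executable")
        if reasons:
            findings.append((e, reasons))
    return findings

# Constructed sample: a subset of the lines from the listing above.
SAMPLE_LISTING = r"""
-- Files created between 2007-03-09 and 2007-04-09 -----------------------------

2007-04-08 18:07:42 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-04-08 01:15:06 796 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-08 01:14:30 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-07 20:55:52 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-06 23:33:07 4992 --a------ C:\WINDOWS\system32\drivers\loop.sys
2007-03-27 23:05:31 1060864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-03-27 21:16:02 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-03-27 20:37:40 31844 -----n--- C:\WINDOWS\system32\mljjg.exe
2007-03-25 22:05:37 98304 --a------ C:\WINDOWS\system32\WinFlyer32.dll<WINFLY~1.DLL>
2007-03-25 22:04:29 0 d-------- C:\Documents and Settings\Cecil\Application Data\.wyzo<WYZO~1>
"""

if __name__ == "__main__":
    for entry, reasons in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{entry.created:%Y-%m-%d %H:%M}  {entry.path}  [{', '.join(reasons)}]")
```

Run stand-alone it prints the two sample lines it flags. On a full listing the vowel test will also catch short legitimate names (driver and vendor names often have few vowels), so treat each hit as something to hash and look up, as was done for MFC71.dll later in this thread, rather than as a file to delete.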


STATUS: FINISHED

Complete scanning result of "MFC71.dll", received in VirusTotal at 04.10.2007, 05:13:43 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.4.10.0 04.09.2007 no virus found

AntiVir 7.3.1.48 04.09.2007 no virus found

Authentium 4.93.8 04.09.2007 no virus found

Avast 4.7.936.0 04.08.2007 no virus found

AVG 7.5.0.447 04.10.2007 no virus found

BitDefender 7.2 04.10.2007 no virus found

CAT-QuickHeal 9.00 04.09.2007 no virus found

ClamAV devel-20070312 04.09.2007 no virus found

DrWeb 4.33 04.09.2007 no virus found

eSafe 7.0.15.0 04.09.2007 no virus found

eTrust-Vet 30.7.3556 04.09.2007 no virus found

Ewido 4.0 04.09.2007 no virus found

FileAdvisor 1 04.10.2007 No threat detected

Fortinet 2.85.0.0 04.10.2007 no virus found

F-Prot 4.3.1.45 04.08.2007 no virus found

F-Secure 6.70.13030.0 04.09.2007 no virus found

Ikarus T3.1.1.3 04.09.2007 no virus found

Kaspersky 4.0.2.24 04.10.2007 no virus found

McAfee 5004 04.09.2007 no virus found

Microsoft 1.2405 04.10.2007 no virus found

NOD32v2 2175 04.09.2007 no virus found

Norman 5.80.02 04.09.2007 no virus found

Panda 9.0.0.4 04.09.2007 no virus found

Prevx1 V2 04.10.2007 no virus found

Sophos 4.16.0 04.06.2007 no virus found

Sunbelt 2.2.907.0 04.07.2007 no virus found

Symantec 10 04.10.2007 no virus found

TheHacker 6.1.6.088 04.09.2007 no virus found

VBA32 3.11.3 04.09.2007 no virus found

VirusBuster 4.3.7:9 04.09.2007 no virus found

Webwasher-Gateway 6.0.1 04.10.2007 no virus found

 

 

Additional Information

File size: 1060864 bytes

MD5: 1fd3f9722119bdf7b8cff0ecd1e84ea6

SHA1: 9a4faa258b375e173feaca91a8bd920baf1091eb

Bit9 info: http://fileadvisor.bit9.com/services/extin...8cff0ecd1e84ea6

 

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


NascarFan19, download OTMoveIt from here:

http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

     

    C:\WINDOWS\system32\mljjg.exe

    C:\WINDOWS\system32\WinFlyer32.dll

    C:\DOCUME~1\Cecil\APPLIC~1\.wyzo

     

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
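The procedure above, as an added Python example that is not OTMoveIt's own code and makes no claim about that tool's internals: it takes the same pasted list of paths, moves each item under a quarantine folder with its original path mirrored beneath it, records MD5/SHA-1 before the move so a quarantined file can still be looked up by hash, and produces the results text to paste back. A file locked by a running process is handed to MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, which is what makes the "reboot to finish the move" step possible; that call exists only on Windows and needs an administrator account, and on other systems the item is simply reported as an error. The demo() scratch tree and its dummy file contents are constructed for the example.

```python
"""Quarantine-move a pasted list of paths and log what happened.
Added example for the procedure in the reply above; not OTMoveIt's code.
Windows-only step: MoveFileExW(MOVEFILE_DELAY_UNTIL_REBOOT) for locked items.
"""
import ctypes
import hashlib
import os
import shutil
from dataclasses import dataclass
from pathlib import Path, PureWindowsPath
from typing import List

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # winbase.h; needs an administrator token

@dataclass
class MoveResult:
    source: str
    destination: str
    status: str          # moved | missing | deferred-to-reboot | error
    md5: str = ""
    sha1: str = ""
    detail: str = ""

def parse_path_list(text: str) -> List[str]:
    """One path per line, as pasted; blank lines are ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def file_hashes(path) -> tuple:
    """MD5 and SHA-1, taken before the move so the file can still be looked up."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def quarantine_destination(root, source: str) -> Path:
    """Mirror the original path under root (C:\\WINDOWS\\x -> root/C/WINDOWS/x)
    so the item can be put back if it turns out to be legitimate."""
    p = PureWindowsPath(source)          # accepts both \ and / separators
    top = p.drive.rstrip(":") or "root"
    return Path(root).joinpath(top, *(p.parts[1:] if p.anchor else p.parts))

def schedule_move_at_reboot(src: str, dest: Path) -> bool:
    """Ask Windows to finish the move at the next restart (Windows only)."""
    if os.name != "nt":
        return False
    dest.parent.mkdir(parents=True, exist_ok=True)  # must exist at boot time
    return bool(ctypes.windll.kernel32.MoveFileExW(src, str(dest), MOVEFILE_DELAY_UNTIL_REBOOT))

def quarantine(paths: List[str], root) -> List[MoveResult]:
    results = []
    for src in paths:
        if not os.path.lexists(src):
            results.append(MoveResult(src, "", "missing"))
            continue
        dest = quarantine_destination(root, src)
        md5 = sha1 = ""
        if os.path.isfile(src):
            try:
                md5, sha1 = file_hashes(src)
            except OSError:
                pass                     # exclusively locked; still try to move it
        try:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(src, str(dest))
            results.append(MoveResult(src, str(dest), "moved", md5, sha1))
        except OSError as exc:          # in use: defer to reboot, else report
            status = "deferred-to-reboot" if schedule_move_at_reboot(src, dest) else "error"
            results.append(MoveResult(src, str(dest), status, md5, sha1, str(exc)))
    return results

def format_results(results: List[MoveResult]) -> str:
    """The text to paste back into the thread: one line per item."""
    out = []
    for r in results:
        line = f"{r.status:<19} {r.source}" + (f" -> {r.destination}" if r.destination else "")
        line += f"  md5={r.md5} sha1={r.sha1}" if r.md5 else ""
        out.append(line + (f"  ({r.detail})" if r.detail else ""))
    return "\n".join(out)

def demo() -> List[MoveResult]:
    """Constructed scratch tree standing in for the paths listed above, plus one
    path that does not exist.  The file contents are dummies, not real binaries."""
    import tempfile
    scratch = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    sys32 = scratch / "system32"
    sys32.mkdir()
    (sys32 / "mljjg.exe").write_bytes(b"MZ dummy sample")
    (sys32 / "WinFlyer32.dll").write_bytes(b"MZ dummy sample dll")
    wyzo = scratch / "Application Data" / ".wyzo"
    wyzo.mkdir(parents=True)
    pasted = "\n".join([str(sys32 / "mljjg.exe"), str(sys32 / "WinFlyer32.dll"),
                        str(wyzo), str(sys32 / "does-not-exist.exe")])
    return quarantine(parse_path_list(pasted), scratch / "_quarantine")

if __name__ == "__main__":
    print(format_results(demo()))
```

Moving a file does nothing about whatever launches it: an autostart entry that points at a quarantined path will simply fail at logon, which is harmless but still worth cleaning up. Keep the quarantine folder until the thread is closed so a misidentified file can be put back at its mirrored path.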
