Reagan72
-
Posts
88 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Everything posted by Reagan72
-
thanks, I have. I will let you know how things went
-
SOrry for not getting back at you sooner.(it wasnt possible) I've decided to come up with 5 more discs, run the recovery cd creator and try a full system recovery.
-
I was actually thinking do a full restore-I was going to use the recovery cd creator,but I need 5 more discs. if we can try to continue to fix the problem I'd rather do that p.s. what you suggested in your 2nd to last post- I could'nt do it
-
nvm I found it, i didnt think it'd be so dayum expensive though-this has been a somewhat depressing day
-
what would i look for at newegg.com, I put in windows xp in the search and a whole bunch of other stuff came up?
-
okay retail xp i guess-compaq presario s3000nx
-
Sometimes not even 5 minutes, other times, maybe 20-30 minutes. Sometimes it wont come on for hours or not at all. No unfortunately i do not have the windows xp cd. Is that something I can obtain online? Oh, task manager still doesnt work and 2 new apps are still present in c:\ "8u1e5q9s9y8.exe" and "i4p5a1y7a7s7.exe"
-
dayum computer keeps restarting-wont give me a chance to reply all in one post. It keeps restarting with that NT authority/system message. I took a pic so I now have the message in front of me. It reads: This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM Time before shutdown: (i think it starts at 59, when i took the picture I captured it at 15 seconds) Message The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 0. The system will now shutdown and restart. Anyways... I ran into a few problems when I attempted to follow your instructions. Lets see if I can remember them now... In hijackthis, when I went to fix what you told me to, O4 - HKLM\..\Run: [lsass.exe] C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe O4 - HKLM\..\Run: [FmMgr.exe] C:\WINDOWS\system32\drivers\FmMgr.exe were both gone. I did however 'fix' the rest without any problems.(at least to my knowledge, I think so) Then when I went to do Avenger, when it wanted to reboot, it started to and got stuck at 'closing network connections' longer than I've ever seen the machine stuck at that part after any kind of scan or whatever Avenger does. So i held the power button 'til it shut off. I turned it back on and a logfile came up. To me it seemed like it deleted everything successfully, though I do recall seeing the word "failed" a few times here and there. Anyways, I went to run MBAM and when it wanted to reboot, it got stuck at 'closing network connections' again. So I just held the button again until it shut off. When It booted up again. I ran MBAM again just in case, and it found nothing. As you can see I posted both logs. I did however not find the first avenger log, the really detailed one. I ran Avenger again and the results are showed in the log I posted.
-
Malwarebytes' Anti-Malware 1.28 Database version: 1226 Windows 5.1.2600 Service Pack 1 10/3/2008 5:27:40 PM mbam-log-2008-10-03 (17-27-40).txt Scan type: Quick Scan Objects scanned: 54525 Time elapsed: 7 minute(s), 48 second(s) Memory Processes Infected: 0 Memory Modules Infected: 4 Registry Keys Infected: 11 Registry Values Infected: 4 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 19 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot. C:\Program Files\Messenger\msgmr.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\7ADC2AB1.dll (Spyware.OnlineGames) -> Delete on reboot. Registry Keys Infected: HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-293d48b2ae99} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{7adc2ab1-5c6a-4178-82da-94863354af7c} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\msnmsg (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7adc2ab1-5c6a-4178-82da-94863354af7c} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HBService32 (Trojan.Agent) -> Delete on reboot. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot. C:\Program Files\Messenger\msgmr.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\7ADC2AB1.dll (Spyware.OnlineGames) -> Delete on reboot. C:\Documents and Settings\Owner\Local Settings\Temp\15.cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DYZW52N\05[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DYZW52N\17[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DYZW52N\19[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DYZW52N\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GD2DESJ8\15[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GD2DESJ8\99[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QNE9INM5\13[2].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QNE9INM5\14[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QNE9INM5\18[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QNE9INM5\20[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VMGX3KOX\16[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\drivers\HBKernel32.sys (Backdoor.Bot) -> Delete on reboot. C:\WINDOWS\Photo_14301.zip (Backdoor.Bot) -> Quarantined and deleted successfully. Malwarebytes' Anti-Malware 1.28 Database version: 1226 Windows 5.1.2600 Service Pack 1 10/3/2008 5:48:32 PM mbam-log-2008-10-03 (17-48-32).txt Scan type: Quick Scan Objects scanned: 54298 Time elapsed: 7 minute(s), 22 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
-
Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. Hidden driver "nvmini" found! DisplayName: NVIDIA Compatible Windows Miniport Driver ImagePath: system32\DRIVERS\nvmini.sys Start Type: 2 (Automatic) Rootkit scan completed. Error: file "c:\8b4l8r9h1v9.exe" not found! Deletion of file "c:\8b4l8r9h1v9.exe" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist File "C:\WINDOWS\system32\drivers\etc\hosts" deleted successfully. Error: file "c:\windows\system32\drivers\PrdMgr.exe" not found! Deletion of file "c:\windows\system32\drivers\PrdMgr.exe" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBmhly.dll" not found! Deletion of file "c:\windows\system32\HBmhly.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HB1000Y.dll" not found! Deletion of file "c:\windows\system32\HB1000Y.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBXY2.dll" not found! Deletion of file "c:\windows\system32\HBXY2.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBSO2.dll" not found! Deletion of file "c:\windows\system32\HBSO2.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBFY.dll" not found! Deletion of file "c:\windows\system32\HBFY.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBFY.dll" not found! Deletion of file "c:\windows\system32\HBFY.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBKDXY.dll" not found! Deletion of file "c:\windows\system32\HBKDXY.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBZHUXIAN.dll" not found! Deletion of file "c:\windows\system32\HBZHUXIAN.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBBO.dll" not found! Deletion of file "c:\windows\system32\HBBO.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBCONQUER.dll" not found! Deletion of file "c:\windows\system32\HBCONQUER.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBSOUL.dll" not found! Deletion of file "c:\windows\system32\HBSOUL.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBCHIBI.dll" not found! Deletion of file "c:\windows\system32\HBCHIBI.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBCT.dll" not found! Deletion of file "c:\windows\system32\HBCT.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBQQSG.dll" not found! Deletion of file "c:\windows\system32\HBQQSG.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\HBQQFFO.dll" not found! Deletion of file "c:\windows\system32\HBQQFFO.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\system32\drivers\regvcs.exe" not found! Deletion of file "C:\WINDOWS\system32\drivers\regvcs.exe" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\547661CQWZ.exe" not found! Deletion of file "C:\WINDOWS\547661CQWZ.exe" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe" not found! Deletion of file "C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\system32\drivers\FmMgr.exe" not found! Deletion of file "C:\WINDOWS\system32\drivers\FmMgr.exe" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. ******************* Finished! Terminate. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:03:50 PM, on 10/3/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\drivers\LBTWiz.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\pchealth\helpctr\binaries\VTskMgr.exe c:\i4p5a1y7a7s7.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\LBTWiz.exe O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [LBTWiz.exe] C:\WINDOWS\system32\drivers\LBTWiz.exe O4 - HKLM\..\Run: [VTskMgr.exe] C:\WINDOWS\pchealth\helpctr\binaries\VTskMgr.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 3448 bytes
-
My apologies AS and thank you for your patience. As you might have read in earlier posts, there was someone who wouldnt cooperate with staying off the machine while I was trying to fix it. Waiting for my probation to end seemed like my best bet-with what me wanting to express how I felt about the situation to that person(and that seeming to be the only solution to get cooperation). Serious consequences would've been handed down to me by the law had I not waited and violated probation. Probation was up Friday, did what I had to do-you can imagine I got into a little trouble. Anyways, sorry for the inconvenience-there shall be no more interuptions.(hopefully) While I was away, mom was using the computer. 4 new apps appeared in c:\, and task manager doesnt work. Other than that, everything is fine Im not quite sure if you understood what I was trying to tell you in my last post so I just went and did MBAM(let it reboot) and ran hijackthis Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:07:33 PM, on 10/2/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\drivers\PrdMgr.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe C:\WINDOWS\system32\drivers\FmMgr.exe c:\8b4l8r9h1v9.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\System32\wbem\wmiprvse.exe F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\PrdMgr.exe O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn O1 - Hosts: 127.1 61.134.37.12 O1 - Hosts: 127.1 ko.ssa387.cn O1 - Hosts: 127.1 www.ndxrr.cn O1 - Hosts: 127.1 12345.ssa387.cn O1 - Hosts: 127.1 lihai88.com O1 - Hosts: 127.1 wwwwhf.cn O1 - Hosts: 127.1 a89369093.sq.u9idc.com O1 - Hosts: 127.1 www.mmd178.cn O1 - Hosts: 127.1 www.178mmd.cn O1 - Hosts: 127.1 www.wenzhuoyyy.cn O1 - Hosts: 127.1 tw.lovechina.tw.cn O1 - Hosts: 127.1 222.189.238.151 O1 - Hosts: 127.1 222.179.185.78 O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 593ffcey.cn O1 - Hosts: 127.1 set.yay520.cn O1 - Hosts: 127.1 tenmoc999.cn O1 - Hosts: 127.1 lihai88.com O1 - Hosts: 127.1 121.kcuf-01.com O1 - Hosts: 127.1 www.ew1q.cn O1 - Hosts: 127.1 www.b3sk.cn O1 - Hosts: 127.1 up.bizmd.cn O1 - Hosts: 127.1 www.ms2a.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 www.fgetchr.cn O1 - Hosts: 127.1 www.e6zx.cn O1 - Hosts: 127.1 hai067.com O1 - Hosts: 127.1 hai088.com O1 - Hosts: 127.1 778899.jd8j.cn O1 - Hosts: 127.1 sql.78-11.net O1 - Hosts: 127.1 www.bbbirdy.com O1 - Hosts: 127.1 www.s1na1.com.cn O1 - Hosts: 127.1 www.dianyinjzd.cn O1 - Hosts: 127.1 www.dj5201314dj.com O1 - Hosts: 127.1 max-2.cn O1 - Hosts: 127.1 a.asp-o.cn O1 - Hosts: 127.1 b.asp-o.cn O1 - Hosts: 127.1 c.asp-o.cn O1 - Hosts: 127.1 x.kprobb.cn O1 - Hosts: 127.1 js.php-k.cn O1 - Hosts: 127.1 max-1.cn O1 - Hosts: 127.1 max-3.cn O1 - Hosts: 127.1 max-4.cn O1 - Hosts: 127.1 max-5.cn O1 - Hosts: 127.1 max-6.cn O1 - Hosts: 127.1 max-7.cn O1 - Hosts: 127.1 max-8.cn O1 - Hosts: 127.1 max-9.cn O1 - Hosts: 127.1 max-10.cn O1 - Hosts: 127.1 max-11.cn O1 - Hosts: 127.1 max-12.cn O1 - Hosts: 127.1 twocannon250.com.cn O1 - Hosts: 127.1 www.133mm.cn O1 - Hosts: 127.1 www.51vmm.cn O1 - Hosts: 127.1 www.7mmoo.cn O1 - Hosts: 127.1 www.99mmm.org.cn O1 - Hosts: 127.1 www.hdec.cn O1 - Hosts: 127.1 www.picc18.com O1 - Hosts: 127.1 www.kissdh.com O1 - Hosts: 127.1 www.x7v.cn O1 - Hosts: 127.1 biqulu.cn O1 - Hosts: 127.1 2008.qq2006.com.cn O1 - Hosts: 127.1 giaitrisex.com O1 - Hosts: 127.1 www.giaitrisex.com O1 - Hosts: 127.1 www.giaitrituoitre.net O1 - Hosts: 127.1 mekiep.com O1 - Hosts: 127.1 www.1sex1day.com O1 - Hosts: 127.1 a.9ymm.com O1 - Hosts: 127.1 bobo.7wyt.com O1 - Hosts: 127.1 www.591caobi.cn O1 - Hosts: 127.1 www.hrz008.cn O1 - Hosts: 127.1 asp-15.cn O1 - Hosts: 127.1 asp-12.cn O1 - Hosts: 127.1 www.jb88.net O1 - Hosts: 127.1 6.a88a.com O1 - Hosts: 127.1 w.b2c3.cn O1 - Hosts: 127.1 m.c5x8.com O1 - Hosts: 127.1 www.518sfw.cn O1 - Hosts: 127.1 www.jjyyzmj.cn O1 - Hosts: 127.1 u.cnmrx.net O1 - Hosts: 127.1 duowan.czm.cn O1 - Hosts: 127.1 xccxcxcxcxcx.cn O1 - Hosts: 127.1 google-yahoo.org.cn O1 - Hosts: 127.1 tudou-net.org.cn O1 - Hosts: 127.1 downloads.zango.com O1 - Hosts: 127.1 ftp.surfnet.nl O1 - Hosts: 127.1 bis.180solutions.com O1 - Hosts: 127.1 installs.hotbar.com O1 - Hosts: 127.1 www.hbdownloads.com O1 - Hosts: 127.1 static.zangocash.com O1 - Hosts: 127.1 www.qq-songli.cn O1 - Hosts: 127.1 aa.9234.net O1 - Hosts: 127.1 www.97love.info O1 - Hosts: 127.1 97love.info O1 - Hosts: 127.1 www.zyzhuiku.cn O1 - Hosts: 127.1 zyzhuiku.cn O1 - Hosts: 127.1 www.lang18.com O1 - Hosts: 127.1 lang18.com O1 - Hosts: 127.1 sao6666.com O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe O4 - HKLM\..\Run: [WinWZSys] C:\WINDOWS\547661CQWZ.exe O4 - HKLM\..\Run: [lsass.exe] C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe O4 - HKLM\..\Run: [FmMgr.exe] C:\WINDOWS\system32\drivers\FmMgr.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBB O.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBCT.dll,HBQQSG.dll,HBQQFFO.dll O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 7250 bytes
-
Thanks AS, [problem] In etc, I tried to delete the host file but it didnt look like I was successful. I right-clicked on it and clicked on delete then the message: the file 'hosts' is a system file. If you remove it, your computer, or one of your programs may no longer work correctly. Are you sure you want to move it to the recycling bin?" came up. I said yes and then the message disappeared but the hosts file never left. I did this again and went to the recycling bin to see what was there. Sure enough there were two identical copies of the hosts file so I deleted them from the bin. I clicked back on the etc folder and the hosts file was still there. My new hosts file I created in notepad is there too, with a .txt extension. Read-only in properties too. The newly creatd hosts file's icon is like that of anyother file created in notepad. The old hosts file however has that paper with the fold in the corner and the little window on it icon. I also didnt reboot right after I hikacked this because you never said to and you were pretty thorough. MBAM: alwarebytes' Anti-Malware 1.28 Database version: 1209 Windows 5.1.2600 Service Pack 1 9/26/2008 7:46:14 AM mbam-log-2008-09-26 (07-46-14).txt Scan type: Quick Scan Objects scanned: 53995 Time elapsed: 8 minute(s), 36 second(s) Memory Processes Infected: 0 Memory Modules Infected: 5 Registry Keys Infected: 11 Registry Values Infected: 6 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 17 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot. C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Delete on reboot. C:\Program Files\Messenger\msgmr.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot. Registry Keys Infected: HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-293d48b2ae99} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\msnmsg (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HBService32 (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsysw (Spyware.OnlineGames) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot. C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Delete on reboot. C:\Program Files\Messenger\msgmr.dll (Trojan.Agent) -> Delete on reboot. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2HSTGFW7\20[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2VOH61EP\22[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2VOH61EP\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EB4JE9A9\18[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EB4JE9A9\21[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HJJXZLRG\05[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HJJXZLRG\19[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\drivers\HBKernel32.sys (Backdoor.Bot) -> Delete on reboot. C:\WINDOWS\547661L.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\E.tmp (Trojan.FakeAlert) -> Delete on reboot. C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot. HIJACKTHIS: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:51:14 AM, on 9/26/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\drivers\regvcs.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\System32\svchost.exe c:\3j5r5e3j6c2.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn O1 - Hosts: 127.1 61.134.37.12 O1 - Hosts: 127.1 ko.ssa387.cn O1 - Hosts: 127.1 www.ndxrr.cn O1 - Hosts: 127.1 12345.ssa387.cn O1 - Hosts: 127.1 lihai88.com O1 - Hosts: 127.1 wwwwhf.cn O1 - Hosts: 127.1 a89369093.sq.u9idc.com O1 - Hosts: 127.1 www.mmd178.cn O1 - Hosts: 127.1 www.178mmd.cn O1 - Hosts: 127.1 www.wenzhuoyyy.cn O1 - Hosts: 127.1 tw.lovechina.tw.cn O1 - Hosts: 127.1 222.189.238.151 O1 - Hosts: 127.1 222.179.185.78 O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 593ffcey.cn O1 - Hosts: 127.1 set.yay520.cn O1 - Hosts: 127.1 tenmoc999.cn O1 - Hosts: 127.1 lihai88.com O1 - Hosts: 127.1 121.kcuf-01.com O1 - Hosts: 127.1 www.ew1q.cn O1 - Hosts: 127.1 www.b3sk.cn O1 - Hosts: 127.1 up.bizmd.cn O1 - Hosts: 127.1 www.ms2a.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 www.fgetchr.cn O1 - Hosts: 127.1 www.e6zx.cn O1 - Hosts: 127.1 hai067.com O1 - Hosts: 127.1 hai088.com O1 - Hosts: 127.1 778899.jd8j.cn O1 - Hosts: 127.1 sql.78-11.net O1 - Hosts: 127.1 www.bbbirdy.com O1 - Hosts: 127.1 www.s1na1.com.cn O1 - Hosts: 127.1 www.dianyinjzd.cn O1 - Hosts: 127.1 www.dj5201314dj.com O1 - Hosts: 127.1 max-2.cn O1 - Hosts: 127.1 a.asp-o.cn O1 - Hosts: 127.1 b.asp-o.cn O1 - Hosts: 127.1 c.asp-o.cn O1 - Hosts: 127.1 x.kprobb.cn O1 - Hosts: 127.1 js.php-k.cn O1 - Hosts: 127.1 max-1.cn O1 - Hosts: 127.1 max-3.cn O1 - Hosts: 127.1 max-4.cn O1 - Hosts: 127.1 max-5.cn O1 - Hosts: 127.1 max-6.cn O1 - Hosts: 127.1 max-7.cn O1 - Hosts: 127.1 max-8.cn O1 - Hosts: 127.1 max-9.cn O1 - Hosts: 127.1 max-10.cn O1 - Hosts: 127.1 max-11.cn O1 - Hosts: 127.1 max-12.cn O1 - Hosts: 127.1 twocannon250.com.cn O1 - Hosts: 127.1 www.133mm.cn O1 - Hosts: 127.1 www.51vmm.cn O1 - Hosts: 127.1 www.7mmoo.cn O1 - Hosts: 127.1 www.99mmm.org.cn O1 - Hosts: 127.1 www.hdec.cn O1 - Hosts: 127.1 www.picc18.com O1 - Hosts: 127.1 www.kissdh.com O1 - Hosts: 127.1 www.x7v.cn O1 - Hosts: 127.1 biqulu.cn O1 - Hosts: 127.1 2008.qq2006.com.cn O1 - Hosts: 127.1 giaitrisex.com O1 - Hosts: 127.1 www.giaitrisex.com O1 - Hosts: 127.1 www.giaitrituoitre.net O1 - Hosts: 127.1 mekiep.com O1 - Hosts: 127.1 www.1sex1day.com O1 - Hosts: 127.1 a.9ymm.com O1 - Hosts: 127.1 bobo.7wyt.com O1 - Hosts: 127.1 www.591caobi.cn O1 - Hosts: 127.1 www.hrz008.cn O1 - Hosts: 127.1 asp-15.cn O1 - Hosts: 127.1 asp-12.cn O1 - Hosts: 127.1 www.jb88.net O1 - Hosts: 127.1 6.a88a.com O1 - Hosts: 127.1 w.b2c3.cn O1 - Hosts: 127.1 m.c5x8.com O1 - Hosts: 127.1 www.518sfw.cn O1 - Hosts: 127.1 www.jjyyzmj.cn O1 - Hosts: 127.1 u.cnmrx.net O1 - Hosts: 127.1 duowan.czm.cn O1 - Hosts: 127.1 xccxcxcxcxcx.cn O1 - Hosts: 127.1 google-yahoo.org.cn O1 - Hosts: 127.1 tudou-net.org.cn O1 - Hosts: 127.1 downloads.zango.com O1 - Hosts: 127.1 ftp.surfnet.nl O1 - Hosts: 127.1 bis.180solutions.com O1 - Hosts: 127.1 installs.hotbar.com O1 - Hosts: 127.1 www.hbdownloads.com O1 - Hosts: 127.1 static.zangocash.com O1 - Hosts: 127.1 www.qq-songli.cn O1 - Hosts: 127.1 aa.9234.net O1 - Hosts: 127.1 www.97love.info O1 - Hosts: 127.1 97love.info O1 - Hosts: 127.1 www.zyzhuiku.cn O1 - Hosts: 127.1 zyzhuiku.cn O1 - Hosts: 127.1 www.lang18.com O1 - Hosts: 127.1 lang18.com O1 - Hosts: 127.1 sao6666.com O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe O4 - HKLM\..\Run: [WinWZSys] C:\WINDOWS\547661CQWZ.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBSO2.dll,HBFY.dll,HBCONQUER.dll,HBSOUL.dll,HBC HIBI.dll,HBCT.dll,HBQQSG.dll,HBQQFFO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 6797 bytes task manager still isnt working but pc is running ok, just a little slow getting to this page
-
Thanks Raid, my heart goes out to you and your family. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:59:35 PM, on 9/25/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\drivers\regvcs.exe C:\WINDOWS\system32\spoolsv.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\wanmpsvc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn O1 - Hosts: 127.1 61.134.37.12 O1 - Hosts: 127.1 ko.ssa387.cn O1 - Hosts: 127.1 www.ndxrr.cn O1 - Hosts: 127.1 12345.ssa387.cn O1 - Hosts: 127.1 lihai88.com O1 - Hosts: 127.1 wwwwhf.cn O1 - Hosts: 127.1 a89369093.sq.u9idc.com O1 - Hosts: 127.1 www.mmd178.cn O1 - Hosts: 127.1 www.178mmd.cn O1 - Hosts: 127.1 www.wenzhuoyyy.cn O1 - Hosts: 127.1 tw.lovechina.tw.cn O1 - Hosts: 127.1 222.189.238.151 O1 - Hosts: 127.1 222.179.185.78 O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 593ffcey.cn O1 - Hosts: 127.1 set.yay520.cn O1 - Hosts: 127.1 tenmoc999.cn O1 - Hosts: 127.1 lihai88.com O1 - Hosts: 127.1 121.kcuf-01.com O1 - Hosts: 127.1 www.ew1q.cn O1 - Hosts: 127.1 www.b3sk.cn O1 - Hosts: 127.1 up.bizmd.cn O1 - Hosts: 127.1 www.ms2a.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 www.fgetchr.cn O1 - Hosts: 127.1 www.e6zx.cn O1 - Hosts: 127.1 hai067.com O1 - Hosts: 127.1 hai088.com O1 - Hosts: 127.1 778899.jd8j.cn O1 - Hosts: 127.1 sql.78-11.net O1 - Hosts: 127.1 www.bbbirdy.com O1 - Hosts: 127.1 www.s1na1.com.cn O1 - Hosts: 127.1 www.dianyinjzd.cn O1 - Hosts: 127.1 www.dj5201314dj.com O1 - Hosts: 127.1 max-2.cn O1 - Hosts: 127.1 a.asp-o.cn O1 - Hosts: 127.1 b.asp-o.cn O1 - Hosts: 127.1 c.asp-o.cn O1 - Hosts: 127.1 x.kprobb.cn O1 - Hosts: 127.1 js.php-k.cn O1 - Hosts: 127.1 max-1.cn O1 - Hosts: 127.1 max-3.cn O1 - Hosts: 127.1 max-4.cn O1 - Hosts: 127.1 max-5.cn O1 - Hosts: 127.1 max-6.cn O1 - Hosts: 127.1 max-7.cn O1 - Hosts: 127.1 max-8.cn O1 - Hosts: 127.1 max-9.cn O1 - Hosts: 127.1 max-10.cn O1 - Hosts: 127.1 max-11.cn O1 - Hosts: 127.1 max-12.cn O1 - Hosts: 127.1 twocannon250.com.cn O1 - Hosts: 127.1 www.133mm.cn O1 - Hosts: 127.1 www.51vmm.cn O1 - Hosts: 127.1 www.7mmoo.cn O1 - Hosts: 127.1 www.99mmm.org.cn O1 - Hosts: 127.1 www.hdec.cn O1 - Hosts: 127.1 www.picc18.com O1 - Hosts: 127.1 www.kissdh.com O1 - Hosts: 127.1 www.x7v.cn O1 - Hosts: 127.1 biqulu.cn O1 - Hosts: 127.1 2008.qq2006.com.cn O1 - Hosts: 127.1 giaitrisex.com O1 - Hosts: 127.1 www.giaitrisex.com O1 - Hosts: 127.1 www.giaitrituoitre.net O1 - Hosts: 127.1 mekiep.com O1 - Hosts: 127.1 www.1sex1day.com O1 - Hosts: 127.1 a.9ymm.com O1 - Hosts: 127.1 bobo.7wyt.com O1 - Hosts: 127.1 www.591caobi.cn O1 - Hosts: 127.1 www.hrz008.cn O1 - Hosts: 127.1 asp-15.cn O1 - Hosts: 127.1 asp-12.cn O1 - Hosts: 127.1 www.jb88.net O1 - Hosts: 127.1 6.a88a.com O1 - Hosts: 127.1 w.b2c3.cn O1 - Hosts: 127.1 m.c5x8.com O1 - Hosts: 127.1 www.518sfw.cn O1 - Hosts: 127.1 www.jjyyzmj.cn O1 - Hosts: 127.1 u.cnmrx.net O1 - Hosts: 127.1 duowan.czm.cn O1 - Hosts: 127.1 xccxcxcxcxcx.cn O1 - Hosts: 127.1 google-yahoo.org.cn O1 - Hosts: 127.1 tudou-net.org.cn O1 - Hosts: 127.1 downloads.zango.com O1 - Hosts: 127.1 ftp.surfnet.nl O1 - Hosts: 127.1 bis.180solutions.com O1 - Hosts: 127.1 installs.hotbar.com O1 - Hosts: 127.1 www.hbdownloads.com O1 - Hosts: 127.1 static.zangocash.com O1 - Hosts: 127.1 www.qq-songli.cn O1 - Hosts: 127.1 aa.9234.net O1 - Hosts: 127.1 www.97love.info O1 - Hosts: 127.1 97love.info O1 - Hosts: 127.1 www.zyzhuiku.cn O1 - Hosts: 127.1 zyzhuiku.cn O1 - Hosts: 127.1 www.lang18.com O1 - Hosts: 127.1 lang18.com O1 - Hosts: 127.1 sao6666.com O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe O4 - HKLM\..\Run: [WinWZSys] C:\WINDOWS\547661CQWZ.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBFY.dll,HBCONQUER.dll,HBSOUL.dll,HBCT.dll,HBQQ SG.dll,HBQQFFO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 7129 bytes pc is running a little better, task manager is running this time around, there is a new app in c:, I believe I mentioned it in the above post and I already uploaded it to the site
-
I dont think so Raid... Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:51:33 PM, on 9/22/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\HP\KBD\KBD.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\system32\drivers\regvcs.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\mduaeyk.exe c:\3j5r5e3j6c2.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\System32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 vt0r48p760.cn O1 - Hosts: 127.1 www.1txx.com O1 - Hosts: 127.1 www.myovec.cn O1 - Hosts: 127.1 po.uc-us.cn O1 - Hosts: 127.1 219.139.83.20 O1 - Hosts: 127.1 www.msj007.cn O1 - Hosts: 127.1 www.wyf009.cn O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 59.34.148.68 O1 - Hosts: 127.1 208.43.165.86 O1 - Hosts: 127.1 208.43.166.171 O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 61.164.140.39 O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn O1 - Hosts: 127.1 cwk1237.3322.org O1 - Hosts: 127.1 www.woaigan.com O1 - Hosts: 127.1 munchkin.marketo.net O1 - Hosts: 127.1 post.marketo.net O1 - Hosts: 127.1 www.mv2z.cn O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 facaizhifuok.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 a.woaigan.com O1 - Hosts: 127.1 b.woaigan.com O1 - Hosts: 127.1 xxx.usxx.info O1 - Hosts: 127.1 alenxya.1122mb.com O1 - Hosts: 127.1 www.972se.com O1 - Hosts: 127.1 972se.com O1 - Hosts: 127.1 pic.03wyt.com O1 - Hosts: 127.1 d.03wyt.com O1 - Hosts: 127.1 xs.03wyt.com O1 - Hosts: 127.1 www.8jse.net O1 - Hosts: 127.1 8jse.net O1 - Hosts: 127.1 www.bmwtvb.cn O1 - Hosts: 127.1 www.kcuf-09.cn O1 - Hosts: 127.1 www.dvgdfg4650.com O1 - Hosts: 127.1 www.kcuf-08.cn O1 - Hosts: 127.1 www.kcuf-11.cn O1 - Hosts: 127.1 www.kcuf-12.cn O1 - Hosts: 127.1 1aa1aa.com O1 - Hosts: 127.1 xx.avno3.com O1 - Hosts: 127.1 xxx.avno5.com O1 - Hosts: 127.1 www.avno7.com O1 - Hosts: 127.1 avno7.com O1 - Hosts: 127.1 ok.avno4.com O1 - Hosts: 127.1 ok.avno5.com O1 - Hosts: 127.1 ok.avno6.com O1 - Hosts: 127.1 ok.avno7.com O1 - Hosts: 127.1 ok.avno9.com O1 - Hosts: 127.1 avno1.com O1 - Hosts: 127.1 avno3.com O1 - Hosts: 127.1 avno4.com O1 - Hosts: 127.1 aikanav.com O1 - Hosts: 127.1 link.selink.org O1 - Hosts: 127.1 www.avno6.com O1 - Hosts: 127.1 avno6.com O1 - Hosts: 127.1 4.chibbs.info O1 - Hosts: 127.1 bbs.chibbs.info O1 - Hosts: 127.1 aa.ss99.biz O1 - Hosts: 127.1 se.ss99.biz O1 - Hosts: 127.1 aa.sxlk.net O1 - Hosts: 127.1 se.sxlk99.com O1 - Hosts: 127.1 www.88xj.net O1 - Hosts: 127.1 88xj.net O1 - Hosts: 127.1 www.99xj.net O1 - Hosts: 127.1 99xj.net O1 - Hosts: 127.1 www.91semi.com O1 - Hosts: 127.1 91semi.com O1 - Hosts: 127.1 haobaidu.1122mb.com O1 - Hosts: 127.1 xiao777.za.pl O1 - Hosts: 127.1 ccavo6.avno6.com O1 - Hosts: 127.1 a.sxlk99.com O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.qq08w12.cn O1 - Hosts: 127.1 www.21xx.info O1 - Hosts: 127.1 php-1.cn O1 - Hosts: 127.1 www.v232.com O1 - Hosts: 127.1 php-2.cn O1 - Hosts: 127.1 php-3.cn O1 - Hosts: 127.1 php-4.cn O1 - Hosts: 127.1 php-5.cn O1 - Hosts: 127.1 php-6.cn O1 - Hosts: 127.1 php-7.cn O1 - Hosts: 127.1 php-8.cn O1 - Hosts: 127.1 php-9.cn O1 - Hosts: 127.1 php-10.cn O1 - Hosts: 127.1 php-11.cn O1 - Hosts: 127.1 k.5x2x.com O1 - Hosts: 127.1 a.5x2x.com O1 - Hosts: 127.1 202.108.23.205 O1 - Hosts: 127.1 60.190.218.21 O1 - Hosts: 127.1 121.14.154.195 O1 - Hosts: 127.1 218.30.82.201 O1 - Hosts: 127.1 59.34.198.48 O1 - Hosts: 127.1 121.14.154.216 O1 - Hosts: 127.1 219.152.120.237 O1 - Hosts: 127.1 121.14.154.184 O1 - Hosts: 127.1 125.67.67.201 O1 - Hosts: 127.1 222.168.102.12 O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [HBService32] System.exe O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe O4 - HKLM\..\Run: [WinSysM] C:\WINDOWS\547661M.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: mduaey.dll zosdof.dll micsus.dll stepps.dll lensch.dll comboaus.dll jolndyo.dll aotoppt.dll pewire.dll catower.dll wllame.dll O21 - SSODL: nauqskuc.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\fdnxdfix.dll O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll O21 - SSODL: xvoxwesl.dll - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} - C:\WINDOWS\System32\xvoxwesl.dll O21 - SSODL: dsccuodg.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\irapqlzk.dll O21 - SSODL: gcxpmpwr.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\gcxpmpwr.dll O21 - SSODL: nptaqjhn.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\fwjraiqh.dll O21 - SSODL: tcpstksq.dll - {D1CC9DC6-F0BC-40fc-9552-E497B05E05B8} - C:\WINDOWS\System32\sornmfcq.dll O21 - SSODL: axmdemdl.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\fdnxdfix.dll O21 - SSODL: dzgqomvw.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\jnpdngai.dll O21 - SSODL: qhytdhjn.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\cieyfdzc.dll O21 - SSODL: trbzviby.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\fsyexdrn.dll O21 - SSODL: uyefqglo.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\zqrnrexc.dll O21 - SSODL: nttbhksi.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\mugdddmy.dll O21 - SSODL: qdvgadkt.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\qdvgadkt.dll O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll O21 - SSODL: irapqlzk.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\irapqlzk.dll O21 - SSODL: sornmfcq.dll - {D1CC9DC6-F0BC-40fc-9552-E497B05E05B8} - C:\WINDOWS\System32\sornmfcq.dll O21 - SSODL: fwjraiqh.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\fwjraiqh.dll O21 - SSODL: zqrnrexc.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\zqrnrexc.dll O21 - SSODL: fdnxdfix.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\fdnxdfix.dll O21 - SSODL: jnpdngai.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\jnpdngai.dll O21 - SSODL: cieyfdzc.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\cieyfdzc.dll O21 - SSODL: fsyexdrn.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\fsyexdrn.dll O21 - SSODL: mugdddmy.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\mugdddmy.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 10232 bytes this is all thanks to "my next charge"! Someone's been busy while I've been away 1.)Task manager doesnt work2.)internet/overall performance is slower3.)new app has been created in c: Thanks for everything Raid, really, but unless this can be fixed tonight, this has all been a waste. I might get at you when I get out though since the pc still wont be clean. Pray for me bro
-
Here they go... MBAM: Malwarebytes' Anti-Malware 1.28 Database version: 1185 Windows 5.1.2600 Service Pack 1 9/21/2008 11:21:09 AM mbam-log-2008-09-21 (11-21-09).txt Scan type: Quick Scan Objects scanned: 49960 Time elapsed: 6 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 10 Registry Keys Infected: 15 Registry Values Infected: 18 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 30 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot. C:\WINDOWS\system32\flutjbcw.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\avicapwm.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\voedogzi.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\mncshawz.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\twnxpxba.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\gpuubunj.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\jkltrxoe.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot. Registry Keys Infected: HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{6b9fead7-4319-4312-ab05-d8c9cd255bfe} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{71a78cd4-e470-4a18-8457-e0e0283dd507} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{2cb77746-8ecc-40ca-8217-10ca8be5efc8} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{d3112b69-a745-4805-874e-abd480ea1299} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{f0930a2f-d971-4828-8209-b7dfd266ed44} (Trojan.Agent) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\flutjbcw.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6b9fead7-4319-4312-ab05-d8c9cd255bfe} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\avicapwm.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\voedogzi.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{71a78cd4-e470-4a18-8457-e0e0283dd507} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mncshawz.dll (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2cb77746-8ecc-40ca-8217-10ca8be5efc8} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\twnxpxba.dll (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{d3112b69-a745-4805-874e-abd480ea1299} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gpuubunj.dll (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f0930a2f-d971-4828-8209-b7dfd266ed44} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jkltrxoe.dll (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot. C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\AppPatch\DesktopWin.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\flutjbcw.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\avicapwm.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\voedogzi.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\mncshawz.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\twnxpxba.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\gpuubunj.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\jkltrxoe.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\system32\wllame.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\24[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\28[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\1b[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\26[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\d[1].gif (Virus.Alman) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\10[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\25[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\29[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\23[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\27[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\b[1].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully. C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot. HIJACKTHIS: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:24:56 AM, on 9/21/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\HP\KBD\KBD.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 vt0r48p760.cn O1 - Hosts: 127.1 www.1txx.com O1 - Hosts: 127.1 www.myovec.cn O1 - Hosts: 127.1 po.uc-us.cn O1 - Hosts: 127.1 219.139.83.20 O1 - Hosts: 127.1 www.msj007.cn O1 - Hosts: 127.1 www.wyf009.cn O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 59.34.148.68 O1 - Hosts: 127.1 208.43.165.86 O1 - Hosts: 127.1 208.43.166.171 O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 61.164.140.39 O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn O1 - Hosts: 127.1 cwk1237.3322.org O1 - Hosts: 127.1 www.woaigan.com O1 - Hosts: 127.1 munchkin.marketo.net O1 - Hosts: 127.1 post.marketo.net O1 - Hosts: 127.1 www.mv2z.cn O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 facaizhifuok.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 a.woaigan.com O1 - Hosts: 127.1 b.woaigan.com O1 - Hosts: 127.1 xxx.usxx.info O1 - Hosts: 127.1 alenxya.1122mb.com O1 - Hosts: 127.1 www.972se.com O1 - Hosts: 127.1 972se.com O1 - Hosts: 127.1 pic.03wyt.com O1 - Hosts: 127.1 d.03wyt.com O1 - Hosts: 127.1 xs.03wyt.com O1 - Hosts: 127.1 www.8jse.net O1 - Hosts: 127.1 8jse.net O1 - Hosts: 127.1 www.bmwtvb.cn O1 - Hosts: 127.1 www.kcuf-09.cn O1 - Hosts: 127.1 www.dvgdfg4650.com O1 - Hosts: 127.1 www.kcuf-08.cn O1 - Hosts: 127.1 www.kcuf-11.cn O1 - Hosts: 127.1 www.kcuf-12.cn O1 - Hosts: 127.1 1aa1aa.com O1 - Hosts: 127.1 xx.avno3.com O1 - Hosts: 127.1 xxx.avno5.com O1 - Hosts: 127.1 www.avno7.com O1 - Hosts: 127.1 avno7.com O1 - Hosts: 127.1 ok.avno4.com O1 - Hosts: 127.1 ok.avno5.com O1 - Hosts: 127.1 ok.avno6.com O1 - Hosts: 127.1 ok.avno7.com O1 - Hosts: 127.1 ok.avno9.com O1 - Hosts: 127.1 avno1.com O1 - Hosts: 127.1 avno3.com O1 - Hosts: 127.1 avno4.com O1 - Hosts: 127.1 aikanav.com O1 - Hosts: 127.1 link.selink.org O1 - Hosts: 127.1 www.avno6.com O1 - Hosts: 127.1 avno6.com O1 - Hosts: 127.1 4.chibbs.info O1 - Hosts: 127.1 bbs.chibbs.info O1 - Hosts: 127.1 aa.ss99.biz O1 - Hosts: 127.1 se.ss99.biz O1 - Hosts: 127.1 aa.sxlk.net O1 - Hosts: 127.1 se.sxlk99.com O1 - Hosts: 127.1 www.88xj.net O1 - Hosts: 127.1 88xj.net O1 - Hosts: 127.1 www.99xj.net O1 - Hosts: 127.1 99xj.net O1 - Hosts: 127.1 www.91semi.com O1 - Hosts: 127.1 91semi.com O1 - Hosts: 127.1 haobaidu.1122mb.com O1 - Hosts: 127.1 xiao777.za.pl O1 - Hosts: 127.1 ccavo6.avno6.com O1 - Hosts: 127.1 a.sxlk99.com O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.qq08w12.cn O1 - Hosts: 127.1 www.21xx.info O1 - Hosts: 127.1 php-1.cn O1 - Hosts: 127.1 www.v232.com O1 - Hosts: 127.1 php-2.cn O1 - Hosts: 127.1 php-3.cn O1 - Hosts: 127.1 php-4.cn O1 - Hosts: 127.1 php-5.cn O1 - Hosts: 127.1 php-6.cn O1 - Hosts: 127.1 php-7.cn O1 - Hosts: 127.1 php-8.cn O1 - Hosts: 127.1 php-9.cn O1 - Hosts: 127.1 php-10.cn O1 - Hosts: 127.1 php-11.cn O1 - Hosts: 127.1 k.5x2x.com O1 - Hosts: 127.1 a.5x2x.com O1 - Hosts: 127.1 202.108.23.205 O1 - Hosts: 127.1 60.190.218.21 O1 - Hosts: 127.1 121.14.154.195 O1 - Hosts: 127.1 218.30.82.201 O1 - Hosts: 127.1 59.34.198.48 O1 - Hosts: 127.1 121.14.154.216 O1 - Hosts: 127.1 219.152.120.237 O1 - Hosts: 127.1 121.14.154.184 O1 - Hosts: 127.1 125.67.67.201 O1 - Hosts: 127.1 222.168.102.12 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [HBService32] System.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wrm32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wrm32.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: mduaey.dll eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll,HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBFY.dll,HBCONQUER.dll,HBSOUL.dll,HB CT.dll,HBQQSG.dll,HBQQFFO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 7245 bytes more files keep poppin up in that "avenger" folder in c:, and wont be deleted. Computer's still running fine though
-
I'm sorry Raid. I need clarification... "I need a fresh hijackthislog After you ran mbam and reboot." -did you mean "run mbam and reboot" or "ran mbam and rebooted"? if you want me to run mbam again, let it reboot and then scan with hijackthis and provide the [new hijackthis] log with the log of mbam after i scanned and hit 'show results' but before I rebooted then sure, I will asap. But did you mean that you wanted the hijackthis log from the scan I did with hijackthis after the last time I ran mbam and let it reboot the computer, just like you told me to do in your second to last post, I thought thats what I showed you. What would make you think differently? please clarify what you want me to do. Edit: I apologize. I remember after I ran mbam and it told me to delete certain things it needed to restart. I'm pretty sure I told it to do so but i left the room right after that. When I came back I found the screen at the desktop which made me think that it had restarted, though thats the same way it looked when I left it. And I do remember thinking to myself"that was a damn fast restart". Are you saying that it never actually restarted and I just went and did a hijackthis scan without knowing that?
-
I didnt think real people actually said blasted, I only heard that in movies... MBAM: Malwarebytes' Anti-Malware 1.28 Database version: 1182 Windows 5.1.2600 Service Pack 1 9/20/2008 6:57:06 PM mbam-log-2008-09-20 (18-57-06).txt Scan type: Quick Scan Objects scanned: 49586 Time elapsed: 5 minute(s), 35 second(s) Memory Processes Infected: 0 Memory Modules Infected: 7 Registry Keys Infected: 14 Registry Values Infected: 11 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 29 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot. C:\WINDOWS\system32\tvxlrqso.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\bpoyvbfz.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\hultwmtu.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot. Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{d3112b69-a745-4805-874e-abd480ea1299} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel (Rootkit.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tvxlrqso.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mabsowpl.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bpoyvbfz.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{d3112b69-a745-4805-874e-abd480ea1299} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\hultwmtu.dll (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot. C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\tvxlrqso.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\bpoyvbfz.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\hultwmtu.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\system32\wllame.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\28[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\b[2].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\1b[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\26[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\29[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\d[1].gif (Virus.Alman) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\10[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\27[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\b[1].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully. C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\comuidsg.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\drivers\HBKernel.sys (Rootkit.OnlineGames) -> Delete on reboot. HIJACKTHIS: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:00:25 PM, on 9/20/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\HP\KBD\KBD.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 vt0r48p760.cn O1 - Hosts: 127.1 www.1txx.com O1 - Hosts: 127.1 www.myovec.cn O1 - Hosts: 127.1 po.uc-us.cn O1 - Hosts: 127.1 219.139.83.20 O1 - Hosts: 127.1 www.msj007.cn O1 - Hosts: 127.1 www.wyf009.cn O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 59.34.148.68 O1 - Hosts: 127.1 208.43.165.86 O1 - Hosts: 127.1 208.43.166.171 O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 61.164.140.39 O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn O1 - Hosts: 127.1 cwk1237.3322.org O1 - Hosts: 127.1 www.woaigan.com O1 - Hosts: 127.1 munchkin.marketo.net O1 - Hosts: 127.1 post.marketo.net O1 - Hosts: 127.1 www.mv2z.cn O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 facaizhifuok.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 a.woaigan.com O1 - Hosts: 127.1 b.woaigan.com O1 - Hosts: 127.1 xxx.usxx.info O1 - Hosts: 127.1 alenxya.1122mb.com O1 - Hosts: 127.1 www.972se.com O1 - Hosts: 127.1 972se.com O1 - Hosts: 127.1 pic.03wyt.com O1 - Hosts: 127.1 d.03wyt.com O1 - Hosts: 127.1 xs.03wyt.com O1 - Hosts: 127.1 www.8jse.net O1 - Hosts: 127.1 8jse.net O1 - Hosts: 127.1 www.bmwtvb.cn O1 - Hosts: 127.1 www.kcuf-09.cn O1 - Hosts: 127.1 www.dvgdfg4650.com O1 - Hosts: 127.1 www.kcuf-08.cn O1 - Hosts: 127.1 www.kcuf-11.cn O1 - Hosts: 127.1 www.kcuf-12.cn O1 - Hosts: 127.1 1aa1aa.com O1 - Hosts: 127.1 xx.avno3.com O1 - Hosts: 127.1 xxx.avno5.com O1 - Hosts: 127.1 www.avno7.com O1 - Hosts: 127.1 avno7.com O1 - Hosts: 127.1 ok.avno4.com O1 - Hosts: 127.1 ok.avno5.com O1 - Hosts: 127.1 ok.avno6.com O1 - Hosts: 127.1 ok.avno7.com O1 - Hosts: 127.1 ok.avno9.com O1 - Hosts: 127.1 avno1.com O1 - Hosts: 127.1 avno3.com O1 - Hosts: 127.1 avno4.com O1 - Hosts: 127.1 aikanav.com O1 - Hosts: 127.1 link.selink.org O1 - Hosts: 127.1 www.avno6.com O1 - Hosts: 127.1 avno6.com O1 - Hosts: 127.1 4.chibbs.info O1 - Hosts: 127.1 bbs.chibbs.info O1 - Hosts: 127.1 aa.ss99.biz O1 - Hosts: 127.1 se.ss99.biz O1 - Hosts: 127.1 aa.sxlk.net O1 - Hosts: 127.1 se.sxlk99.com O1 - Hosts: 127.1 www.88xj.net O1 - Hosts: 127.1 88xj.net O1 - Hosts: 127.1 www.99xj.net O1 - Hosts: 127.1 99xj.net O1 - Hosts: 127.1 www.91semi.com O1 - Hosts: 127.1 91semi.com O1 - Hosts: 127.1 haobaidu.1122mb.com O1 - Hosts: 127.1 xiao777.za.pl O1 - Hosts: 127.1 ccavo6.avno6.com O1 - Hosts: 127.1 a.sxlk99.com O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.qq08w12.cn O1 - Hosts: 127.1 www.21xx.info O1 - Hosts: 127.1 php-1.cn O1 - Hosts: 127.1 www.v232.com O1 - Hosts: 127.1 php-2.cn O1 - Hosts: 127.1 php-3.cn O1 - Hosts: 127.1 php-4.cn O1 - Hosts: 127.1 php-5.cn O1 - Hosts: 127.1 php-6.cn O1 - Hosts: 127.1 php-7.cn O1 - Hosts: 127.1 php-8.cn O1 - Hosts: 127.1 php-9.cn O1 - Hosts: 127.1 php-10.cn O1 - Hosts: 127.1 php-11.cn O1 - Hosts: 127.1 k.5x2x.com O1 - Hosts: 127.1 a.5x2x.com O1 - Hosts: 127.1 202.108.23.205 O1 - Hosts: 127.1 60.190.218.21 O1 - Hosts: 127.1 121.14.154.195 O1 - Hosts: 127.1 218.30.82.201 O1 - Hosts: 127.1 59.34.198.48 O1 - Hosts: 127.1 121.14.154.216 O1 - Hosts: 127.1 219.152.120.237 O1 - Hosts: 127.1 121.14.154.184 O1 - Hosts: 127.1 125.67.67.201 O1 - Hosts: 127.1 222.168.102.12 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [HBService32] System.exe O4 - HKLM\..\Run: [HBService] explore.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: mduaey.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 6929 bytes task manager is still working, everythings running smoothly except the internet is a little slow on startup. That nt authority system message that shuts down the computer hasn't popped up in days
-
OTListIt Extras logfile created on: 9/20/2008 1:02:35 PM - Run Owner OTListIt by OldTimer - Version 1.0.4.0 Folder = C:\Documents and Settings\Owner\My Documents Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 6.0.2800.1106) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 223.48 Mb Total Physical Memory | 80.60 Mb Available Physical Memory | 36.06% Memory free 547.12 Mb Paging File | 417.17 Mb Available in Paging File | 76.25% Paging File free Paging file location(s): C:\pagefile.sys 336 672; %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 33.40 Gb Total Space | 11.80 Gb Free Space | 35.32% Space Free | Partition Type: NTFS Drive D: | 3.89 Gb Total Space | 0.74 Gb Free Space | 18.93% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: YOUR-N3TY7ATHD5 Current User Name: Owner Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Whitelist: On Files within: 30 Days ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "UpdatesDisableNotify" = 1 "AntiVirusDisableNotify" = 1 "FirewallDisableNotify" = 1 "AntiVirusOverride" = 1 "FirewallOverride" = 1 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{01F9D88C-3C86-4E82-840A-101A3221F67A}" = Microsoft Money 2003 "{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}" = Microsoft Money 2003 System Pack "{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = RecordNow Update Manager "{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo "{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR "{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0 "{7CF31609-270B-11D6-9445-000102308676}" = Java 2 Runtime Environment, SE v1.4.0_01 "{8214CC02-6271-4DC8-B8DD-779933450264}" = RecordNow "{865917D2-33F4-4223-BDCD-C7DA958C216C}" = Dark Orbit "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver Software "{8D5D99B8-DFA2-4018-ADE9-A6B83E655C65}" = "{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English) v1.0.3705 "{BDE90251-93EB-4F6A-89D8-086E2D91DC56}" = Coloreal "{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}" = Simple Installer - Multilanguage Version "{F61F2821-694C-475F-99AB-6AF2EFDF40FD}" = Quicken 2003 New User Edition "ActiveScan 2.0" = Panda ActiveScan 2.0 "Adobe Acrobat 5.0" = Adobe Acrobat 5.0 "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX "America Online us" = America Online "AolCoach" = AOL Coach Version 1.0(Build:20011028.1) "CompuServe us" = CompuServe "ERUNT_is1" = ERUNT 1.1j "HijackThis" = HijackThis 2.0.2 "Inactive HP Printer Drivers (Remove only)" = Inactive HP Printer Drivers (Remove only) "InstallShield_{F61F2821-694C-475F-99AB-6AF2EFDF40FD}" = Quicken 2003 New User Edition "Java Web Start" = Java Web Start "JRE 1.3.1_02" = Java 2 Runtime Environment Standard Edition v1.3.1_02 "KBD" = KBD "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705 "Netscape (7.0)" = Netscape (7.0) "NVIDIA" = NVIDIA Windows 2000/XP Display Drivers "PS2" = PS2 "Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions "Q327979" = Windows XP Hotfix (SP2) Q327979 "q330638" = Windows XP Hotfix (SP2) [see q330638 for more information] "Q331958" = Windows XP Hotfix (SP2) Q331958 "RealPlayer 6.0" = RealOne Player "S3Display" = S3Display "S3Gamma2" = S3Gamma2 "S3Info2" = S3Info2 "S3Overlay" = S3Overlay "ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only) "WildTangentDDC" = WildTangent Channel Manager ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 9/14/2008 9:16:38 AM | Computer Name = YOUR-N3TY7ATHD5 | Source = Winlogon | ID = 1015 Description = A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine must now be restarted. Error - 9/14/2008 9:52:57 AM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000 Description = Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000. Error - 9/14/2008 3:39:23 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Winlogon | ID = 1015 Description = A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine must now be restarted. Error - 9/15/2008 12:26:58 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Hang | ID = 1002 Description = Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module shlwapi.dll, version 6.0.2800.1106, hang address 0x00022277. Error - 9/16/2008 1:39:38 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000 Description = Faulting application iexplore.exe, version 6.0.2800.1106, faulting module , version 0.0.0.0, fault address 0x00000000. Error - 9/16/2008 3:17:02 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000 Description = Faulting application gfdmga.exe, version 5.1.2600.0, faulting module gfdmga.exe, version 5.1.2600.0, fault address 0x00028728. Error - 9/16/2008 4:36:25 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000 Description = Faulting application phqghu.exe, version 5.1.2600.0, faulting module phqghu.exe, version 5.1.2600.0, fault address 0x00028728. Error - 9/16/2008 6:44:16 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000 Description = Faulting application rpnrvy.exe, version 5.1.2600.0, faulting module rpnrvy.exe, version 5.1.2600.0, fault address 0x00028728. Error - 9/16/2008 9:55:16 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000 Description = Faulting application phqghu.exe, version 5.1.2600.0, faulting module phqghu.exe, version 5.1.2600.0, fault address 0x00028728. Error - 9/17/2008 4:28:37 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000 Description = Faulting application phqghu.exe, version 5.1.2600.0, faulting module phqghu.exe, version 5.1.2600.0, fault address 0x00028728. [ System Events ] Error - 9/19/2008 5:03:50 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000 Description = The mrtRate service failed to start due to the following error: %%2 Error - 9/19/2008 5:03:50 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: Beep Error - 9/19/2008 6:27:34 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000 Description = The mrtRate service failed to start due to the following error: %%2 Error - 9/19/2008 6:27:34 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: Beep Error - 9/19/2008 7:26:23 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000 Description = The mrtRate service failed to start due to the following error: %%2 Error - 9/19/2008 7:26:23 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: Beep Error - 9/19/2008 9:22:36 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000 Description = The mrtRate service failed to start due to the following error: %%2 Error - 9/19/2008 9:22:36 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: Beep Error - 9/20/2008 10:19:28 AM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000 Description = The mrtRate service failed to start due to the following error: %%2 Error - 9/20/2008 10:19:28 AM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: Beep < End of report >
-
OTListIt logfile created on: 9/20/2008 1:02:35 PM - Run 1 OTListIt by OldTimer - Version 1.0.4.0 Folder = C:\Documents and Settings\Owner\My Documents Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 6.0.2800.1106) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 223.48 Mb Total Physical Memory | 80.60 Mb Available Physical Memory | 36.06% Memory free 547.12 Mb Paging File | 417.17 Mb Available in Paging File | 76.25% Paging File free Paging file location(s): C:\pagefile.sys 336 672; %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 33.40 Gb Total Space | 11.80 Gb Free Space | 35.32% Space Free | Partition Type: NTFS Drive D: | 3.89 Gb Total Space | 0.74 Gb Free Space | 18.93% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: YOUR-N3TY7ATHD5 Current User Name: Owner Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Whitelist: On Files within: 30 Days ========== Processes - Non-Microsoft Only ========== [2008/09/20 10:23:21 | 00,003,584 | ---- | M] () -- C:\WINDOWS\system32\explore.exe ========== Win32 Services - Non-Microsoft Only ========== [2008/09/20 13:01:33 | R--D | M] -- . -- (Microsoft Agent [Disabled | Stopped]) [2008/09/20 13:01:33 | R--D | M] -- . -- (nservice [Disabled | Stopped]) ========== Driver Services - Non-Microsoft Only ========== File not found -- C:\WINDOWS\System32\drivers\orvhgp.sys -- (bmdc [boot | Stopped]) [2008/08/24 00:40:42 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped]) [2008/09/15 07:53:48 | 00,014,640 | ---- | M] () -- C:\WINDOWS\system32\drivers\HBKernel32.sys -- (HBKernel32 [boot | Running]) [2008/09/20 10:23:20 | 00,039,920 | ---- | M] () -- C:\WINDOWS\system32\drivers\HBKernel.sys -- (HBKernel [boot | Running]) ========== Internet Explorer ========== HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com HKU\S-1-5-21-442785047-2655992494-1152365243-1003\S-1-5-21-442785047-2655992494-1152365243-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 O1 HOSTS File: (205005 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 vt0r48p760.cn O1 - Hosts: 127.1 www.1txx.com O1 - Hosts: 127.1 www.myovec.cn O1 - Hosts: 127.1 po.uc-us.cn O1 - Hosts: 127.1 219.139.83.20 O1 - Hosts: 127.1 www.msj007.cn O1 - Hosts: 127.1 www.wyf009.cn O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 59.34.148.68 O1 - Hosts: 127.1 208.43.165.86 O1 - Hosts: 127.1 208.43.166.171 O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 61.164.140.39 O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn O1 - Hosts: 127.1 cwk1237.3322.org O1 - Hosts: 127.1 www.woaigan.com O1 - Hosts: 127.1 munchkin.marketo.net O1 - Hosts: 127.1 post.marketo.net O1 - Hosts: 127.1 www.mv2z.cn O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 facaizhifuok.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 a.woaigan.com O1 - Hosts: 9237 more lines... O2 - BHO: (ThunderHlpObj Class) - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll () O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx () O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found O3 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found O3 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found O3 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found O3 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found O4 - HKLM..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main () O4 - HKLM..\Run: [HBService] explore.exe () O4 - HKLM..\Run: [HBService32] System.exe () O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE () O4 - HKLM..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" () O4 - HKLM..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" () O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe File not found O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O7 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0 O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm () O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm () O15 - HKCU\..Trusted Sites: (msn in My Computer) O15 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..Trusted Sites: (msn in My Computer) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool) O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1219522215203 (WUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.3.1/...-131_02-win.cab (Java Plug-in 1.3.1_02) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key does not exist or could not be opened.) O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/...-131_02-win.cab (Java Plug-in 1.3.1_02) O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl..._4_0_01-win.cab (Java Plug-in 1.4.0_01) O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key does not exist or could not be opened.) O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key does not exist or could not be opened.) O18 - Protocol\Handler: - ipp - No CLSID value found O18 - Protocol\Handler: - msdaipp - No CLSID value found O18 - Protocol\Handler: - vnd.ms.radio - C:\WINDOWS\system32\msdxm.ocx () O20 - See sections below for AppInitDlls and Winlogon settings O21 - SSODL: bpoyvbfz.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}C:\WINDOWS\system32\bpoyvbfz.dll () O21 - SSODL: hultwmtu.dll - {D3112B69-A745-4805-874E-ABD480EA1299}C:\WINDOWS\system32\hultwmtu.dll () O21 - SSODL: mabsowpl.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}C:\WINDOWS\system32\bpoyvbfz.dll () O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99}C:\WINDOWS\sysocmgr.dll (Microsoft Corporation) O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD}C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll () O21 - SSODL: tvxlrqso.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}C:\WINDOWS\system32\tvxlrqso.dll () ========== AppInit_DLLs ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_Dlls" = aaa.dll,HBmhly.dll >File not found -- >[2008/09/19 12:59:22 | 00,019,456 | ---- | M] () -- C:\WINDOWS\system32\HBmhly.dll ========== Shell Execute Hooks ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{00240024-0024-0024-0024-00240024BB15}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}" (HKLM) -- C:\WINDOWS\system32\bpoyvbfz.dll () "{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{71A78CD4-E470-4a18-8457-E0E0283DD507}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{76D44356-B494-443a-BEDC-AA68DE4255E6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{898E02AB-9372-4a2c-9C4A-FFE1AF61097F}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{D3112B69-A745-4805-874E-ABD480EA1299}" (HKLM) -- C:\WINDOWS\system32\hultwmtu.dll () "{DA56B183-A731-402b-9235-2CB8803E212D}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}" (HKLM) -- C:\WINDOWS\system32\tvxlrqso.dll () "{F0930A2F-D971-4828-8209-B7DFD266ED44}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found ========== Safeboot Options ========== "AlternateShell" = cmd.exe ========== CDRom AutoRun Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] "AutoRun" = 1 ========== Autorun Files on Drives ========== AUTOEXEC.BAT [] [2003/01/24 10:07:32 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ] AUTOEXEC.BAT [] [2001/07/28 07:07:38 | 00,000,000 | RHS- | M] () -- D:\AUTOEXEC.BAT -- [ FAT32 ] Autorun.inf [[AUTORUN] | OPEN=Info.exe folder.htt 480 480 | ] [2002/09/11 04:02:32 | 00,000,045 | -HS- | M] () -- D:\Autorun.inf -- [ FAT32 ] ========== Files/Folders - Created Within 30 days ========== [2 C:\WINDOWS\*.tmp files] [2008/09/20 10:28:17 | 00,008,072 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis 9 20 [2008/09/20 10:23:22 | 02,180,896 | ---- | C] () -- C:\WINDOWS\System32\bpoyvbfz.dll [2008/09/20 10:23:21 | 00,003,584 | ---- | C] () -- C:\WINDOWS\System32\explore.exe [2008/09/20 10:23:20 | 00,039,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\HBKernel.sys [2008/09/20 10:20:17 | 00,014,848 | ---- | C] () -- C:\WINDOWS\System32\HBQQSG.dll [2008/09/19 15:47:21 | 23,440,9984 | -HS- | C] () -- C:\hiberfil.sys [2008/09/19 15:39:40 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\linkinfo.dll [2008/09/19 15:39:30 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HBCT.dll [2008/09/19 15:39:30 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\HBXY2.dll [2008/09/19 15:39:29 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HB1000Y.dll [2008/09/19 15:39:26 | 02,574,764 | ---- | C] () -- C:\WINDOWS\System32\hultwmtu.dll [2008/09/19 13:00:05 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\HBQQFFO.dll [2008/09/19 13:00:05 | 00,005,120 | ---- | C] () -- C:\WINDOWS\System32\System.exe [2008/09/19 13:00:03 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\wllame.dll [2008/09/19 12:59:58 | 02,124,716 | ---- | C] () -- C:\WINDOWS\System32\wtgdgmmw.dll [2008/09/19 12:59:51 | 02,630,060 | ---- | C] () -- C:\WINDOWS\System32\zxxcwpnz.dll [2008/09/19 12:59:50 | 01,049,888 | ---- | C] () -- C:\WINDOWS\System32\avicapwm.dll [2008/09/19 12:59:41 | 02,359,724 | ---- | C] () -- C:\WINDOWS\System32\tvxlrqso.dll [2008/09/19 12:59:39 | 02,175,636 | ---- | C] () -- C:\WINDOWS\System32\mabsowpl.dll [2008/09/19 12:59:27 | 02,182,060 | ---- | C] () -- C:\WINDOWS\System32\comuidsg.dll [2008/09/19 12:59:22 | 00,019,456 | ---- | C] () -- C:\WINDOWS\System32\HBmhly.dll [2008/09/19 12:59:09 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\sysocmgr.dll [2008/09/19 12:59:02 | 00,229,376 | ---- | C] () -- C:\WINDOWS\Update.dll [2008/09/18 19:03:33 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HBCONQUER.dll [2008/09/18 19:03:16 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HBFY.dll [2008/09/17 20:17:37 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\pewirek.exe [2008/09/17 20:01:39 | 02,220,460 | ---- | C] () -- C:\WINDOWS\System32\nwapi32dj.dll [2008/09/17 16:30:05 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\comboausk.exe [2008/09/17 16:30:03 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\comboaus.dll [2008/09/16 18:44:12 | 00,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rpnrvy.exe [2008/09/16 18:08:23 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\eskislk.exe [2008/09/16 17:53:01 | 00,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nqduxw.exe [2008/09/16 15:16:52 | 00,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\gfdmga.exe [2008/09/15 18:09:06 | 00,012,800 | ---- | C] () -- C:\WINDOWS\System32\jolndyok.exe [2008/09/15 18:09:05 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\jolndyo.dll [2008/09/15 07:54:16 | 00,008,234 | -HS- | C] () -- C:\WINDOWS\System32\kildh3l.dll [2008/09/15 07:54:15 | 00,004,410 | ---- | C] () -- C:\WINDOWS\System32\wrm32.dll [2008/09/15 07:54:07 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\catower.dll [2008/09/15 07:54:04 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\pewire.dll [2008/09/15 07:54:01 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\aotoppt.dll [2008/09/15 07:54:00 | 02,176,660 | ---- | C] () -- C:\WINDOWS\System32\twainyy.dll [2008/09/15 07:53:54 | 02,609,952 | ---- | C] () -- C:\WINDOWS\System32\adsntzt.dll [2008/09/15 07:53:49 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HBSOUL.dll [2008/09/15 07:53:48 | 00,014,640 | ---- | C] () -- C:\WINDOWS\System32\drivers\HBKernel32.sys [2008/09/15 07:53:46 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\johandy.dll [2008/09/15 07:53:44 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\lensch.dll [2008/09/15 07:53:41 | 02,213,804 | ---- | C] () -- C:\WINDOWS\System32\dispexcb.dll [2008/09/15 07:53:38 | 02,458,772 | ---- | C] () -- C:\WINDOWS\System32\cliconfgzx.dll [2008/09/15 07:53:29 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\mduaey.dll [2008/09/15 07:53:23 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\eskisl.dll [2008/09/15 07:53:21 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\qxfelk.exe [2008/09/14 19:07:12 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys [2008/09/14 09:53:40 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\x [2008/09/14 03:33:05 | 00,201,030 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\lspfix.zip [2008/09/12 15:00:47 | 00,000,775 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk [2008/09/12 15:00:33 | 00,000,619 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk [2008/09/12 15:00:33 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk [2008/09/12 13:41:12 | 00,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\phqghu.exe [2008/09/12 12:30:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\buq.exe [2008/09/10 22:31:13 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe [2008/09/10 13:20:58 | 00,000,608 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to estherbaxter205.lnk [2008/09/09 17:11:01 | 00,003,000 | -HS- | C] () -- C:\WINDOWS\System32\kildh3l.cfg [2008/09/07 18:36:19 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\micsus.dll [2008/09/07 13:25:06 | 00,210,097 | ---- | C] () -- C:\WINDOWS\001f407d.exe [2008/09/07 12:43:57 | 00,008,704 | -HS- | C] () -- C:\WINDOWS\Thumbs.db @Alternate Data Stream - 0 bytes -> C:\WINDOWS\Thumbs.db:encryptable [2008/09/01 14:47:55 | 00,010,752 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe [2008/08/31 23:47:07 | 00,000,000 | RHS- | C] () -- C:\asdf [2008/08/30 22:56:21 | 00,002,017 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\15 56 before [2008/08/30 22:40:58 | 00,002,058 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\10 40 before [2008/08/30 19:20:41 | 00,002,830 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\7 20 before log [2008/08/30 00:02:15 | 00,000,022 | ---- | C] () -- C:\WINDOWS\System32\msCMTsrvc.zip [2008/08/29 22:27:34 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk [2008/08/29 22:22:27 | 00,001,170 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\10 22 log before [2008/08/26 19:30:03 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\rmchamp.dll [2008/08/26 10:57:08 | 00,000,750 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Media Player.lnk [2008/08/26 10:57:08 | 00,000,675 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk [2008/08/25 13:33:43 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\uyl.exe [2008/08/25 12:34:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\oyj.exe [2008/08/24 12:57:30 | 00,667,648 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Norton_Removal_Tool.exe [2008/08/24 00:40:48 | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini [2008/08/24 00:40:42 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll [2008/08/24 00:40:42 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys [2008/08/24 00:40:42 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd [2008/08/24 00:40:41 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe [2008/08/24 00:39:31 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip [2008/08/23 16:01:52 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\kandaof.dll [2008/08/23 16:01:43 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\cupops.dll [2008/08/23 16:00:11 | 00,000,008 | ---- | C] () -- C:\WINDOWS\System32\Update.dat [2008/08/22 17:38:10 | 00,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2008/08/22 17:27:14 | 01,119,784 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\MGADiag.exe [2008/08/21 22:22:32 | 00,000,032 | ---- | C] () -- C:\WINDOWS\System32\thxcfg.ini ========== Files - Modified Within 30 days ========== [1 C:\WINDOWS\System32\*.tmp files] [2 C:\WINDOWS\*.tmp files] [2008/09/20 10:28:17 | 00,008,072 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis 9 20 [2008/09/20 10:26:44 | 00,205,005 | R-S- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2008/09/20 10:23:22 | 02,180,896 | ---- | M] () -- C:\WINDOWS\System32\bpoyvbfz.dll [2008/09/20 10:23:21 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\eskisl.dll [2008/09/20 10:23:21 | 00,012,288 | ---- | M] () -- C:\WINDOWS\System32\eskislk.exe [2008/09/20 10:23:21 | 00,003,584 | ---- | M] () -- C:\WINDOWS\System32\explore.exe [2008/09/20 10:23:20 | 00,039,920 | ---- | M] () -- C:\WINDOWS\System32\drivers\HBKernel.sys [2008/09/20 10:23:20 | 00,000,008 | ---- | M] () -- C:\WINDOWS\System32\Update.dat [2008/09/20 10:23:19 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\sysocmgr.dll [2008/09/20 10:20:17 | 00,014,848 | ---- | M] () -- C:\WINDOWS\System32\HBQQSG.dll [2008/09/20 10:18:10 | 00,000,248 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat [2008/09/20 10:18:06 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2008/09/20 10:18:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2008/09/20 10:18:01 | 23,440,9984 | -HS- | M] () -- C:\hiberfil.sys [2008/09/19 15:39:40 | 00,053,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\linkinfo.dll [2008/09/19 15:39:30 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HBCT.dll [2008/09/19 15:39:30 | 00,016,384 | ---- | M] () -- C:\WINDOWS\System32\HBXY2.dll [2008/09/19 15:39:29 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HB1000Y.dll [2008/09/19 15:39:28 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HBSOUL.dll [2008/09/19 15:39:26 | 02,574,764 | ---- | M] () -- C:\WINDOWS\System32\hultwmtu.dll [2008/09/19 13:00:07 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HBFY.dll [2008/09/19 13:00:05 | 00,015,360 | ---- | M] () -- C:\WINDOWS\System32\HBQQFFO.dll [2008/09/19 13:00:05 | 00,005,120 | ---- | M] () -- C:\WINDOWS\System32\System.exe [2008/09/19 13:00:04 | 00,008,234 | -HS- | M] () -- C:\WINDOWS\System32\kildh3l.dll [2008/09/19 13:00:04 | 00,004,410 | ---- | M] () -- C:\WINDOWS\System32\wrm32.dll [2008/09/19 13:00:04 | 00,003,000 | -HS- | M] () -- C:\WINDOWS\System32\kildh3l.cfg [2008/09/19 13:00:03 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\wllame.dll [2008/09/19 13:00:02 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\catower.dll [2008/09/19 13:00:00 | 02,124,716 | ---- | M] () -- C:\WINDOWS\System32\wtgdgmmw.dll [2008/09/19 12:59:56 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\comboaus.dll [2008/09/19 12:59:53 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\pewire.dll [2008/09/19 12:59:52 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\aotoppt.dll [2008/09/19 12:59:51 | 02,630,060 | ---- | M] () -- C:\WINDOWS\System32\zxxcwpnz.dll [2008/09/19 12:59:50 | 01,049,888 | ---- | M] () -- C:\WINDOWS\System32\avicapwm.dll [2008/09/19 12:59:49 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\johandy.dll [2008/09/19 12:59:47 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\jolndyo.dll [2008/09/19 12:59:45 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\cupops.dll [2008/09/19 12:59:44 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\micsus.dll [2008/09/19 12:59:42 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\lensch.dll [2008/09/19 12:59:41 | 02,359,724 | ---- | M] () -- C:\WINDOWS\System32\tvxlrqso.dll [2008/09/19 12:59:39 | 02,175,636 | ---- | M] () -- C:\WINDOWS\System32\mabsowpl.dll [2008/09/19 12:59:27 | 02,182,060 | ---- | M] () -- C:\WINDOWS\System32\comuidsg.dll [2008/09/19 12:59:22 | 00,019,456 | ---- | M] () -- C:\WINDOWS\System32\HBmhly.dll [2008/09/19 12:59:02 | 00,229,376 | ---- | M] () -- C:\WINDOWS\Update.dll [2008/09/19 12:40:52 | 00,025,065 | ---- | M] () -- C:\WINDOWS\System32\wmpscheme.xml [2008/09/18 19:03:33 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HBCONQUER.dll [2008/09/17 20:17:36 | 00,011,776 | ---- | M] () -- C:\WINDOWS\System32\pewirek.exe [2008/09/17 20:01:39 | 02,220,460 | ---- | M] () -- C:\WINDOWS\System32\nwapi32dj.dll [2008/09/17 20:01:29 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\mduaey.dll [2008/09/17 19:49:20 | 00,140,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\phqghu.exe [2008/09/17 16:30:03 | 00,011,776 | ---- | M] () -- C:\WINDOWS\System32\comboausk.exe [2008/09/16 18:44:14 | 00,140,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rpnrvy.exe [2008/09/16 17:53:04 | 00,140,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\nqduxw.exe [2008/09/16 15:16:56 | 00,140,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\gfdmga.exe [2008/09/15 18:09:05 | 00,012,800 | ---- | M] () -- C:\WINDOWS\System32\jolndyok.exe [2008/09/15 07:54:01 | 02,176,660 | ---- | M] () -- C:\WINDOWS\System32\twainyy.dll [2008/09/15 07:53:54 | 02,609,952 | ---- | M] () -- C:\WINDOWS\System32\adsntzt.dll [2008/09/15 07:53:48 | 00,014,640 | ---- | M] () -- C:\WINDOWS\System32\drivers\HBKernel32.sys [2008/09/15 07:53:41 | 02,213,804 | ---- | M] () -- C:\WINDOWS\System32\dispexcb.dll [2008/09/15 07:53:38 | 02,458,772 | ---- | M] () -- C:\WINDOWS\System32\cliconfgzx.dll [2008/09/15 07:53:20 | 00,011,776 | ---- | M] () -- C:\WINDOWS\System32\qxfelk.exe [2008/09/14 20:50:45 | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini [2008/09/14 16:16:06 | 00,040,448 | ---- | M] () -- C:\WINDOWS\System32\ftp.exe [2008/09/14 16:16:06 | 00,040,448 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ftp.exe [2008/09/14 09:53:40 | 00,000,054 | ---- | M] () -- C:\WINDOWS\System32\x [2008/09/14 06:48:49 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\tmsshf.bin [2008/09/14 06:35:51 | 00,010,752 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe [2008/09/14 03:33:06 | 00,201,030 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\lspfix.zip [2008/09/12 15:00:47 | 00,000,775 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk [2008/09/12 15:00:33 | 00,000,619 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk [2008/09/12 15:00:33 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk [2008/09/12 12:30:19 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\buq.exe [2008/09/11 10:07:32 | 00,000,800 | ---- | M] () -- C:\WINDOWS\win.ini [2008/09/10 22:31:23 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe [2008/09/10 13:20:58 | 00,000,608 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to estherbaxter205.lnk [2008/09/07 13:25:09 | 00,210,097 | ---- | M] () -- C:\WINDOWS\001f407d.exe [2008/09/07 12:43:57 | 00,008,704 | -HS- | M] () -- C:\WINDOWS\Thumbs.db @Alternate Data Stream - 0 bytes -> C:\WINDOWS\Thumbs.db:encryptable [2008/09/06 17:21:35 | 00,416,732 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2008/09/06 17:21:35 | 00,365,076 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2008/09/06 17:21:35 | 00,046,080 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2008/09/05 16:33:30 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2008/08/31 23:47:07 | 00,000,000 | RHS- | M] () -- C:\asdf [2008/08/30 22:56:21 | 00,002,017 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\15 56 before [2008/08/30 22:40:58 | 00,002,058 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\10 40 before [2008/08/30 22:05:00 | 00,016,896 | ---- | M] () -- C:\myspace promotion.wps [2008/08/30 19:20:41 | 00,002,830 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\7 20 before log [2008/08/30 00:03:04 | 00,000,022 | ---- | M] () -- C:\WINDOWS\System32\msCMTsrvc.zip [2008/08/29 22:27:34 | 00,001,742 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk [2008/08/29 22:22:28 | 00,001,170 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\10 22 log before [2008/08/28 10:00:32 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\rmchamp.dll [2008/08/28 10:00:31 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\kandaof.dll [2008/08/26 10:57:13 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2008/08/26 10:57:13 | 00,000,182 | RHS- | M] () -- C:\boot.ini [2008/08/26 10:23:09 | 00,024,648 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT [2008/08/25 13:33:43 | 00,090,112 | ---- | M] () -- C:\WINDOWS\System32\uyl.exe [2008/08/25 12:34:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\oyj.exe [2008/08/24 16:32:00 | 00,000,750 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Media Player.lnk [2008/08/24 12:57:39 | 00,667,648 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Norton_Removal_Tool.exe [2008/08/24 00:40:42 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll [2008/08/24 00:40:42 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys [2008/08/24 00:40:42 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd [2008/08/24 00:39:41 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip [2008/08/23 21:42:27 | 00,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2008/08/22 23:36:04 | 02,114,040 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db [2008/08/22 17:27:14 | 01,119,784 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\MGADiag.exe [2008/08/21 22:22:50 | 00,000,032 | ---- | M] () -- C:\WINDOWS\System32\thxcfg.ini [2008/08/21 20:46:21 | 00,039,936 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini < End of report >
-
I come on today and run a scan for the hell of it and the log changed, thought I'd show you ***note*** [HBService32] System.exe & [HBService] explore.exe are both present again(Im guessing killing those .dll's(that are also back) will work now since they are both present again?) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:28:17 AM, on 9/20/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\HP\KBD\KBD.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\eskislk.exe C:\WINDOWS\System32\explore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 vt0r48p760.cn O1 - Hosts: 127.1 www.1txx.com O1 - Hosts: 127.1 www.myovec.cn O1 - Hosts: 127.1 po.uc-us.cn O1 - Hosts: 127.1 219.139.83.20 O1 - Hosts: 127.1 www.msj007.cn O1 - Hosts: 127.1 www.wyf009.cn O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 59.34.148.68 O1 - Hosts: 127.1 208.43.165.86 O1 - Hosts: 127.1 208.43.166.171 O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 61.164.140.39 O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn O1 - Hosts: 127.1 cwk1237.3322.org O1 - Hosts: 127.1 www.woaigan.com O1 - Hosts: 127.1 munchkin.marketo.net O1 - Hosts: 127.1 post.marketo.net O1 - Hosts: 127.1 www.mv2z.cn O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 facaizhifuok.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 a.woaigan.com O1 - Hosts: 127.1 b.woaigan.com O1 - Hosts: 127.1 xxx.usxx.info O1 - Hosts: 127.1 alenxya.1122mb.com O1 - Hosts: 127.1 www.972se.com O1 - Hosts: 127.1 972se.com O1 - Hosts: 127.1 pic.03wyt.com O1 - Hosts: 127.1 d.03wyt.com O1 - Hosts: 127.1 xs.03wyt.com O1 - Hosts: 127.1 www.8jse.net O1 - Hosts: 127.1 8jse.net O1 - Hosts: 127.1 www.bmwtvb.cn O1 - Hosts: 127.1 www.kcuf-09.cn O1 - Hosts: 127.1 www.dvgdfg4650.com O1 - Hosts: 127.1 www.kcuf-08.cn O1 - Hosts: 127.1 www.kcuf-11.cn O1 - Hosts: 127.1 www.kcuf-12.cn O1 - Hosts: 127.1 1aa1aa.com O1 - Hosts: 127.1 xx.avno3.com O1 - Hosts: 127.1 xxx.avno5.com O1 - Hosts: 127.1 www.avno7.com O1 - Hosts: 127.1 avno7.com O1 - Hosts: 127.1 ok.avno4.com O1 - Hosts: 127.1 ok.avno5.com O1 - Hosts: 127.1 ok.avno6.com O1 - Hosts: 127.1 ok.avno7.com O1 - Hosts: 127.1 ok.avno9.com O1 - Hosts: 127.1 avno1.com O1 - Hosts: 127.1 avno3.com O1 - Hosts: 127.1 avno4.com O1 - Hosts: 127.1 aikanav.com O1 - Hosts: 127.1 link.selink.org O1 - Hosts: 127.1 www.avno6.com O1 - Hosts: 127.1 avno6.com O1 - Hosts: 127.1 4.chibbs.info O1 - Hosts: 127.1 bbs.chibbs.info O1 - Hosts: 127.1 aa.ss99.biz O1 - Hosts: 127.1 se.ss99.biz O1 - Hosts: 127.1 aa.sxlk.net O1 - Hosts: 127.1 se.sxlk99.com O1 - Hosts: 127.1 www.88xj.net O1 - Hosts: 127.1 88xj.net O1 - Hosts: 127.1 www.99xj.net O1 - Hosts: 127.1 99xj.net O1 - Hosts: 127.1 www.91semi.com O1 - Hosts: 127.1 91semi.com O1 - Hosts: 127.1 haobaidu.1122mb.com O1 - Hosts: 127.1 xiao777.za.pl O1 - Hosts: 127.1 ccavo6.avno6.com O1 - Hosts: 127.1 a.sxlk99.com O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.qq08w12.cn O1 - Hosts: 127.1 www.21xx.info O1 - Hosts: 127.1 php-1.cn O1 - Hosts: 127.1 www.v232.com O1 - Hosts: 127.1 php-2.cn O1 - Hosts: 127.1 php-3.cn O1 - Hosts: 127.1 php-4.cn O1 - Hosts: 127.1 php-5.cn O1 - Hosts: 127.1 php-6.cn O1 - Hosts: 127.1 php-7.cn O1 - Hosts: 127.1 php-8.cn O1 - Hosts: 127.1 php-9.cn O1 - Hosts: 127.1 php-10.cn O1 - Hosts: 127.1 php-11.cn O1 - Hosts: 127.1 k.5x2x.com O1 - Hosts: 127.1 a.5x2x.com O1 - Hosts: 127.1 202.108.23.205 O1 - Hosts: 127.1 60.190.218.21 O1 - Hosts: 127.1 121.14.154.195 O1 - Hosts: 127.1 218.30.82.201 O1 - Hosts: 127.1 59.34.198.48 O1 - Hosts: 127.1 121.14.154.216 O1 - Hosts: 127.1 219.152.120.237 O1 - Hosts: 127.1 121.14.154.184 O1 - Hosts: 127.1 125.67.67.201 O1 - Hosts: 127.1 222.168.102.12 O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main O4 - HKLM\..\Run: [HBService32] System.exe O4 - HKLM\..\Run: [HBService] explore.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: eskisl.dll O21 - SSODL: hultwmtu.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\hultwmtu.dll O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll O21 - SSODL: mabsowpl.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\bpoyvbfz.dll O21 - SSODL: tvxlrqso.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\tvxlrqso.dll O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll O21 - SSODL: bpoyvbfz.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\bpoyvbfz.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 8071 bytes
-
Hey Raid, I did what you said, but I zipped up the 3 .dll's first in normal mode but they were too big so I went to my email and sent them to marcin. I hope that was okay, but before I did that I successfully deleted those entries but only after I made copies to send to you. So when I verified they were gone by scanning again, I forgot i still had copies on the desktop to send to you(or actually marcin) and when I did that in normal mode and went back to safe mode, and scanned again, they were found again. So I deleted the copies and killed the entries successfully in hijackthis but others came up. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:49:50 PM, on 9/19/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\HP\KBD\KBD.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 vt0r48p760.cn O1 - Hosts: 127.1 www.1txx.com O1 - Hosts: 127.1 www.myovec.cn O1 - Hosts: 127.1 po.uc-us.cn O1 - Hosts: 127.1 219.139.83.20 O1 - Hosts: 127.1 www.msj007.cn O1 - Hosts: 127.1 www.wyf009.cn O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 59.34.148.68 O1 - Hosts: 127.1 208.43.165.86 O1 - Hosts: 127.1 208.43.166.171 O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 61.164.140.39 O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn O1 - Hosts: 127.1 cwk1237.3322.org O1 - Hosts: 127.1 www.woaigan.com O1 - Hosts: 127.1 munchkin.marketo.net O1 - Hosts: 127.1 post.marketo.net O1 - Hosts: 127.1 www.mv2z.cn O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 facaizhifuok.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 a.woaigan.com O1 - Hosts: 127.1 b.woaigan.com O1 - Hosts: 127.1 xxx.usxx.info O1 - Hosts: 127.1 alenxya.1122mb.com O1 - Hosts: 127.1 www.972se.com O1 - Hosts: 127.1 972se.com O1 - Hosts: 127.1 pic.03wyt.com O1 - Hosts: 127.1 d.03wyt.com O1 - Hosts: 127.1 xs.03wyt.com O1 - Hosts: 127.1 www.8jse.net O1 - Hosts: 127.1 8jse.net O1 - Hosts: 127.1 www.bmwtvb.cn O1 - Hosts: 127.1 www.kcuf-09.cn O1 - Hosts: 127.1 www.dvgdfg4650.com O1 - Hosts: 127.1 www.kcuf-08.cn O1 - Hosts: 127.1 www.kcuf-11.cn O1 - Hosts: 127.1 www.kcuf-12.cn O1 - Hosts: 127.1 1aa1aa.com O1 - Hosts: 127.1 xx.avno3.com O1 - Hosts: 127.1 xxx.avno5.com O1 - Hosts: 127.1 www.avno7.com O1 - Hosts: 127.1 avno7.com O1 - Hosts: 127.1 ok.avno4.com O1 - Hosts: 127.1 ok.avno5.com O1 - Hosts: 127.1 ok.avno6.com O1 - Hosts: 127.1 ok.avno7.com O1 - Hosts: 127.1 ok.avno9.com O1 - Hosts: 127.1 avno1.com O1 - Hosts: 127.1 avno3.com O1 - Hosts: 127.1 avno4.com O1 - Hosts: 127.1 aikanav.com O1 - Hosts: 127.1 link.selink.org O1 - Hosts: 127.1 www.avno6.com O1 - Hosts: 127.1 avno6.com O1 - Hosts: 127.1 4.chibbs.info O1 - Hosts: 127.1 bbs.chibbs.info O1 - Hosts: 127.1 aa.ss99.biz O1 - Hosts: 127.1 se.ss99.biz O1 - Hosts: 127.1 aa.sxlk.net O1 - Hosts: 127.1 se.sxlk99.com O1 - Hosts: 127.1 www.88xj.net O1 - Hosts: 127.1 88xj.net O1 - Hosts: 127.1 www.99xj.net O1 - Hosts: 127.1 99xj.net O1 - Hosts: 127.1 www.91semi.com O1 - Hosts: 127.1 91semi.com O1 - Hosts: 127.1 haobaidu.1122mb.com O1 - Hosts: 127.1 xiao777.za.pl O1 - Hosts: 127.1 ccavo6.avno6.com O1 - Hosts: 127.1 a.sxlk99.com O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.qq08w12.cn O1 - Hosts: 127.1 www.21xx.info O1 - Hosts: 127.1 php-1.cn O1 - Hosts: 127.1 www.v232.com O1 - Hosts: 127.1 php-2.cn O1 - Hosts: 127.1 php-3.cn O1 - Hosts: 127.1 php-4.cn O1 - Hosts: 127.1 php-5.cn O1 - Hosts: 127.1 php-6.cn O1 - Hosts: 127.1 php-7.cn O1 - Hosts: 127.1 php-8.cn O1 - Hosts: 127.1 php-9.cn O1 - Hosts: 127.1 php-10.cn O1 - Hosts: 127.1 php-11.cn O1 - Hosts: 127.1 k.5x2x.com O1 - Hosts: 127.1 a.5x2x.com O1 - Hosts: 127.1 202.108.23.205 O1 - Hosts: 127.1 60.190.218.21 O1 - Hosts: 127.1 121.14.154.195 O1 - Hosts: 127.1 218.30.82.201 O1 - Hosts: 127.1 59.34.198.48 O1 - Hosts: 127.1 121.14.154.216 O1 - Hosts: 127.1 219.152.120.237 O1 - Hosts: 127.1 121.14.154.184 O1 - Hosts: 127.1 125.67.67.201 O1 - Hosts: 127.1 222.168.102.12 O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main O4 - HKLM\..\Run: [HBService32] System.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY 3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO . dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI . dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll , HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH . dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.d l l,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dl l ,HBQJSJ.dll O21 - SSODL: hultwmtu.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\hultwmtu.dll O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll O21 - SSODL: mabsowpl.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\mabsowpl.dll O21 - SSODL: tvxlrqso.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\tvxlrqso.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 8339 bytes
-
Thanks, thats good to know. They wont be deleted.(when I try to delete them a message comes up that says "Cannot delete:"name of file": Unable to complete the requested operation because of either a catastrophic media failure or a data structure corruption on the disk." Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:18:56 PM, on 9/19/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\HP\KBD\KBD.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 vt0r48p760.cn O1 - Hosts: 127.1 www.1txx.com O1 - Hosts: 127.1 www.myovec.cn O1 - Hosts: 127.1 po.uc-us.cn O1 - Hosts: 127.1 219.139.83.20 O1 - Hosts: 127.1 www.msj007.cn O1 - Hosts: 127.1 www.wyf009.cn O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 59.34.148.68 O1 - Hosts: 127.1 208.43.165.86 O1 - Hosts: 127.1 208.43.166.171 O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 61.164.140.39 O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn O1 - Hosts: 127.1 cwk1237.3322.org O1 - Hosts: 127.1 www.woaigan.com O1 - Hosts: 127.1 munchkin.marketo.net O1 - Hosts: 127.1 post.marketo.net O1 - Hosts: 127.1 www.mv2z.cn O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 facaizhifuok.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 a.woaigan.com O1 - Hosts: 127.1 b.woaigan.com O1 - Hosts: 127.1 xxx.usxx.info O1 - Hosts: 127.1 alenxya.1122mb.com O1 - Hosts: 127.1 www.972se.com O1 - Hosts: 127.1 972se.com O1 - Hosts: 127.1 pic.03wyt.com O1 - Hosts: 127.1 d.03wyt.com O1 - Hosts: 127.1 xs.03wyt.com O1 - Hosts: 127.1 www.8jse.net O1 - Hosts: 127.1 8jse.net O1 - Hosts: 127.1 www.bmwtvb.cn O1 - Hosts: 127.1 www.kcuf-09.cn O1 - Hosts: 127.1 www.dvgdfg4650.com O1 - Hosts: 127.1 www.kcuf-08.cn O1 - Hosts: 127.1 www.kcuf-11.cn O1 - Hosts: 127.1 www.kcuf-12.cn O1 - Hosts: 127.1 1aa1aa.com O1 - Hosts: 127.1 xx.avno3.com O1 - Hosts: 127.1 xxx.avno5.com O1 - Hosts: 127.1 www.avno7.com O1 - Hosts: 127.1 avno7.com O1 - Hosts: 127.1 ok.avno4.com O1 - Hosts: 127.1 ok.avno5.com O1 - Hosts: 127.1 ok.avno6.com O1 - Hosts: 127.1 ok.avno7.com O1 - Hosts: 127.1 ok.avno9.com O1 - Hosts: 127.1 avno1.com O1 - Hosts: 127.1 avno3.com O1 - Hosts: 127.1 avno4.com O1 - Hosts: 127.1 aikanav.com O1 - Hosts: 127.1 link.selink.org O1 - Hosts: 127.1 www.avno6.com O1 - Hosts: 127.1 avno6.com O1 - Hosts: 127.1 4.chibbs.info O1 - Hosts: 127.1 bbs.chibbs.info O1 - Hosts: 127.1 aa.ss99.biz O1 - Hosts: 127.1 se.ss99.biz O1 - Hosts: 127.1 aa.sxlk.net O1 - Hosts: 127.1 se.sxlk99.com O1 - Hosts: 127.1 www.88xj.net O1 - Hosts: 127.1 88xj.net O1 - Hosts: 127.1 www.99xj.net O1 - Hosts: 127.1 99xj.net O1 - Hosts: 127.1 www.91semi.com O1 - Hosts: 127.1 91semi.com O1 - Hosts: 127.1 haobaidu.1122mb.com O1 - Hosts: 127.1 xiao777.za.pl O1 - Hosts: 127.1 ccavo6.avno6.com O1 - Hosts: 127.1 a.sxlk99.com O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.qq08w12.cn O1 - Hosts: 127.1 www.21xx.info O1 - Hosts: 127.1 php-1.cn O1 - Hosts: 127.1 www.v232.com O1 - Hosts: 127.1 php-2.cn O1 - Hosts: 127.1 php-3.cn O1 - Hosts: 127.1 php-4.cn O1 - Hosts: 127.1 php-5.cn O1 - Hosts: 127.1 php-6.cn O1 - Hosts: 127.1 php-7.cn O1 - Hosts: 127.1 php-8.cn O1 - Hosts: 127.1 php-9.cn O1 - Hosts: 127.1 php-10.cn O1 - Hosts: 127.1 php-11.cn O1 - Hosts: 127.1 k.5x2x.com O1 - Hosts: 127.1 a.5x2x.com O1 - Hosts: 127.1 202.108.23.205 O1 - Hosts: 127.1 60.190.218.21 O1 - Hosts: 127.1 121.14.154.195 O1 - Hosts: 127.1 218.30.82.201 O1 - Hosts: 127.1 59.34.198.48 O1 - Hosts: 127.1 121.14.154.216 O1 - Hosts: 127.1 219.152.120.237 O1 - Hosts: 127.1 121.14.154.184 O1 - Hosts: 127.1 125.67.67.201 O1 - Hosts: 127.1 222.168.102.12 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main O4 - HKLM\..\Run: [HBService32] System.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll,HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBF S2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.d l l,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL. d ll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.d l l,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2 . dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX . dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dl l ,HBJTLQ.dll,HBQJSJ.dll O21 - SSODL: mabsowpl.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\mabsowpl.dll O21 - SSODL: tvxlrqso.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\tvxlrqso.dll O21 - SSODL: jfktyugq.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\jfktyugq.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 7993 bytes O4 - HKLM\..\Run: [HBService] explore.exe was missing so I couldnt fix it The computer is running fine, the internet connection is a little slower though
-
Thank God, MBAM Malwarebytes' Anti-Malware 1.28 Database version: 1166 Windows 5.1.2600 Service Pack 1 9/17/2008 8:03:00 PM mbam-log-2008-09-17 (20-03-00).txt Scan type: Quick Scan Objects scanned: 53917 Time elapsed: 9 minute(s), 23 second(s) Memory Processes Infected: 1 Memory Modules Infected: 1 Registry Keys Infected: 6 Registry Values Infected: 4 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 30 Memory Processes Infected: C:\WINDOWS\system32\explore.exe (Backdoor.Bot) -> Unloaded process successfully. Memory Modules Infected: C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot. Registry Keys Infected: HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel (Rootkit.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cryptographic service (Worm.Padobot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DesktopWin (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\qsqnt.exe (Worm.Padobot) -> Quarantined and deleted successfully. C:\WINDOWS\sysocmgr.dll (Trojan.Small) -> Delete on reboot. C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\system32\ftpupd.exe (Worm.Padobot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mcromv.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qxfel.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wllame.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\QQ_Update.cab (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot. C:\Documents and Settings\David\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1L5UBF9R\1b[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1L5UBF9R\b[1].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4RM1I1MF\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHQVWPMB\23[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHQVWPMB\d[1].gif (Virus.Alman) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\STUVKXMB\28[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W1QVSXAR\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\7K6KNQ36\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\UY2VUD1C\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\explore.exe (Backdoor.Bot) -> Delete on reboot. C:\WINDOWS\system32\lweurqhx.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\comuidsg.dll (Spyware.OnlineGames) -> Delete on reboot. C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot. C:\Documents and Settings\Owner\Local Settings\Temp\dat6D.tmp (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\HBKernel.sys (Rootkit.OnlineGames) -> Delete on reboot. HIJACKTHIS Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:07:35 PM, on 9/17/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\HP\KBD\KBD.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 vt0r48p760.cn O1 - Hosts: 127.1 www.1txx.com O1 - Hosts: 127.1 www.myovec.cn O1 - Hosts: 127.1 po.uc-us.cn O1 - Hosts: 127.1 219.139.83.20 O1 - Hosts: 127.1 www.msj007.cn O1 - Hosts: 127.1 www.wyf009.cn O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 59.34.148.68 O1 - Hosts: 127.1 208.43.165.86 O1 - Hosts: 127.1 208.43.166.171 O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 61.164.140.39 O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn O1 - Hosts: 127.1 cwk1237.3322.org O1 - Hosts: 127.1 www.woaigan.com O1 - Hosts: 127.1 munchkin.marketo.net O1 - Hosts: 127.1 post.marketo.net O1 - Hosts: 127.1 www.mv2z.cn O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 facaizhifuok.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 a.woaigan.com O1 - Hosts: 127.1 b.woaigan.com O1 - Hosts: 127.1 xxx.usxx.info O1 - Hosts: 127.1 alenxya.1122mb.com O1 - Hosts: 127.1 www.972se.com O1 - Hosts: 127.1 972se.com O1 - Hosts: 127.1 pic.03wyt.com O1 - Hosts: 127.1 d.03wyt.com O1 - Hosts: 127.1 xs.03wyt.com O1 - Hosts: 127.1 www.8jse.net O1 - Hosts: 127.1 8jse.net O1 - Hosts: 127.1 www.bmwtvb.cn O1 - Hosts: 127.1 www.kcuf-09.cn O1 - Hosts: 127.1 www.dvgdfg4650.com O1 - Hosts: 127.1 www.kcuf-08.cn O1 - Hosts: 127.1 www.kcuf-11.cn O1 - Hosts: 127.1 www.kcuf-12.cn O1 - Hosts: 127.1 1aa1aa.com O1 - Hosts: 127.1 xx.avno3.com O1 - Hosts: 127.1 xxx.avno5.com O1 - Hosts: 127.1 www.avno7.com O1 - Hosts: 127.1 avno7.com O1 - Hosts: 127.1 ok.avno4.com O1 - Hosts: 127.1 ok.avno5.com O1 - Hosts: 127.1 ok.avno6.com O1 - Hosts: 127.1 ok.avno7.com O1 - Hosts: 127.1 ok.avno9.com O1 - Hosts: 127.1 avno1.com O1 - Hosts: 127.1 avno3.com O1 - Hosts: 127.1 avno4.com O1 - Hosts: 127.1 aikanav.com O1 - Hosts: 127.1 link.selink.org O1 - Hosts: 127.1 www.avno6.com O1 - Hosts: 127.1 avno6.com O1 - Hosts: 127.1 4.chibbs.info O1 - Hosts: 127.1 bbs.chibbs.info O1 - Hosts: 127.1 aa.ss99.biz O1 - Hosts: 127.1 se.ss99.biz O1 - Hosts: 127.1 aa.sxlk.net O1 - Hosts: 127.1 se.sxlk99.com O1 - Hosts: 127.1 www.88xj.net O1 - Hosts: 127.1 88xj.net O1 - Hosts: 127.1 www.99xj.net O1 - Hosts: 127.1 99xj.net O1 - Hosts: 127.1 www.91semi.com O1 - Hosts: 127.1 91semi.com O1 - Hosts: 127.1 haobaidu.1122mb.com O1 - Hosts: 127.1 xiao777.za.pl O1 - Hosts: 127.1 ccavo6.avno6.com O1 - Hosts: 127.1 a.sxlk99.com O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.qq08w12.cn O1 - Hosts: 127.1 www.21xx.info O1 - Hosts: 127.1 php-1.cn O1 - Hosts: 127.1 www.v232.com O1 - Hosts: 127.1 php-2.cn O1 - Hosts: 127.1 php-3.cn O1 - Hosts: 127.1 php-4.cn O1 - Hosts: 127.1 php-5.cn O1 - Hosts: 127.1 php-6.cn O1 - Hosts: 127.1 php-7.cn O1 - Hosts: 127.1 php-8.cn O1 - Hosts: 127.1 php-9.cn O1 - Hosts: 127.1 php-10.cn O1 - Hosts: 127.1 php-11.cn O1 - Hosts: 127.1 k.5x2x.com O1 - Hosts: 127.1 a.5x2x.com O1 - Hosts: 127.1 202.108.23.205 O1 - Hosts: 127.1 60.190.218.21 O1 - Hosts: 127.1 121.14.154.195 O1 - Hosts: 127.1 218.30.82.201 O1 - Hosts: 127.1 59.34.198.48 O1 - Hosts: 127.1 121.14.154.216 O1 - Hosts: 127.1 219.152.120.237 O1 - Hosts: 127.1 121.14.154.184 O1 - Hosts: 127.1 125.67.67.201 O1 - Hosts: 127.1 222.168.102.12 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [HBService32] System.exe O4 - HKLM\..\Run: [HBService] explore.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: eskisl.dll mcromv.dll mduaey.dll lensch.dll comboaus.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - C:\WINDOWS\System32\comuidsg.dll (file missing) O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll O21 - SSODL: nwapi32dj.dll - {A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} - C:\WINDOWS\System32\nwapi32dj.dll O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll (file missing) O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 7912 bytes Also, I just noticed in c:, theres a new folder titled "avenger". I thought at first, maybe thats something you told me to create days/weeks ago that I had forgot about. So i went into the folder and found HBmhly.dll that was created on 9/16 and an app named "system" that was created 9/15. Should they be deleted? Edit: today I noticed in the "avenger" folder, 2 new files have been created: HBmhly.dll-ren-946 and System.exe-ren-942. Once again should I go ahead and try to delete these manually?
-
It is running fine. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:42:30 PM, on 9/17/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\HP\KBD\KBD.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\explore.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ O1 - Hosts: 127.1 localhost O1 - Hosts: 127.1 vt0r48p760.cn O1 - Hosts: 127.1 www.1txx.com O1 - Hosts: 127.1 www.myovec.cn O1 - Hosts: 127.1 po.uc-us.cn O1 - Hosts: 127.1 219.139.83.20 O1 - Hosts: 127.1 www.msj007.cn O1 - Hosts: 127.1 www.wyf009.cn O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 59.34.148.68 O1 - Hosts: 127.1 208.43.165.86 O1 - Hosts: 127.1 208.43.166.171 O1 - Hosts: 127.1 219.153.71.185 O1 - Hosts: 127.1 61.164.140.39 O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn O1 - Hosts: 127.1 cwk1237.3322.org O1 - Hosts: 127.1 www.woaigan.com O1 - Hosts: 127.1 munchkin.marketo.net O1 - Hosts: 127.1 post.marketo.net O1 - Hosts: 127.1 www.mv2z.cn O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.wq9q.cn O1 - Hosts: 127.1 facaizhifuok.cn O1 - Hosts: 127.1 www.wo9188.cn O1 - Hosts: 127.1 a.woaigan.com O1 - Hosts: 127.1 b.woaigan.com O1 - Hosts: 127.1 xxx.usxx.info O1 - Hosts: 127.1 alenxya.1122mb.com O1 - Hosts: 127.1 www.972se.com O1 - Hosts: 127.1 972se.com O1 - Hosts: 127.1 pic.03wyt.com O1 - Hosts: 127.1 d.03wyt.com O1 - Hosts: 127.1 xs.03wyt.com O1 - Hosts: 127.1 www.8jse.net O1 - Hosts: 127.1 8jse.net O1 - Hosts: 127.1 www.bmwtvb.cn O1 - Hosts: 127.1 www.kcuf-09.cn O1 - Hosts: 127.1 www.dvgdfg4650.com O1 - Hosts: 127.1 www.kcuf-08.cn O1 - Hosts: 127.1 www.kcuf-11.cn O1 - Hosts: 127.1 www.kcuf-12.cn O1 - Hosts: 127.1 1aa1aa.com O1 - Hosts: 127.1 xx.avno3.com O1 - Hosts: 127.1 xxx.avno5.com O1 - Hosts: 127.1 www.avno7.com O1 - Hosts: 127.1 avno7.com O1 - Hosts: 127.1 ok.avno4.com O1 - Hosts: 127.1 ok.avno5.com O1 - Hosts: 127.1 ok.avno6.com O1 - Hosts: 127.1 ok.avno7.com O1 - Hosts: 127.1 ok.avno9.com O1 - Hosts: 127.1 avno1.com O1 - Hosts: 127.1 avno3.com O1 - Hosts: 127.1 avno4.com O1 - Hosts: 127.1 aikanav.com O1 - Hosts: 127.1 link.selink.org O1 - Hosts: 127.1 www.avno6.com O1 - Hosts: 127.1 avno6.com O1 - Hosts: 127.1 4.chibbs.info O1 - Hosts: 127.1 bbs.chibbs.info O1 - Hosts: 127.1 aa.ss99.biz O1 - Hosts: 127.1 se.ss99.biz O1 - Hosts: 127.1 aa.sxlk.net O1 - Hosts: 127.1 se.sxlk99.com O1 - Hosts: 127.1 www.88xj.net O1 - Hosts: 127.1 88xj.net O1 - Hosts: 127.1 www.99xj.net O1 - Hosts: 127.1 99xj.net O1 - Hosts: 127.1 www.91semi.com O1 - Hosts: 127.1 91semi.com O1 - Hosts: 127.1 haobaidu.1122mb.com O1 - Hosts: 127.1 xiao777.za.pl O1 - Hosts: 127.1 ccavo6.avno6.com O1 - Hosts: 127.1 a.sxlk99.com O1 - Hosts: 127.1 www.91vva.cn O1 - Hosts: 127.1 www.qq08w12.cn O1 - Hosts: 127.1 www.21xx.info O1 - Hosts: 127.1 php-1.cn O1 - Hosts: 127.1 www.v232.com O1 - Hosts: 127.1 php-2.cn O1 - Hosts: 127.1 php-3.cn O1 - Hosts: 127.1 php-4.cn O1 - Hosts: 127.1 php-5.cn O1 - Hosts: 127.1 php-6.cn O1 - Hosts: 127.1 php-7.cn O1 - Hosts: 127.1 php-8.cn O1 - Hosts: 127.1 php-9.cn O1 - Hosts: 127.1 php-10.cn O1 - Hosts: 127.1 php-11.cn O1 - Hosts: 127.1 k.5x2x.com O1 - Hosts: 127.1 a.5x2x.com O1 - Hosts: 127.1 202.108.23.205 O1 - Hosts: 127.1 60.190.218.21 O1 - Hosts: 127.1 121.14.154.195 O1 - Hosts: 127.1 218.30.82.201 O1 - Hosts: 127.1 59.34.198.48 O1 - Hosts: 127.1 121.14.154.216 O1 - Hosts: 127.1 219.152.120.237 O1 - Hosts: 127.1 121.14.154.184 O1 - Hosts: 127.1 125.67.67.201 O1 - Hosts: 127.1 222.168.102.12 O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main O4 - HKLM\..\Run: [HBService32] System.exe O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qsqnt.exe O4 - HKLM\..\Run: [HBService] explore.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203 O20 - AppInit_DLLs: aaa.dll,HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2. dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll, H BASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll , HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll, H BHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dl l ,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dl l ,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,H B JTLQ.dll,HBQJSJ.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 7928 bytes
-
;******************************************************************************* ******************************************************************************** * ******************* ANALYSIS: 2008-09-14 20:45:28 PROTECTIONS: 0 MALWARE: 10 SUSPECTS: 29 ;******************************************************************************* ******************************************************************************** * ******************* PROTECTIONS Description Version Active Updated ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=============================================================================== ================================================================================ = =================== 02943497 Bck/DService.TK Virus/Trojan No 1 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_winhtb[2].exe 03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Image-Line\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll 03162704 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\update[1].gif 03162704 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GOY3AKKJ\update[1].gif 03162704 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\update[2].gif 03162704 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\WINDOWS\Temp\QQ_Update.cab 03215283 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\WINDOWS\AppPatch\DesktopWin.dll 03215284 Trj/Agent.JBH Virus/Trojan Yes 1 Yes No C:\WINDOWS\AppPatch\AclLayer.dll 03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\abb[2].gif 03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll 03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\abb[1].gif 03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\WINDOWS\Temp\wmsetup.dll 03238426 Trj/Downloader.UCP Virus/Trojan Yes 1 Yes No C:\DOCUME~1\Owner\LOCALS~1\Temp\wmsetup.dll 03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4RM1I1MF\abb[1].gif 03429845 Bck/Hupigon.AZG Virus/Trojan No 1 Yes No C:\Program Files\Image-Line\Toxic Biohazard\Toxic Biohazard.dll 03520282 Trj/Lineage.JOC Virus/Trojan No 1 Yes No C:\WINDOWS\system32\kandaof.dll 03625206 W32/Lineage.JSB.worm Virus/Trojan No 1 Yes No C:\WINDOWS\system32\micsus.dll 03667267 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\cupops.dll ;=============================================================================== ================================================================================ = =================== SUSPECTS Sent Location T\ts5 ;=============================================================================== ================================================================================ = =================== No C:\hp\bin\KillIt.exe T\ts5 No C:\Program Files\TrojanHunter 5.0\THSec.dll T\ts5 No D:\MiniNT\system32\userinit.exe T\ts5 No D:\MiniNT\system32\xcopy.exe T\ts5 No D:\MiniNT\system32\attrib.exe T\ts5 No D:\MiniNT\system32\Bootini.exe T\ts5 No D:\MiniNT\system32\chkdsk.exe T\ts5 No D:\MiniNT\system32\clipsrv.exe T\ts5 No D:\MiniNT\system32\cmd.exe T\ts5 No D:\MiniNT\system32\cmd2.exe T\ts5 No D:\MiniNT\system32\DblRes.exe T\ts5 No D:\MiniNT\system32\DskPart.exe T\ts5 No D:\MiniNT\system32\Eject.exe T\ts5 No D:\MiniNT\system32\expand.exe T\ts5 No D:\MiniNT\system32\factory.exe T\ts5 No D:\MiniNT\system32\FATFMT32.EXE T\ts5 No D:\MiniNT\system32\ipconfig.exe T\ts5 No D:\MiniNT\system32\LABEL.EXE T\ts5 No D:\MiniNT\system32\locator.exe T\ts5 No D:\MiniNT\system32\net.exe T\ts5 No D:\MiniNT\system32\net1.exe T\ts5 No D:\MiniNT\system32\notepad.exe T\ts5 No D:\MiniNT\system32\PAGEFILE.EXE T\ts5 No D:\MiniNT\system32\pentnt.exe T\ts5 No D:\MiniNT\system32\ping.exe T\ts5 No D:\MiniNT\system32\RPONOFF.EXE T\ts5 No D:\MiniNT\system32\services.exe T\ts5 No D:\MiniNT\system32\setup.exe T\ts5 No D:\MiniNT\system32\spoolsv.exe T\ts5 ;=============================================================================== ================================================================================ = =================== VULNERABILITIES Id Severity Description T\ts5 ;=============================================================================== ================================================================================ = =================== 133387 MEDIUM MS06-065 T\ts5 133386 MEDIUM MS06-064 T\ts5 133385 MEDIUM MS06-063 T\ts5 133379 HIGH MS06-057 T\ts5 131654 HIGH MS06-055 T\ts5 129977 MEDIUM MS06-053 T\ts5 129976 MEDIUM MS06-052 T\ts5 126093 HIGH MS06-051 T\ts5 126092 MEDIUM MS06-050 T\ts5 126087 HIGH MS06-046 T\ts5 126086 MEDIUM MS06-045 T\ts5 126083 HIGH MS06-042 T\ts5 126082 HIGH MS06-041 T\ts5 126081 HIGH MS06-040 T\ts5 123421 HIGH MS06-036 T\ts5 123420 HIGH MS06-035 T\ts5 120825 MEDIUM MS06-032 T\ts5 120823 MEDIUM MS06-030 T\ts5 120818 HIGH MS06-025 T\ts5 120815 HIGH MS06-022 T\ts5 120814 HIGH MS06-021 T\ts5 117384 MEDIUM MS06-018 T\ts5 114666 HIGH MS06-015 T\ts5 114664 HIGH MS06-013 T\ts5 111790 MEDIUM MS06-011 T\ts5 108744 MEDIUM MS06-008 T\ts5 108743 MEDIUM MS06-007 T\ts5 108742 MEDIUM MS06-006 T\ts5 104567 HIGH MS06-002 T\ts5 104237 HIGH MS06-001 T\ts5 101055 HIGH MS05-054 T\ts5 96574 HIGH MS05-053 T\ts5 93396 HIGH MS05-052 T\ts5 93395 HIGH MS05-051 T\ts5 93394 HIGH MS05-050 T\ts5 93454 MEDIUM MS05-049 T\ts5 ;=============================================================================== ================================================================================ = =================== GMER found nothing again