WGMJR Posted September 28, 2007 ID:8494 Share Posted September 28, 2007 I have this thing popping up and re-routing my browser, actually the title is wrong, its Winantispyware 2007. I have ran several different things to try and get rid of it, but nothing works. I am also showing a vundo virus when I run AntispywareBot, it picks it up, nd it acts like its getting rid of it, but I scan again and there it is again.. I have ran RogueRemover Pro, and it is not finding anything. I have ran Spyware Blaster, it finds nothing. This thing is even affecting my keystrokes. Anybody help please? I have Mcafee, and its up to date also. None of my protection is killing this thing. I'm kind of a noob when it comes to getting rid of these things, so you may have to walk me through any advice. ThanksHere is a Panda Scan Report if this helpsIncident Status Location Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10000.qit Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10001.qit Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10003.qit Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10004.qit Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10006.qit Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10007.qit Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10008.qit Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10009.qit Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\11968.qit Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\11969.qit Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10000.qit Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10001.qit Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10002.qit Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10003.qit Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10004.qit Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10005.qit Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10006.qit Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10007.qit Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-47-33\10031.qit Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-16-49-22\10037.qit Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-16-49-22\10038.qit Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Walt\Cookies\walt@2o7[2].txt Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Walt\Cookies\walt@clickbank[1].txt Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Walt\Cookies\walt@clickbank[2].txt Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Walt\Cookies\walt@clickbank[3].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Walt\Cookies\walt@server.iad.liveperson[1].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Walt\Cookies\walt@statcounter[1].txt Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Walt\Cookies\walt@stats1.reliablestats[1].txt Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Walt\Cookies\walt@systemdoctor[1].txt Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Cookies\walt@www.winantiviruspro[2].txt Adware:Adware/WinAntiSpyware Not disinfected C:\Documents and Settings\Walt\Local Settings\Temporary Internet Files\Content.IE5\ZJ9Y75H6\WinAntiSpyware2007FreeInstall[1].exe Link to post Share on other sites More sharing options...
JeanInMontana Posted September 29, 2007 ID:8498 Share Posted September 29, 2007 Hi there and welcome to Malwarebytes. SpywareBlaster is not a removal program. It is a site blocking program and one you should keep. If you can, uninstall AntispywareBot from your add/remove programs. This is a known rogue program and bad. You must have a new version because it should get removed by RogueRemover. Please follow the directions below carefully.Please get these programs, update and run a complete scan removing all items found.Spybot Search & Destroy Be sure to use the immunize feature.AVG AntiSpyware Be sure to "take action"Post the logs from the AVG scan please, along with a log from this program HiJack This! You will post two logs. 1. AVG scan. 2. HiJack This scan. You will finish the AVG first so go ahead and post that log, then with all programs and browsers closed run HiJack This and post that scan.I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures. Link to post Share on other sites More sharing options...
WGMJR Posted September 29, 2007 Author ID:8502 Share Posted September 29, 2007 Thanks so much for your help. First, before I run Search and Destroy, I tried uninstalling Anspywarebot, and it won't let me. I went into Remove Programs and went in through the c drive, no luck either way. Also it is published by 2Squared, and it is version 1.5I ran the AVG Antispyware, I clicked on generate a report for every scan, but I got noreport, and I cannot figure out how to get it. It found 22 meium risk cookies. The S&D did recognize the AntispywareBot and I think it got rid of it, its not in Add/Remove Programs or in my C drive, but it still shows up when I click Start and Programs, I'm afraid to click on it, I don't want to bring it back in if it is out. I'll ess with the AVG some more and see if I can figure out how to get a log. In the mean time here is the HiJackthis log you asked for.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:53:24 AM, on 9/29/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\program files\common files\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\McAfee\MSK\MskSrver.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\ehome\RMSvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\McAfee.com\Agent\mcagent.exeC:\WINDOWS\ehome\ehtray.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\MarkAny\ContentSafer\MAAgent.exeC:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exeC:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exeC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearchIndexer.exeC:\WINDOWS\system32\dllhost.exeC:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\explorer.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com' rel="external nofollow">http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com'>http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com' rel="external nofollow">http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com'>http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhostR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dllO3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [POINTER] point32.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exeO4 - HKLM\..\Run: [sMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exeO4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkeyO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exeO4 - HKLM\..\Run: [searchIndexer] rundll32.exe "C:\WINDOWS\system32\dymvscda.dll",sitypnowO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exeO8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.htmlO8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htmO8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/229?210ad2f1d4a418fbfe0c2f667f3363cO8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/230?210ad2f1d4a418fbfe0c2f667f3363cO8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htmO8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exeO9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exeO9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Absolute Poker\PartyPoker\RunApp.exe (file missing)O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Absolute Poker\PartyPoker\RunApp.exe (file missing)O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Program Files\PokermMPP\MPPoker.exe (file missing)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice.com/Ve...stallHelper.cabO16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cabO16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.gamingclubpoker.com/download_helper/Nyoko.cabO16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cabO16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocxO16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cabO16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135346064623O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cabO16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cabO16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cabO16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/controls/msnchat45.cabO23 - Service: McAfee Application Installer Cleanup (0099491191071622) (0099491191071622mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP09949~1.EXEO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeO23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe--End of file - 15132 bytes Link to post Share on other sites More sharing options...
WGMJR Posted September 29, 2007 Author ID:8503 Share Posted September 29, 2007 Heres the AVG---------------------------------------------------------AVG Anti-Spyware - Scan Report--------------------------------------------------------- + Created at: 12:00:26 PM 9/29/2007 + Scan result: C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10004.qit -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10005.qit -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Walt\Cookies\walt@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Walt\Cookies\walt@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Walt\Cookies\walt@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10000.qit -> TrackingCookie.Advertising : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10000.qit -> TrackingCookie.Advertising : Cleaned.C:\Documents and Settings\Walt\Cookies\walt@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.C:\Documents and Settings\Walt\Cookies\walt@clickbank[3].txt -> TrackingCookie.Clickbank : Cleaned.C:\Documents and Settings\Walt\Cookies\walt@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.C:\Documents and Settings\Walt\Cookies\walt@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10001.qit -> TrackingCookie.Mediaplex : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10001.qit -> TrackingCookie.Mediaplex : Cleaned.C:\Documents and Settings\Walt\Cookies\walt@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10002.qit -> TrackingCookie.Pointroll : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-16-49-22\10037.qit -> TrackingCookie.Pointroll : Cleaned.C:\Documents and Settings\Walt\Cookies\walt@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.C:\Documents and Settings\MCX1\Cookies\walt@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10002.qit -> TrackingCookie.Webtrends : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10003.qit -> TrackingCookie.Webtrendslive : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10006.qit -> TrackingCookie.Yieldmanager : Cleaned.C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10003.qit -> TrackingCookie.Yieldmanager : Cleaned.::Report end Link to post Share on other sites More sharing options...
JeanInMontana Posted September 29, 2007 ID:8505 Share Posted September 29, 2007 OK Please follow these instructions carefully and in the order written.Uninstall (if possible) UltimateBet.exeRun HJT scan only and put a check next to all of these:O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Program Files\PokermMPP\MPPoker.exe (file missing)O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exeO9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exeO9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Absolute Poker\PartyPoker\RunApp.exe (file missing)O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Absolute Poker\PartyPoker\RunApp.exe (file missing)Now please get this program below, follow the directions carefully.VundoFix.exe PDF Print E-mailWritten by Atribune Feb 03, 2006 at 03:58 PMVundoFix.exe is a removal tool developed to remove Virtumonde infections. To use the tool follow the instrctions below.Please download VundoFix.exe to your desktop. http://www.atribune.org/ccount/click.php?id=4 * Double-click VundoFix.exe to run it. * When VundoFix re-opens, click the Scan for Vundo button. * Once it's done scanning, click the Remove Vundo button. * You will receive a prompt asking if you want to remove the files, click YES * Once you click yes, your desktop will go blank as it starts removing Vundo. * When completed, it will prompt that it will reboot your computer, click OK. Note: It is possible that VundoFix encountered a file it could not remove.In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click theScan for Vundo button." when VundoFix appears at reboot.Last Updated ( Aug 14, 2006 at 10:47 PM )Reboot and post a fresh HJT log for me. Link to post Share on other sites More sharing options...
WGMJR Posted September 29, 2007 Author ID:8510 Share Posted September 29, 2007 Ok, did everything you asked, but Spybot S & D popped up a few times saying something about some files changing as I was trying to get rid of the vundo files. I went ahead and allowed the change thinking it might be the vundofix scan I was running. It rebooted, the vundofix didn't try to run again, and I seemed to get back to this sight with ease, no re-routing, or messed up keystrokes or scroll. Heres the HJT file you asked for. By the way, why did I have to delete my poker sites??Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:31:24 PM, on 9/29/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\program files\common files\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\McAfee\MSK\MskSrver.exeC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\WINDOWS\ehome\RMSvc.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\PROGRA~1\McAfee.com\Agent\mcagent.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\MarkAny\ContentSafer\MAAgent.exeC:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exeC:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com' rel="external nofollow">http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com'>http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com' rel="external nofollow">http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com'>http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhostR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dllO3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [POINTER] point32.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exeO4 - HKLM\..\Run: [sMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exeO4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkeyO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exeO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exeO8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.htmlO8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htmO8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/229?210ad2f1d4a418fbfe0c2f667f3363cO8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/230?210ad2f1d4a418fbfe0c2f667f3363cO8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htmO8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice.com/Ve...stallHelper.cabO16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cabO16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.gamingclubpoker.com/download_helper/Nyoko.cabO16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cabO16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocxO16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cabO16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135346064623O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cabO16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cabO16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cabO16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/controls/msnchat45.cabO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeO23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe--End of file - 13496 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted September 30, 2007 ID:8517 Share Posted September 30, 2007 Hi again. If you notice for most of your poker games the file was missing, most likely removed by a malware scan of some sort. These games are probably how you got infected. We missed one here:O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.gamingclubpoker.com/download_helper/Nyoko.cabThere should have been a log from the Vundo fix also. Look for it on C:\ Vundo.txt Please post that.Spybot Search & Destroy has a feature called Tea Timer, it is a tool for monitoring changes to your system and that is what was giving you the alerts. You can turn it off if you don't want the messages. However, it is a good thing to have for prevention and it will help you learn what is being changed by what in your system. You seem to keep getting yourself infected and as you were advised back in June by TheRock247uk here http://www.malwarebytes.org/forums/index.php?showtopic=1667 you should have some sort of protection and use more caution installing things. LOLLet's have a look at the Vundo log and some final instructions. Link to post Share on other sites More sharing options...
WGMJR Posted September 30, 2007 Author ID:8518 Share Posted September 30, 2007 Here you areVundoFix V6.5.9Checking Java version...Java version is 1.4.2.3Old versions of java are exploitable and should be removed.Java version is 1.5.0.6Old versions of java are exploitable and should be removed.Java version is 1.5.0.9Old versions of java are exploitable and should be removed.Java version is 1.5.0.10Java version is 1.5.0.11Scan started at 4:19:01 PM 9/29/2007Listing files found while scanning....C:\WINDOWS\system32\adcsvmyd.iniC:\WINDOWS\system32\dymvscda.dllBeginning removal... Attempting to delete C:\WINDOWS\system32\adcsvmyd.iniC:\WINDOWS\system32\adcsvmyd.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\dymvscda.dllC:\WINDOWS\system32\dymvscda.dll Has been deleted!Performing Repairs to the registry.Done!VundoFix V6.5.9Checking Java version...Java version is 1.4.2.3Old versions of java are exploitable and should be removed.Java version is 1.5.0.6Old versions of java are exploitable and should be removed.Java version is 1.5.0.9Old versions of java are exploitable and should be removed.Java version is 1.5.0.10Java version is 1.5.0.11Scan started at 9:58:31 AM 9/30/2007Listing files found while scanning....C:\WINDOWS\system32\oenvepir.dllC:\WINDOWS\system32\ripevneo.iniBeginning removal... Attempting to delete C:\WINDOWS\system32\oenvepir.dllC:\WINDOWS\system32\oenvepir.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\ripevneo.iniC:\WINDOWS\system32\ripevneo.ini Has been deleted!Performing Repairs to the registry.Done!VundoFix V6.5.9Checking Java version...Java version is 1.4.2.3Old versions of java are exploitable and should be removed.Java version is 1.5.0.6Old versions of java are exploitable and should be removed.Java version is 1.5.0.9Old versions of java are exploitable and should be removed.Java version is 1.5.0.10Java version is 1.5.0.11Scan started at 10:09:22 AM 9/30/2007Listing files found while scanning....VundoFix V6.5.9Checking Java version...Java version is 1.4.2.3Old versions of java are exploitable and should be removed.Java version is 1.5.0.6Old versions of java are exploitable and should be removed.Java version is 1.5.0.9Old versions of java are exploitable and should be removed.Java version is 1.5.0.10Java version is 1.5.0.11Scan started at 10:12:09 AM 9/30/2007Listing files found while scanning....No infected files were found.I had to re-run VundoFix this morning, I was getting re-routed again and my keystrokes were messed up. This time it wanted to reboot after initially finding the same 2 files it found yesterday. So when it rebooted it never came up, so I ran it again, the second time I ran it, it had the file in there that it could't get rid of the first time. So far everything seems ok, but I still thnk I'm infected, just by my keystrokes and how slow my computer is responding. If your wondering why keep getting infected, its my 15 year old son, he is not the brightest bulb on the tree, and sometimes gets tricked into clicking on things he shouldn't. This is the 3rd time he has infected my computer in 6 months. I have Mcafee, even though I'm not real impressed with it, I'm comfortable with it. I have several different programs for protection, but when you invite someone in, none of it is any good. I really appreciate your help, without it I would be throwing this thing through a window. Yep, I keep having to go back and re-type things, my keystrokes are still messing up. Link to post Share on other sites More sharing options...
JeanInMontana Posted October 1, 2007 ID:8525 Share Posted October 1, 2007 Oh the joys of 15 year olds. These miscreants target kids too and it is so wrong. What you can do is make sure Jr is using an account that does not have administrative capabilities. Then nothing can be installed without you having a say. That includes malware that can be gotten from just visiting a bad site. It is possible that is what is happening right now. You have an outdated exploitable version of Java. Please uninstall all versions of Java you have in Add/Remove programs, and delete the program files also. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the off line installation. This could be causing you to be reinfected.Be sure you have the system set to show hidden files and folders also. Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.Then let's run this http://www.techsupportforum.com/sect...s/ComboFix.exe Make sure you don't click the program during the scan. Please post the log when the scan finishes. Link to post Share on other sites More sharing options...
WGMJR Posted October 1, 2007 Author ID:8528 Share Posted October 1, 2007 The link at the bottom is not working, it says website not found. I did everything up to that point. Link to post Share on other sites More sharing options...
JeanInMontana Posted October 1, 2007 ID:8529 Share Posted October 1, 2007 http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe I had to right click this link and choose save as to get it to download without a "page not found" error. So pick your desktop and save it there. Link to post Share on other sites More sharing options...
WGMJR Posted October 2, 2007 Author ID:8536 Share Posted October 2, 2007 Ok, I'm sorry for being such a pain in the rear, but here goes. I was running this combofix, and everything is going fine, it starts deleting infected files, then it gets to a certain file...C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10000.qit I let it delete this file for a long time, but the last 5 numbers and last 3 letters just kept changing. I let it go to 11500, the last letters were changing from qit to qnf. I think it was regenerating itself as it was being deleted...??? I went in and looked at it, and it didn't go to 11500, but as I was deleting it, it just kept on climbing. Was I wrong to stop? I don't think it was ever going to end. Is it possible it was rewriting itself? What should I do? Link to post Share on other sites More sharing options...
JeanInMontana Posted October 2, 2007 ID:8540 Share Posted October 2, 2007 Find that folder and delete it. It is a left over from uninstalling the program. I would do a file search for Antispywarebot and delete everything found connected. You might want to also get CCleaner http://www.ccleaner.com/download/ and prepare to be amazed at the "crap" it removes. Run it then ComboFix again.Your not being a pain either. This stuff is often worse than what we are doing here to get rid of . Link to post Share on other sites More sharing options...
WGMJR Posted October 2, 2007 Author ID:8543 Share Posted October 2, 2007 Here you go.ComboFix 07-10-02.2 - Walt 2007-10-03 15:42:05.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT -4:00]Running from: C:\Documents and Settings\Walt\Desktop\ComboFix.exe.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\check_LSA7.txtC:\Documents and Settings\All Users\Start Menu\Programs.\AntiSpywareBotC:\WINDOWS\cookies.iniC:\WINDOWS\system32\ehkmp.bak1C:\WINDOWS\system32\ehkmp.bak2C:\WINDOWS\system32\ehkmp.iniC:\WINDOWS\system32\jfhmrgyr.iniC:\WINDOWS\system32\pmkhe.dllC:\WINDOWS\system32\rygrmhfj.dllC:\WINDOWS\Tasks.\AntiSpywareBot Scheduled Scan.job.((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 ))))))))))))))))))))))))))))))).2007-10-03 15:45 6,473 ---hs---- C:\WINDOWS\system32\fgjlm.bak12007-10-03 15:45 319,072 --a------ C:\WINDOWS\system32\mljgf.dll2007-10-03 15:30 <DIR> d-------- C:\Program Files\CCleaner2007-10-03 15:27 77,376 --a------ C:\WINDOWS\system32\cqbtugfc.dll2007-10-01 19:42 51,200 --a------ C:\WINDOWS\NirCmd.exe2007-09-30 10:00 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe2007-09-29 16:19 <DIR> d-------- C:\VundoFix Backups2007-09-29 11:52 <DIR> d-------- C:\Program Files\Trend Micro2007-09-29 10:16 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys2007-09-29 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2007-09-28 17:25 <DIR> d-------- C:\Program Files\RogueRemover PRO2007-09-26 16:24 <DIR> d-------- C:\Program Files\GameFlood2007-09-26 14:04 35,328 --a------ C:\WINDOWS\system32\urqrsqp.dll2007-09-25 18:05 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll2007-09-25 18:05 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll2007-09-25 18:05 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll2007-09-25 18:05 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll2007-09-25 18:05 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll2007-09-14 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero2007-09-13 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.22007-09-12 16:47 <DIR> d-------- C:\Program Files\Common Files\HP2007-09-12 16:46 <DIR> d-------- C:\Program Files\Hewlett-Packard2007-09-12 16:43 229,376 -ra------ C:\WINDOWS\system32\hpovst08.dll2007-09-12 16:40 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll2007-09-12 16:40 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe2007-09-12 16:40 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe2007-09-12 16:40 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll2007-09-12 16:40 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll2007-09-12 16:40 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll2007-09-12 16:39 <DIR> d-------- C:\Program Files\HP2007-09-12 16:36 69,385 --a------ C:\WINDOWS\hpoins05.dat2007-09-12 16:36 19,696 --------- C:\WINDOWS\hpomdl05.dat.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2007-09-29 20:14 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink2007-09-29 16:48 --------- d-------- C:\Documents and Settings\Walt\Application Data\Vso2007-09-29 16:24 --------- d-------- C:\Program Files\McAfee2007-09-29 16:10 --------- d-------- C:\Program Files\UltimateBet2007-09-28 19:19 --------- d-------- C:\Program Files\Windows Defender2007-09-28 19:00 --------- d-------- C:\Program Files\Common Files\LightScribe2007-09-28 17:42 --------- d-a------ C:\Documents and Settings\All Users\Application Data\TEMP2007-09-28 17:25 2014 -r-h----- C:\WINDOWS\system32\drivers\hosts2007-09-28 15:10 --------- d-------- C:\Program Files\AWS2007-09-27 19:37 --------- d-------- C:\Program Files\RogueRemover FREE2007-09-27 17:08 --------- d-------- C:\Program Files\SpywareBlaster2007-09-26 16:51 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys2007-09-23 19:20 --------- d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion2007-09-22 11:51 --------- d-------- C:\Program Files\Full Tilt Poker2007-09-15 18:22 --------- d-------- C:\Documents and Settings\Walt\Application Data\Ahead2007-09-14 21:48 --------- d-------- C:\Documents and Settings\All Users\Application Data\Ahead2007-09-14 21:47 --------- d-------- C:\Program Files\Common Files\Ahead2007-09-13 18:55 --------- d-------- C:\Program Files\DVDFab Platinum 32007-09-07 21:14 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys2007-09-07 21:14 47360 --a------ C:\Documents and Settings\Walt\Application Data\pcouffin.sys2007-09-07 21:14 --------- d-------- C:\Program Files\DVDFab Gold 32007-09-07 19:26 3366912 --a------ C:\WINDOWS\system32\dllcache\moviemk.exe2007-09-07 15:42 --------- d-------- C:\Program Files\PC Doc Pro2007-09-07 15:34 --------- d-------- C:\Program Files\Replay Media Catcher2007-09-07 15:29 94208 --a------ C:\Documents and Settings\Walt\Application Data\ezplay.sys2007-09-07 15:29 --------- d-------- C:\Program Files\VSO2007-09-07 15:28 --------- d-------- C:\Program Files\Common Files\Sonic Shared2007-09-07 15:27 --------- d-------- C:\Program Files\Sonic2007-09-02 16:34 --------- d-------- C:\Program Files\AV Music Morpher Gold2007-09-02 16:18 --------- d-------- C:\Program Files\MSXML 6.02007-09-02 16:16 --------- d-------- C:\Program Files\MSBuild2007-09-02 16:11 --------- d-------- C:\Program Files\Reference Assemblies2007-09-02 02:40 --------- d-------- C:\Program Files\NCH Swift Sound2007-09-02 02:40 --------- d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound2007-09-01 10:20 --------- d-------- C:\Program Files\Audio Edit Magic2007-09-01 00:09 --------- d--h----- C:\Program Files\InstallShield Installation Information2007-08-31 16:47 --------- d-------- C:\Program Files\Sonic Foundry2007-08-31 16:47 --------- d-------- C:\Program Files\Pure Motion2007-08-31 16:47 --------- d-------- C:\Program Files\DebugMode2007-08-30 20:40 81920 --a------ C:\Documents and Settings\Walt\Application Data\ezpinst.exe2007-08-27 01:31 --------- d-------- C:\Documents and Settings\All Users\Application Data\NCH Software2007-08-27 01:30 --------- d-------- C:\Program Files\NCH Software2007-08-27 00:56 --------- d-------- C:\Documents and Settings\Walt\Application Data\GetRightToGo2007-08-26 23:28 --------- d-------- C:\Program Files\Kate's Video Cutter2007-08-26 22:55 --------- d-------- C:\Program Files\Cucusoft2007-08-26 22:55 --------- d-------- C:\Program Files\Common Files\Download Manager2007-08-20 18:59 --------- d-------- C:\Program Files\iTunes2007-08-20 18:59 --------- d-------- C:\Program Files\iPod2007-08-20 18:56 --------- d-------- C:\Program Files\Apple Software Update2007-08-19 16:12 --------- d-------- C:\Documents and Settings\Walt\Application Data\InstallShield Installation Information2007-08-19 16:05 --------- d-------- C:\Documents and Settings\Walt\Application Data\InstallShield2007-08-14 19:35 --------- d-------- C:\Program Files\MSXML 4.02007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll2007-07-19 02:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll2007-07-12 19:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll2007-05-28 11:47 2874926 --a------ C:\Program Files\FLV PlayerRCATSetup.exe2007-05-27 14:21 25990392 --a------ C:\Program Files\FLV PlayerRCSetup.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{547C617E-D409-4B45-92D3-01CAC28B7199}] C:\WINDOWS\system32\jkklm.dll[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64BCF3C6-5919-4869-8874-40699298AE13}][HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6BE20E3B-6CB4-42DA-9515-ED70CB8FD9C0}][HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CEFE835-8EBF-420F-AFA2-807008E32917}]2007-09-26 14:04 35328 --a------ C:\WINDOWS\system32\urqrsqp.dll[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6A428A2-E716-4CAD-87D1-AA7ABEBEF98C}][HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFA0D9FF-CF58-4DB7-8903-76C67219ADD7}]2007-10-03 15:45 319072 --a------ C:\WINDOWS\system32\mljgf.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 15:56]"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44]"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44]"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 15:49]"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 15:46]"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 15:50]"POINTER"="point32.exe" []"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-21 21:59]"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 14:46]"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-03-13 16:49]"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-02-21 16:36]"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 22:07]"nwiz"="nwiz.exe" [2005-07-20 22:07 C:\WINDOWS\system32\nwiz.exe]"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-20 22:07]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-12-14 12:07]"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]"SearchIndexer"="C:\WINDOWS\system32\bgfdgtec.dll" [][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40]HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 19:10:04]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40]HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 19:10:04][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]"DisableRegistryTools"=0 (0x0)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]"{8CEFE835-8EBF-420F-AFA2-807008E32917}"= C:\WINDOWS\system32\urqrsqp.dll [2007-09-26 14:04 35328][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrsqp] urqrsqp.dll 2007-09-26 14:04 35328 C:\WINDOWS\system32\urqrsqp.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljgf C:\\WINDOWS\\system32\\mljgf[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]@=""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnkbackup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnkbackup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnkbackup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnkbackup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]"C:\Program Files\iTunes\iTunesHelper.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" /startup[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe""HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"R1 SSHDRV85;SSHDRV85;\??\C:\WINDOWS\system32\drivers\SSHDRV85.sysR2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exeS3 cdiskdun;cdiskdun;\??\C:\DOCUME~1\Walt\LOCALS~1\Temp\cdiskdun.sysS3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe -k QWAVES3 QWAVEDRV;QWAVE driver;C:\WINDOWS\system32\DRIVERS\qwavedrv.sys[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]QWAVE QWAVE[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]AutoRun\command- E:\setup.exe.Contents of the 'Scheduled Tasks' folder"2007-09-26 01:31:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"- C:\Program Files\Apple Software Update\SoftwareUpdate.exe"2007-09-15 05:36:19 C:\WINDOWS\Tasks\McDefragTask.job"- c:\program files\mcafee\mqc\QcConsol.exe"2007-09-01 05:00:11 C:\WINDOWS\Tasks\McQcTask.job"- c:\program files\mcafee\mqc\QcConsol.exe"2007-10-03 19:51:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"- C:\Program Files\Windows Defender\MpCmdRun.exe.**************************************************************************catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2007-10-03 15:49:57Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfully hidden files: 0 **************************************************************************.Completion time: 2007-10-03 15:56:34 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-10-03 15:56. --- E O F --- Link to post Share on other sites More sharing options...
JeanInMontana Posted October 2, 2007 ID:8544 Share Posted October 2, 2007 So, how are you running now? You should do a disk error check, and a defragment after all this. Do the error check first. You will probably get a message saying you don't need to defrag, if it is over 3% fragmented do it anyway, you will notice a performance boost.If everything is running good now we need to do a final step or two. Post another HJT log. Make sure you have updated the Java. Do the error check and defrag. If the HJT log is clean there is one final step. Link to post Share on other sites More sharing options...
WGMJR Posted October 3, 2007 Author ID:8551 Share Posted October 3, 2007 I 'm contacting you thru my mom's computer via a telephone call.I updated Java with no problems. Then I ran disc error check,when my system rebooted,I'm getting a box that says operation failed,with the file lsass.exe in the box.Now I can not even get to my log in screen to get onto windows.I tried F8 safe mode,same results,hit F12 during bootup,and ran diagnostics,everything checks out fine.After some research I found the SASSER virus could be at work here.I know the LSASS.exe is a windows operating file.Any ideas????? Link to post Share on other sites More sharing options...
JeanInMontana Posted October 4, 2007 ID:8556 Share Posted October 4, 2007 I highly doubt it is Sasser. That is an old worm and if you scan regularly with updated AV you shouldn't have it. Besides that wouldn't keep you from booting with that error I'm pretty sure. I can't imagine why you would get this after a disk error check. I am away from home right now on business. i will post a request for someone to help you in the experts forum. If someone new starts responding that will be why. Link to post Share on other sites More sharing options...
JeanInMontana Posted October 4, 2007 ID:8569 Share Posted October 4, 2007 I should have thought of this. It was late when I replied last night, in my mind/brain. Try Last Known Good Configuration that is your best bet to restore the system. You may end up infected again, but you save your system. Here are some good instructions on how to do this http://www.techsupportforum.com/security-c...tml#post1099176 I have just been alerted that there is a new version of Vundo that causes this damage. I'm hoping this works, otherwise if you have a restore disk or the original install that is you last resort. Let me know how it goes. Link to post Share on other sites More sharing options...
WGMJR Posted October 7, 2007 Author ID:8612 Share Posted October 7, 2007 Hi Jean, I did everything I could except restore back to factory settings. I ended up putting it in the shop Friday, I just got it back this evening, I lost everything, all my data, although it really wasn't a whole lot of important stuff. I have learned a very important lesson, back up back up back up!!! LOL I want to thank you for all the help and time you took to try and help me fix this thing, your a saint! Not everyone would take the time to do what you do, it shows a lot of kindness and character on your part. Well, anyway, thanks again, and I hope I won't be back anytime soon...LOL Link to post Share on other sites More sharing options...
JeanInMontana Posted October 7, 2007 ID:8615 Share Posted October 7, 2007 Im sorry it ended like this. This is a new development with this malware I have found. Prevention is your best defense. I recommend you install the programs below. And I hope your not back soon either. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsFor an excellent list of reliable free firewalls and antivirus programs see here. Link to post Share on other sites More sharing options...
WGMJR Posted October 8, 2007 Author ID:8637 Share Posted October 8, 2007 Thanks Jean, I switched from Mcafee to Norton, I have never really been impressed with Norton, but the guy at the repair shop said Mcafee was junk, and it has been letting me down lately. I got the top three you link for me, RogueRemover wasn't free, and hpHosts, well after reading it I wasn't comfortable going in a turning things off. The Norton is the 360 version, it covers everything, and has its own firewall like most of them do. So I guess we'll see how it performs, I'm already getting some crashes when I play my games, it must be the settings, unless my Nvidia card just got to hot. Again, thank you. Link to post Share on other sites More sharing options...
JeanInMontana Posted October 8, 2007 ID:8641 Share Posted October 8, 2007 Norton is a notorious resource hog and not the highest rated in performance either. Plus you have to fork out big bucks. hpHosts doesn't turn anything off. It blocks bad sites. It uses no resources. There is a free version of RogueRemover. If you don't pay for the license for Pro after the trial it reverts to the free version. I thought that was explained...oops. I would try doing some basic maintenance again. Most likely your HD is fragmented with all the new installations and who knows what the shop did. Link to post Share on other sites More sharing options...
JeanInMontana Posted October 14, 2007 ID:8788 Share Posted October 14, 2007 Since this issue has been resolved I will close the thread.The advice in this thread is for this machine only. Applying the fixes to your system can cause disaster and irreparable damage. Post your own topic for help. Link to post Share on other sites More sharing options...
Recommended Posts