Jump to content

HELP AntivirusSpyware 2007 + easy error


WGMJR
 Share

Recommended Posts

I have this thing popping up and re-routing my browser, actually the title is wrong, its Winantispyware 2007. I have ran several different things to try and get rid of it, but nothing works. I am also showing a vundo virus when I run AntispywareBot, it picks it up, nd it acts like its getting rid of it, but I scan again and there it is again.. I have ran RogueRemover Pro, and it is not finding anything. I have ran Spyware Blaster, it finds nothing. This thing is even affecting my keystrokes. Anybody help please? I have Mcafee, and its up to date also. None of my protection is killing this thing. I'm kind of a noob when it comes to getting rid of these things, so you may have to walk me through any advice. Thanks

Here is a Panda Scan Report if this helps

Incident Status Location

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10000.qit

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10001.qit

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10003.qit

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10004.qit

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10006.qit

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10007.qit

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10008.qit

Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10009.qit

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\11968.qit

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\11969.qit

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10000.qit

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10001.qit

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10002.qit

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10003.qit

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10004.qit

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10005.qit

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10006.qit

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10007.qit

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-47-33\10031.qit

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-16-49-22\10037.qit

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-16-49-22\10038.qit

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Walt\Cookies\walt@2o7[2].txt

Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Walt\Cookies\walt@clickbank[1].txt

Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Walt\Cookies\walt@clickbank[2].txt

Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Walt\Cookies\walt@clickbank[3].txt

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Walt\Cookies\walt@server.iad.liveperson[1].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Walt\Cookies\walt@statcounter[1].txt

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Walt\Cookies\walt@stats1.reliablestats[1].txt

Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Walt\Cookies\walt@systemdoctor[1].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Walt\Cookies\walt@www.winantiviruspro[2].txt

Adware:Adware/WinAntiSpyware Not disinfected C:\Documents and Settings\Walt\Local Settings\Temporary Internet Files\Content.IE5\ZJ9Y75H6\WinAntiSpyware2007FreeInstall[1].exe

Link to post
Share on other sites

Hi there and welcome to Malwarebytes. SpywareBlaster is not a removal program. It is a site blocking program and one you should keep.

If you can, uninstall AntispywareBot from your add/remove programs. This is a known rogue program and bad. You must have a new version because it should get removed by RogueRemover.

Please follow the directions below carefully.

Please get these programs, update and run a complete scan removing all items found.

Spybot Search & Destroy Be sure to use the immunize feature.

AVG AntiSpyware Be sure to "take action"

Post the logs from the AVG scan please, along with a log from this program HiJack This!

You will post two logs. 1. AVG scan. 2. HiJack This scan. You will finish the AVG first so go ahead and post that log, then with all programs and browsers closed run HiJack This and post that scan.

I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.

Link to post
Share on other sites

Thanks so much for your help. First, before I run Search and Destroy, I tried uninstalling Anspywarebot, and it won't let me. I went into Remove Programs and went in through the c drive, no luck either way. Also it is published by 2Squared, and it is version 1.5

I ran the AVG Antispyware, I clicked on generate a report for every scan, but I got noreport, and I cannot figure out how to get it. It found 22 meium risk cookies. The S&D did recognize the AntispywareBot and I think it got rid of it, its not in Add/Remove Programs or in my C drive, but it still shows up when I click Start and Programs, I'm afraid to click on it, I don't want to bring it back in if it is out. I'll ess with the AVG some more and see if I can figure out how to get a log. In the mean time here is the HiJackthis log you asked for.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:53:24 AM, on 9/29/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com' rel="external nofollow">http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com'>http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com' rel="external nofollow">http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com'>http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [sMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [searchIndexer] rundll32.exe "C:\WINDOWS\system32\dymvscda.dll",sitypnow

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/229?210ad2f1d4a418fbfe0c2f667f3363c

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/230?210ad2f1d4a418fbfe0c2f667f3363c

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Absolute Poker\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Absolute Poker\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)

O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Program Files\PokermMPP\MPPoker.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice.com/Ve...stallHelper.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.gamingclubpoker.com/download_helper/Nyoko.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135346064623

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/controls/msnchat45.cab

O23 - Service: McAfee Application Installer Cleanup (0099491191071622) (0099491191071622mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP09949~1.EXE

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 15132 bytes

Link to post
Share on other sites

Heres the AVG

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 12:00:26 PM 9/29/2007

+ Scan result:

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10004.qit -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10005.qit -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Walt\Cookies\walt@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Walt\Cookies\walt@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Walt\Cookies\walt@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10000.qit -> TrackingCookie.Advertising : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10000.qit -> TrackingCookie.Advertising : Cleaned.

C:\Documents and Settings\Walt\Cookies\walt@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.

C:\Documents and Settings\Walt\Cookies\walt@clickbank[3].txt -> TrackingCookie.Clickbank : Cleaned.

C:\Documents and Settings\Walt\Cookies\walt@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.

C:\Documents and Settings\Walt\Cookies\walt@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10001.qit -> TrackingCookie.Mediaplex : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10001.qit -> TrackingCookie.Mediaplex : Cleaned.

C:\Documents and Settings\Walt\Cookies\walt@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10002.qit -> TrackingCookie.Pointroll : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-16-49-22\10037.qit -> TrackingCookie.Pointroll : Cleaned.

C:\Documents and Settings\Walt\Cookies\walt@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.

C:\Documents and Settings\MCX1\Cookies\walt@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10002.qit -> TrackingCookie.Webtrends : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10003.qit -> TrackingCookie.Webtrendslive : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10006.qit -> TrackingCookie.Yieldmanager : Cleaned.

C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\28-09-2007-15-41-52\10003.qit -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

Link to post
Share on other sites

OK Please follow these instructions carefully and in the order written.

Uninstall (if possible) UltimateBet.exe

Run HJT scan only and put a check next to all of these:

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)

O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Program Files\PokermMPP\MPPoker.exe (file missing)

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Absolute Poker\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Absolute Poker\PartyPoker\RunApp.exe (file missing)

Now please get this program below, follow the directions carefully.

VundoFix.exe PDF Print E-mail

Written by Atribune

Feb 03, 2006 at 03:58 PM

VundoFix.exe is a removal tool developed to remove Virtumonde infections. To use the tool follow the instrctions below.

Please download VundoFix.exe to your desktop. http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.

* When VundoFix re-opens, click the Scan for Vundo button.

* Once it's done scanning, click the Remove Vundo button.

* You will receive a prompt asking if you want to remove the files, click YES

* Once you click yes, your desktop will go blank as it starts removing Vundo.

* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the

Scan for Vundo button." when VundoFix appears at reboot.

Last Updated ( Aug 14, 2006 at 10:47 PM )

Reboot and post a fresh HJT log for me.

Link to post
Share on other sites

Ok, did everything you asked, but Spybot S & D popped up a few times saying something about some files changing as I was trying to get rid of the vundo files. I went ahead and allowed the change thinking it might be the vundofix scan I was running. It rebooted, the vundofix didn't try to run again, and I seemed to get back to this sight with ease, no re-routing, or messed up keystrokes or scroll. Heres the HJT file you asked for. By the way, why did I have to delete my poker sites??

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:31:24 PM, on 9/29/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com' rel="external nofollow">http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com'>http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com' rel="external nofollow">http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com'>http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [sMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/229?210ad2f1d4a418fbfe0c2f667f3363c

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/230?210ad2f1d4a418fbfe0c2f667f3363c

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice.com/Ve...stallHelper.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.gamingclubpoker.com/download_helper/Nyoko.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135346064623

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/controls/msnchat45.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 13496 bytes

Link to post
Share on other sites

Hi again. If you notice for most of your poker games the file was missing, most likely removed by a malware scan of some sort. These games are probably how you got infected. We missed one here:

O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.gamingclubpoker.com/download_helper/Nyoko.cab

There should have been a log from the Vundo fix also. Look for it on C:\ Vundo.txt Please post that.

Spybot Search & Destroy has a feature called Tea Timer, it is a tool for monitoring changes to your system and that is what was giving you the alerts. You can turn it off if you don't want the messages. However, it is a good thing to have for prevention and it will help you learn what is being changed by what in your system. You seem to keep getting yourself infected and as you were advised back in June by TheRock247uk here http://www.malwarebytes.org/forums/index.php?showtopic=1667 you should have some sort of protection and use more caution installing things. LOL

Let's have a look at the Vundo log and some final instructions.

Link to post
Share on other sites

Here you are

VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 4:19:01 PM 9/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\adcsvmyd.ini

C:\WINDOWS\system32\dymvscda.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\adcsvmyd.ini

C:\WINDOWS\system32\adcsvmyd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dymvscda.dll

C:\WINDOWS\system32\dymvscda.dll Has been deleted!

Performing Repairs to the registry.

Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 9:58:31 AM 9/30/2007

Listing files found while scanning....

C:\WINDOWS\system32\oenvepir.dll

C:\WINDOWS\system32\ripevneo.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oenvepir.dll

C:\WINDOWS\system32\oenvepir.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ripevneo.ini

C:\WINDOWS\system32\ripevneo.ini Has been deleted!

Performing Repairs to the registry.

Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:09:22 AM 9/30/2007

Listing files found while scanning....

VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:12:09 AM 9/30/2007

Listing files found while scanning....

No infected files were found.

I had to re-run VundoFix this morning, I was getting re-routed again and my keystrokes were messed up. This time it wanted to reboot after initially finding the same 2 files it found yesterday. So when it rebooted it never came up, so I ran it again, the second time I ran it, it had the file in there that it could't get rid of the first time. So far everything seems ok, but I still thnk I'm infected, just by my keystrokes and how slow my computer is responding. If your wondering why keep getting infected, its my 15 year old son, he is not the brightest bulb on the tree, and sometimes gets tricked into clicking on things he shouldn't. This is the 3rd time he has infected my computer in 6 months. I have Mcafee, even though I'm not real impressed with it, I'm comfortable with it. I have several different programs for protection, but when you invite someone in, none of it is any good. I really appreciate your help, without it I would be throwing this thing through a window. Yep, I keep having to go back and re-type things, my keystrokes are still messing up.

Link to post
Share on other sites

Oh the joys of 15 year olds. These miscreants target kids too and it is so wrong. What you can do is make sure Jr is using an account that does not have administrative capabilities. Then nothing can be installed without you having a say. That includes malware that can be gotten from just visiting a bad site. It is possible that is what is happening right now.

You have an outdated exploitable version of Java. Please uninstall all versions of Java you have in Add/Remove programs, and delete the program files also. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the off line installation. This could be causing you to be reinfected.

Be sure you have the system set to show hidden files and folders also.

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Then let's run this http://www.techsupportforum.com/sect...s/ComboFix.exe

Make sure you don't click the program during the scan. Please post the log when the scan finishes.

Link to post
Share on other sites

Ok, I'm sorry for being such a pain in the rear, but here goes. I was running this combofix, and everything is going fine, it starts deleting infected files, then it gets to a certain file...C:\Documents and Settings\Walt\Application Data\AntiSpywareBot\Quarantine\27-09-2007-20-41-36\10000.qit

I let it delete this file for a long time, but the last 5 numbers and last 3 letters just kept changing. I let it go to 11500, the last letters were changing from qit to qnf. I think it was regenerating itself as it was being deleted...??? I went in and looked at it, and it didn't go to 11500, but as I was deleting it, it just kept on climbing. Was I wrong to stop? I don't think it was ever going to end. Is it possible it was rewriting itself? What should I do?

Link to post
Share on other sites

Find that folder and delete it. It is a left over from uninstalling the program. I would do a file search for Antispywarebot and delete everything found connected. You might want to also get CCleaner http://www.ccleaner.com/download/ and prepare to be amazed at the "crap" it removes. Run it then ComboFix again.

Your not being a pain either. This stuff is often worse than what we are doing here to get rid of .

Link to post
Share on other sites

Here you go.

ComboFix 07-10-02.2 - Walt 2007-10-03 15:42:05.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT -4:00]

Running from: C:\Documents and Settings\Walt\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\check_LSA7.txt

C:\Documents and Settings\All Users\Start Menu\Programs.\AntiSpywareBot

C:\WINDOWS\cookies.ini

C:\WINDOWS\system32\ehkmp.bak1

C:\WINDOWS\system32\ehkmp.bak2

C:\WINDOWS\system32\ehkmp.ini

C:\WINDOWS\system32\jfhmrgyr.ini

C:\WINDOWS\system32\pmkhe.dll

C:\WINDOWS\system32\rygrmhfj.dll

C:\WINDOWS\Tasks.\AntiSpywareBot Scheduled Scan.job

.

((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))

.

2007-10-03 15:45 6,473 ---hs---- C:\WINDOWS\system32\fgjlm.bak1

2007-10-03 15:45 319,072 --a------ C:\WINDOWS\system32\mljgf.dll

2007-10-03 15:30 <DIR> d-------- C:\Program Files\CCleaner

2007-10-03 15:27 77,376 --a------ C:\WINDOWS\system32\cqbtugfc.dll

2007-10-01 19:42 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-30 10:00 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe

2007-09-29 16:19 <DIR> d-------- C:\VundoFix Backups

2007-09-29 11:52 <DIR> d-------- C:\Program Files\Trend Micro

2007-09-29 10:16 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-09-29 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-09-28 17:25 <DIR> d-------- C:\Program Files\RogueRemover PRO

2007-09-26 16:24 <DIR> d-------- C:\Program Files\GameFlood

2007-09-26 14:04 35,328 --a------ C:\WINDOWS\system32\urqrsqp.dll

2007-09-25 18:05 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll

2007-09-25 18:05 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll

2007-09-25 18:05 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll

2007-09-25 18:05 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll

2007-09-25 18:05 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll

2007-09-14 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero

2007-09-13 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-09-12 16:47 <DIR> d-------- C:\Program Files\Common Files\HP

2007-09-12 16:46 <DIR> d-------- C:\Program Files\Hewlett-Packard

2007-09-12 16:43 229,376 -ra------ C:\WINDOWS\system32\hpovst08.dll

2007-09-12 16:40 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll

2007-09-12 16:40 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe

2007-09-12 16:40 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe

2007-09-12 16:40 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll

2007-09-12 16:40 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll

2007-09-12 16:40 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll

2007-09-12 16:39 <DIR> d-------- C:\Program Files\HP

2007-09-12 16:36 69,385 --a------ C:\WINDOWS\hpoins05.dat

2007-09-12 16:36 19,696 --------- C:\WINDOWS\hpomdl05.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-29 20:14 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink

2007-09-29 16:48 --------- d-------- C:\Documents and Settings\Walt\Application Data\Vso

2007-09-29 16:24 --------- d-------- C:\Program Files\McAfee

2007-09-29 16:10 --------- d-------- C:\Program Files\UltimateBet

2007-09-28 19:19 --------- d-------- C:\Program Files\Windows Defender

2007-09-28 19:00 --------- d-------- C:\Program Files\Common Files\LightScribe

2007-09-28 17:42 --------- d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2007-09-28 17:25 2014 -r-h----- C:\WINDOWS\system32\drivers\hosts

2007-09-28 15:10 --------- d-------- C:\Program Files\AWS

2007-09-27 19:37 --------- d-------- C:\Program Files\RogueRemover FREE

2007-09-27 17:08 --------- d-------- C:\Program Files\SpywareBlaster

2007-09-26 16:51 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2007-09-23 19:20 --------- d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

2007-09-22 11:51 --------- d-------- C:\Program Files\Full Tilt Poker

2007-09-15 18:22 --------- d-------- C:\Documents and Settings\Walt\Application Data\Ahead

2007-09-14 21:48 --------- d-------- C:\Documents and Settings\All Users\Application Data\Ahead

2007-09-14 21:47 --------- d-------- C:\Program Files\Common Files\Ahead

2007-09-13 18:55 --------- d-------- C:\Program Files\DVDFab Platinum 3

2007-09-07 21:14 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys

2007-09-07 21:14 47360 --a------ C:\Documents and Settings\Walt\Application Data\pcouffin.sys

2007-09-07 21:14 --------- d-------- C:\Program Files\DVDFab Gold 3

2007-09-07 19:26 3366912 --a------ C:\WINDOWS\system32\dllcache\moviemk.exe

2007-09-07 15:42 --------- d-------- C:\Program Files\PC Doc Pro

2007-09-07 15:34 --------- d-------- C:\Program Files\Replay Media Catcher

2007-09-07 15:29 94208 --a------ C:\Documents and Settings\Walt\Application Data\ezplay.sys

2007-09-07 15:29 --------- d-------- C:\Program Files\VSO

2007-09-07 15:28 --------- d-------- C:\Program Files\Common Files\Sonic Shared

2007-09-07 15:27 --------- d-------- C:\Program Files\Sonic

2007-09-02 16:34 --------- d-------- C:\Program Files\AV Music Morpher Gold

2007-09-02 16:18 --------- d-------- C:\Program Files\MSXML 6.0

2007-09-02 16:16 --------- d-------- C:\Program Files\MSBuild

2007-09-02 16:11 --------- d-------- C:\Program Files\Reference Assemblies

2007-09-02 02:40 --------- d-------- C:\Program Files\NCH Swift Sound

2007-09-02 02:40 --------- d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound

2007-09-01 10:20 --------- d-------- C:\Program Files\Audio Edit Magic

2007-09-01 00:09 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-08-31 16:47 --------- d-------- C:\Program Files\Sonic Foundry

2007-08-31 16:47 --------- d-------- C:\Program Files\Pure Motion

2007-08-31 16:47 --------- d-------- C:\Program Files\DebugMode

2007-08-30 20:40 81920 --a------ C:\Documents and Settings\Walt\Application Data\ezpinst.exe

2007-08-27 01:31 --------- d-------- C:\Documents and Settings\All Users\Application Data\NCH Software

2007-08-27 01:30 --------- d-------- C:\Program Files\NCH Software

2007-08-27 00:56 --------- d-------- C:\Documents and Settings\Walt\Application Data\GetRightToGo

2007-08-26 23:28 --------- d-------- C:\Program Files\Kate's Video Cutter

2007-08-26 22:55 --------- d-------- C:\Program Files\Cucusoft

2007-08-26 22:55 --------- d-------- C:\Program Files\Common Files\Download Manager

2007-08-20 18:59 --------- d-------- C:\Program Files\iTunes

2007-08-20 18:59 --------- d-------- C:\Program Files\iPod

2007-08-20 18:56 --------- d-------- C:\Program Files\Apple Software Update

2007-08-19 16:12 --------- d-------- C:\Documents and Settings\Walt\Application Data\InstallShield Installation Information

2007-08-19 16:05 --------- d-------- C:\Documents and Settings\Walt\Application Data\InstallShield

2007-08-14 19:35 --------- d-------- C:\Program Files\MSXML 4.0

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll

2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll

2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll

2007-07-19 02:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll

2007-07-12 19:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll

2007-05-28 11:47 2874926 --a------ C:\Program Files\FLV PlayerRCATSetup.exe

2007-05-27 14:21 25990392 --a------ C:\Program Files\FLV PlayerRCSetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{547C617E-D409-4B45-92D3-01CAC28B7199}]

C:\WINDOWS\system32\jkklm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64BCF3C6-5919-4869-8874-40699298AE13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6BE20E3B-6CB4-42DA-9515-ED70CB8FD9C0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CEFE835-8EBF-420F-AFA2-807008E32917}]

2007-09-26 14:04 35328 --a------ C:\WINDOWS\system32\urqrsqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6A428A2-E716-4CAD-87D1-AA7ABEBEF98C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFA0D9FF-CF58-4DB7-8903-76C67219ADD7}]

2007-10-03 15:45 319072 --a------ C:\WINDOWS\system32\mljgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 15:56]

"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 15:49]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 15:46]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 15:50]

"POINTER"="point32.exe" []

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-21 21:59]

"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 14:46]

"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-03-13 16:49]

"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-02-21 16:36]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 22:07]

"nwiz"="nwiz.exe" [2005-07-20 22:07 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-20 22:07]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-12-14 12:07]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

"SearchIndexer"="C:\WINDOWS\system32\bgfdgtec.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 19:10:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 19:10:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{8CEFE835-8EBF-420F-AFA2-807008E32917}"= C:\WINDOWS\system32\urqrsqp.dll [2007-09-26 14:04 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrsqp]

urqrsqp.dll 2007-09-26 14:04 35328 C:\WINDOWS\system32\urqrsqp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljgf C:\\WINDOWS\\system32\\mljgf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

R1 SSHDRV85;SSHDRV85;\??\C:\WINDOWS\system32\drivers\SSHDRV85.sys

R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe

S3 cdiskdun;cdiskdun;\??\C:\DOCUME~1\Walt\LOCALS~1\Temp\cdiskdun.sys

S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe -k QWAVE

S3 QWAVEDRV;QWAVE driver;C:\WINDOWS\system32\DRIVERS\qwavedrv.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

AutoRun\command- E:\setup.exe

.

Contents of the 'Scheduled Tasks' folder

"2007-09-26 01:31:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-09-15 05:36:19 C:\WINDOWS\Tasks\McDefragTask.job"

- c:\program files\mcafee\mqc\QcConsol.exe

"2007-09-01 05:00:11 C:\WINDOWS\Tasks\McQcTask.job"

- c:\program files\mcafee\mqc\QcConsol.exe

"2007-10-03 19:51:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

.

**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-03 15:49:57

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-10-03 15:56:34 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-10-03 15:56

.

--- E O F ---

Link to post
Share on other sites

So, how are you running now? You should do a disk error check, and a defragment after all this. Do the error check first. You will probably get a message saying you don't need to defrag, if it is over 3% fragmented do it anyway, you will notice a performance boost.

If everything is running good now we need to do a final step or two. Post another HJT log. Make sure you have updated the Java. Do the error check and defrag. If the HJT log is clean there is one final step.

Link to post
Share on other sites

I 'm contacting you thru my mom's computer via a telephone call.I updated Java with no problems. Then I ran disc error check,when my system rebooted,I'm getting a box that says operation failed,with the file lsass.exe in the box.Now I can not even get to my log in screen to get onto windows.I tried F8 safe mode,same results,hit F12 during bootup,and ran diagnostics,everything checks out fine.After some research I found the SASSER virus could be at work here.I know the LSASS.exe is a windows operating file.Any ideas?????

Link to post
Share on other sites

I highly doubt it is Sasser. That is an old worm and if you scan regularly with updated AV you shouldn't have it. Besides that wouldn't keep you from booting with that error I'm pretty sure. I can't imagine why you would get this after a disk error check. I am away from home right now on business. i will post a request for someone to help you in the experts forum. If someone new starts responding that will be why.

Link to post
Share on other sites

I should have thought of this. It was late when I replied last night, in my mind/brain. Try Last Known Good Configuration that is your best bet to restore the system. You may end up infected again, but you save your system. Here are some good instructions on how to do this http://www.techsupportforum.com/security-c...tml#post1099176 I have just been alerted that there is a new version of Vundo that causes this damage.

I'm hoping this works, otherwise if you have a restore disk or the original install that is you last resort. Let me know how it goes.

Link to post
Share on other sites

Hi Jean, I did everything I could except restore back to factory settings. I ended up putting it in the shop Friday, I just got it back this evening, I lost everything, all my data, although it really wasn't a whole lot of important stuff. I have learned a very important lesson, back up back up back up!!! LOL I want to thank you for all the help and time you took to try and help me fix this thing, your a saint! Not everyone would take the time to do what you do, it shows a lot of kindness and character on your part. Well, anyway, thanks again, and I hope I won't be back anytime soon...LOL

Link to post
Share on other sites

Im sorry it ended like this. This is a new development with this malware I have found. Prevention is your best defense. I recommend you install the programs below. And I hope your not back soon either. :P

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

For an excellent list of reliable free firewalls and antivirus programs see here.

Link to post
Share on other sites

Thanks Jean, I switched from Mcafee to Norton, I have never really been impressed with Norton, but the guy at the repair shop said Mcafee was junk, and it has been letting me down lately. I got the top three you link for me, RogueRemover wasn't free, and hpHosts, well after reading it I wasn't comfortable going in a turning things off. The Norton is the 360 version, it covers everything, and has its own firewall like most of them do. So I guess we'll see how it performs, I'm already getting some crashes when I play my games, it must be the settings, unless my Nvidia card just got to hot. Again, thank you.

Link to post
Share on other sites

Norton is a notorious resource hog and not the highest rated in performance either. Plus you have to fork out big bucks. hpHosts doesn't turn anything off. It blocks bad sites. It uses no resources. There is a free version of RogueRemover. If you don't pay for the license for Pro after the trial it reverts to the free version. I thought that was explained...oops.

I would try doing some basic maintenance again. Most likely your HD is fragmented with all the new installations and who knows what the shop did.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.