# Solved: recent attack of false spyware infection warnings



## yettz (May 6, 2007)

I suddenly started getting windows that warn me of spyware infections and offer to remove them. They have taken over the desktop, disabled the task manager, and are generally wreaking havoc. Earlier, the desktop icons and task bar disappeared, leaving only the wallpaper, and I had to reboot. A Rundll error message appears now at startup.

Earlier Superantispyware detected a Vundo variant, a Downloader, and a few other pests, but it doesn't seem as though it was able to remove all of them. Then I ran Vundofix and it found no problems. I have not yet run Combofix. I'm hoping your trained eye can help me resolve this!

SAS + Vundofix logs follow, then the Hijackthis log. 
Thank you!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/13/2008 at 04:30 PM

Application Version : 4.0.1154

Core Rules Database Version : 3391
Trace Rules Database Version: 1383

Scan type : Quick Scan
Total Scan Time : 01:09:12

Memory items scanned : 470
Memory threats detected : 1
Registry items scanned : 489
Registry threats detected : 10
File items scanned : 6089
File threats detected : 7

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\QOMCCCSP.DLL
C:\WINDOWS\SYSTEM32\QOMCCCSP.DLL

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}

Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B72E407-F908-45C9-AA61-64EACFC57E03}
HKCR\CLSID\{5B72E407-F908-45C9-AA61-64EACFC57E03}
HKCR\CLSID\{5B72E407-F908-45C9-AA61-64EACFC57E03}\InprocServer32
HKCR\CLSID\{5B72E407-F908-45C9-AA61-64EACFC57E03}\InprocServer32#ThreadingModel

Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}

Adware.Tracking Cookie
C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@tribalfusion[2].txt
C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@ads.techguy[2].txt
C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@msnportal.112.2o7[1].txt
C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@ads.as4x.tmcs[1].txt
C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@atdmt[1].txt
C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@trafficmp[1].txt

VundoFix V7.0.3

Scan started at 2:30:35 PM 4/13/2008

Listing files found while scanning....

No infected files were found.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:45 PM, on 4/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\QdrModule\QdrModule15.exe
C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\ie.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\winself.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [b8dec507] rundll32.exe "C:\WINDOWS\System32\lujdvdwd.dll",b
O4 - HKLM\..\Run: [BMbbedf69b] Rundll32.exe "C:\WINDOWS\System32\atyubtoh.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Matt's Things\Other Things\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for ôå: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098728199640
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://a1776.ff.fullaudio.com.edges...io.com/musicnow/phoenix/4.0.0.17/MusicNow.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9553 bytes


----------
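The HijackThis log above is what the helper is actually reading, and the suspicious entries follow a few recognisable patterns: an extra executable chained onto the `F2` UserInit value, `O4` Run values with machine-generated names that launch `rundll32.exe` on a random eight-letter DLL, an autostart pointing into the user's Temp folder, and an `O23` service whose binary sits directly in `C:\WINDOWS`. As an added example (not part of this thread, and not code from HijackThis or any of the tools mentioned in it), here is a small Python triage script that encodes those indicators as rules and runs them over lines copied from the log. The rule names, regexes and thresholds are this example's own heuristics, and `SAMPLE_LOG` is constructed from entries in the posted log with a few known-good lines mixed in to show the rules stay quiet on them.

```python
"""Triage rules for a HijackThis log.

Added example for this thread; it is not part of the original posts and
not code from HijackThis or any of the tools mentioned.  The rule names,
regexes and thresholds are this example's own heuristics.  SAMPLE_LOG is
constructed from entries copied out of the log posted above.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line rule detail")

# A HijackThis entry is "<type> - <rest>", e.g. "O4 - HKLM\..\Run: [name] cmd".
HJT_LINE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<rest>.*)$")
O4_LINE = re.compile(r"^(?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O23_LINE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# rundll32.exe "<dll>",<export>  (Vundo-style loaders use a random 8-letter
# DLL name and a one-letter export; this is a heuristic, not a signature)
RUNDLL = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)$', re.I)
RANDOM_NAME = re.compile(r"^(BM)?[0-9a-f]{8,}$", re.I)   # [b8dec507], [BMbbedf69b]
TEMP_PATH = re.compile(r"\\Temp\\", re.I)                   # ...\LOCALS~1\Temp\ie.exe
WINROOT_BIN = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.I)  # C:\WINDOWS\x.exe


def check_userinit(lineno, rest):
    """F2: UserInit should hold exactly one entry, system32\\userinit.exe."""
    value = rest.partition("UserInit=")[2]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    if extra:
        return [Finding(lineno, "userinit-chain", "extra UserInit entries: " + "; ".join(extra))]
    return []


def check_run_entry(lineno, rest):
    """O4: autostart entries (Run keys and Startup folders)."""
    m = O4_LINE.match(rest)
    if not m:
        return []
    name, cmd = m.group("name") or "", m.group("cmd")
    out = []
    if RANDOM_NAME.match(name):
        out.append(Finding(lineno, "random-run-name", f"Run value name {name!r} looks machine-generated"))
    if TEMP_PATH.search(cmd):
        out.append(Finding(lineno, "temp-launch", f"autostart from a Temp directory: {cmd}"))
    r = RUNDLL.match(cmd)
    if r:
        dll, export = r.group("dll"), r.group("export")
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if re.fullmatch(r"[A-Za-z]{8}", stem) and len(export) <= 2:
            out.append(Finding(lineno, "rundll32-random-dll", f"rundll32 loads {dll} via export {export!r}"))
    return out


def check_service(lineno, rest):
    """O23: a service binary sitting directly in the Windows root is unusual.

    Owner alone is a weak signal: 'Unknown owner' also appears on legitimate
    Symantec entries in the log above, so this rule keys on the binary's location.
    """
    m = O23_LINE.match(rest)
    if not m:
        return []
    path = m.group("path").strip().strip('"')
    if WINROOT_BIN.match(path):
        return [Finding(lineno, "service-in-windows-root",
                        f"{m.group('name')} ({m.group('owner')}) runs {path}")]
    return []


CHECKS = {"F2": check_userinit, "O4": check_run_entry, "O23": check_service}


def triage(log_text):
    """Return a list of Findings, one per (line, rule) hit, in log order."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("type"))
        if check:
            findings.extend(check(lineno, m.group("rest")))
    return findings


# Constructed sample: entries copied from the HijackThis log in the thread,
# with a few known-good lines mixed in to show the rules do not fire on them.
SAMPLE_LOG = "\n".join([
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [b8dec507] rundll32.exe "C:\WINDOWS\System32\lujdvdwd.dll",b',
    r'O4 - HKLM\..\Run: [BMbbedf69b] Rundll32.exe "C:\WINDOWS\System32\atyubtoh.dll",s',
    r"O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\ie.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r"O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",
    r"O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe",
    r"O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:2d}  {f.rule:24s} {f.detail}")
```

Run as a script it prints seven hits on five lines: the `wmsdkns.exe` chained onto UserInit, both `rundll32` loaders (each flagged twice, once for the hex-looking value name and once for the random DLL), `ie.exe` launched from Temp, and `winself.exe` running as a service out of the Windows root. The Symantec and HP services, `ctfmon.exe` and the Adobe startup link produce nothing. The service rule deliberately ignores the "Unknown owner" column, because the same log shows that string on a legitimate Symantec service; location is the better discriminator. Hits are leads for the helper to confirm, not verdicts.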



## cybertech (Apr 16, 2002)

Please download (save) *SmitfraudFix* (by *S!Ri*) to your desktop. 
Extract the content (a folder named *SmitfraudFix*) to your Desktop. Select all of the contents and extract them to a new folder called *SmitfraudFix*.
Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


----------



## yettz (May 6, 2007)

Thanks so much for responding!!

When the SmitfraudFix process began scanning in the C:\ window, after a very short time, the window disappeared. I cannot see whether anything is running by using the Task Manager since it is disabled by the rogue files. It must not have completed. ??


----------



## yettz (May 6, 2007)

PS It disappears when it gets to the Windows System32 folders in its scan.


----------



## cybertech (Apr 16, 2002)

Please visit *this webpage* for instructions on installing recovery console and downloading/running ComboFix.

Post the log from ComboFix along with a new HijackThis log.


----------



## yettz (May 6, 2007)

Hoo-boy! I turned Norton off in order to run Combofix, and many spam-popup windows have taken over! Combofix soldiered on through it all, here is the log file... (btw, I didn't install the recovery console, thought I had already done that before when I had problems last year)

ComboFix 08-04-13.3 - mom (and guests) 2008-04-14 13:48:21.3 - NTFSx86
Running from: C:\Documents and Settings\mom (and guests)\My Documents\Mom's Documents\ComboFix.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.
_ ADS - svchost.exe: deleted 28160 bytes in 1 streams. _
/wow section not completed

((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-14 13:49 . 758 C:\WINDOWS\SYSTEM32\dwdvdjul.tmp
2008-04-14 13:45 . 2008-04-14 13:47	41,754	--a------	C:\WINDOWS\nivavir.config
2008-04-14 13:44 . 2008-04-14 13:44	391,168	--a------	C:\WINDOWS\SYSTEM32\alt.exe.exe
2008-04-14 13:44 . 2008-04-14 13:44	132,608	--a------	C:\WINDOWS\SYSTEM32\shift.exe.exe
2008-04-14 13:44 . 2008-04-14 13:44	132,608	--a------	C:\WINDOWS\kavir.exe
2008-04-14 13:44 . 2002-08-29 04:00	113,664	--a------	C:\WINDOWS\SYSTEM32\hcnqt.drv
2008-04-14 13:44 . 2008-04-14 13:44	4	--a------	C:\WINDOWS\SYSTEM32\winsub.xml
2008-04-14 13:44 . 2008-04-14 13:44	0	--a------	C:\WINDOWS\SYSTEM32\svcp.csv
2008-04-14 13:42 . 2008-04-14 13:43 d--------	C:\Program Files\iSecurity
2008-04-14 13:42 . 2008-04-14 13:42 d--------	C:\Program Files\cjb
2008-04-14 13:42 . 2008-04-14 13:42 d--------	C:\Documents and Settings\mom (and guests)\Application Data\Anti-Virus-Pro.com
2008-04-14 13:42 . 2008-04-14 13:42 d--------	C:\Documents and Settings\All Users\Application Data\grsxeryh
2008-04-14 13:42 . 2008-04-14 13:42	113,664	--a------	C:\WINDOWS\SYSTEM32\nmdkjetgf.dll
2008-04-14 13:42 . 2008-04-14 13:42	90,112	--a------	C:\WINDOWS\SYSTEM32\adqzaxcp.exe
2008-04-14 13:42 . 2008-04-14 13:42	40,448	--a------	C:\WINDOWS\SYSTEM32\khfGwTmk.dll
2008-04-14 13:42 . 2008-04-14 13:42	36,312	--a------	C:\Program Files\bho.exe
2008-04-14 13:42 . 2008-04-14 13:42	21,588	--a------	C:\Program Files\antiviirus.exe
2008-04-14 13:42 . 2008-04-14 13:42	19,584	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\kqmgzzkv.dat
2008-04-14 13:42 . 2008-04-14 13:42	16,464	-r-hs----	C:\Program Files\tmp3.exe
2008-04-14 13:42 . 2008-04-14 13:42	16,464	-r-hs----	C:\Program Files\tmp2.exe
2008-04-14 13:42 . 2008-04-14 13:42	16,464	-r-hs----	C:\Program Files\tmp1.exe
2008-04-14 13:42 . 2008-04-14 13:42	16,464	-r-hs----	C:\Program Files\tmp0.exe
2008-04-14 13:42 . 2008-04-14 13:42	6,144	-r-hs----	C:\WINDOWS\SYSTEM32\iSecurity.cpl
2008-04-14 13:42 . 2008-04-14 13:42	245	--a------	C:\WINDOWS\tmp64003890.bat
2008-04-14 13:42 . 2008-04-14 13:49	90	--a------	C:\WINDOWS\SYSTEM32\n.ini
2008-04-14 13:41 . 2008-04-14 13:41	160,256	--a------	C:\WINDOWS\SYSTEM32\blackster.scr
2008-04-14 13:41 . 2008-04-14 13:41	38,400	--a------	C:\WINDOWS\mrofinu1854.exe
2008-04-14 13:41 . 2005-08-20 10:22	9,728	--a------	C:\WINDOWS\SYSTEM32\spoolvs.exe
2008-04-14 13:41 . 2005-08-20 10:22	9,728	--a------	C:\WINDOWS\SYSTEM32\printer.exe
2008-04-14 13:41 . 2005-08-20 10:22	9,728	--a------	C:\WINDOWS\shell.exe
2008-04-14 13:41 . 2008-04-14 13:41	52	--a------	C:\smp.bat
2008-04-14 13:41 . 2008-04-14 13:41	29	--a------	C:\WINDOWS\SYSTEM32\oegseotw.tmp
2008-04-14 13:40 . 2008-04-14 13:42 d--------	C:\Program Files\AntiVirusPro
2008-04-14 13:40 . 2008-04-14 13:40	269,334	--a------	C:\WINDOWS\SYSTEM32\ctfmonb.bmp
2008-04-14 13:40 . 2008-04-14 13:40	269,334	--a------	C:\WINDOWS\SYSTEM32\credgfedojihsb.bmp
2008-04-14 13:40 . 2008-04-14 13:40	83,968	--a------	C:\WINDOWS\SYSTEM32\ctfmona.exe
2008-04-14 13:40 . 2008-04-14 13:41	40,599	--a------	C:\Documents and Settings\mom (and guests)\cftmon.exe
2008-04-14 13:40 . 2008-04-14 13:41	27,050	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe
2008-04-14 13:40 . 2008-04-14 13:40	25,088	--a------	C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe
2008-04-14 13:40 . 2005-08-18 09:47	18,944	--a------	C:\WINDOWS\SYSTEM32\wowfx.dll
2008-04-14 13:40 . 2008-04-14 13:40	12,800	--a------	C:\blf.exe
2008-04-14 13:40 . 2005-08-20 15:14	9,728	--a------	C:\Documents and Settings\mom (and guests)\Application Data\printer.exe
2008-04-14 13:40 . 2008-04-14 13:40	5,120	--a------	C:\WINDOWS\SYSTEM32\ftpdll.dll
2008-04-14 13:40 . 2008-04-14 13:40	5,120	--a------	C:\Documents and Settings\mom (and guests)\ftpdll.dll
2008-04-14 13:40 . 2008-04-14 13:40	10	--a------	C:\WINDOWS\SYSTEM32\kr_done1
2008-04-14 13:36 . 2008-04-14 13:36 d--------	C:\Program Files\QdrPack
2008-04-14 12:42 . 2007-09-06 00:22	289,144	--a------	C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-14 12:42 . 2006-04-27 17:49	288,417	--a------	C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-14 12:42 . 2008-04-14 19:28	86,528	--a------	C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-14 12:42 . 2008-04-12 13:49	82,432	--a------	C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-14 12:42 . 2003-06-05 21:13	53,248	--a------	C:\WINDOWS\SYSTEM32\Process.exe
2008-04-14 12:42 . 2004-07-31 18:50	51,200	--a------	C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-14 12:42 . 2007-10-04 00:36	25,600	--a------	C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-14 12:42 . 2008-04-14 13:14	3,730	--a------	C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-13 16:48 . 2008-04-13 16:48	85,568	--a------	C:\WINDOWS\SYSTEM32\lujdvdwd.dll
2008-04-13 16:45 . 2008-04-13 16:45	92,736	--a------	C:\WINDOWS\SYSTEM32\mmfsqbby.dll
2008-04-13 16:39 . 2008-04-13 16:39	272,896	--a------	C:\WINDOWS\SYSTEM32\pmnmljGX.dll
2008-04-13 16:39 . 2008-04-14 13:49	271,090	--ahs----	C:\WINDOWS\SYSTEM32\XGjlmnmp.ini2
2008-04-13 16:39 . 2008-04-14 13:49	271,090	--ahs----	C:\WINDOWS\SYSTEM32\XGjlmnmp.ini
2008-04-13 16:39 . 2008-04-13 16:39	95,296	--a------	C:\WINDOWS\SYSTEM32\atyubtoh.dll
2008-04-13 15:16 . 2008-04-13 15:16 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 22:50 . 2008-04-13 16:31	6,362	--ahs----	C:\WINDOWS\SYSTEM32\PsCccMoq.ini
2008-04-12 22:50 . 2008-04-13 16:30	6,322	--ahs----	C:\WINDOWS\SYSTEM32\PsCccMoq.ini2
2008-04-12 22:48 . 2008-04-12 22:48	29,952	--a------	C:\WINDOWS\stcloader.exe
2008-04-12 22:48 . 2008-04-12 22:48	23,552	--a------	C:\WINDOWS\swin32.dll
2008-04-12 22:48 . 2008-04-12 22:48	12,032	--a------	C:\WINDOWS\bokja.exe
2008-04-12 22:47 . 2008-04-12 22:47	27,392	--a------	C:\WINDOWS\2020search2.dll
2008-04-12 13:36 . 2008-04-14 13:49	1,906	--a------	C:\WINDOWS\SYSTEM32\default.htm
2008-04-12 11:47 . 2008-04-12 19:53	354	---hs----	C:\WINDOWS\SYSTEM32\oydvnteg.ini
2008-04-12 11:44 . 2008-04-13 11:45	101,091	--a------	C:\WINDOWS\BMbbedf69b.xml
2008-04-12 11:44 . 2008-04-12 11:44	94,272	--a------	C:\WINDOWS\SYSTEM32\vxsawvvc.dll
2008-04-12 11:44 . 2008-04-13 19:57	22	--a------	C:\WINDOWS\pskt.ini
2008-04-12 11:43 . 2008-04-12 22:41	290,995	--ahs----	C:\WINDOWS\SYSTEM32\lVFgjRqr.ini2
2008-04-12 11:43 . 2008-04-12 22:41	290,995	--ahs----	C:\WINDOWS\SYSTEM32\lVFgjRqr.ini
2008-04-12 11:43 . 2008-04-12 11:43	87,977	--a------	C:\WINDOWS\SYSTEM32\wmsdkns.exe
2008-04-12 11:43 . 2008-04-12 11:43	87,977	--a------	C:\WINDOWS\lfn.exe
2008-04-12 11:43 . 2008-04-14 11:47	138	-r-hs----	C:\WINDOWS\mscon.sio
2008-04-12 11:43 . 2008-04-12 11:43	4	--a------	C:\WINDOWS\SYSTEM32\winfrun32.bin
2008-04-12 11:41 . 2008-04-12 11:41	28,160	--a------	C:\WINDOWS\winself.exe
2008-04-12 11:41 . 2008-04-14 13:42	16	-r-hs----	C:\WINDOWS\conf.inf
2008-04-12 11:41 . 2008-04-14 13:42	4	-r-hs----	C:\WINDOWS\ky.sxc
2008-04-12 11:39 . 2008-04-14 13:36 d--------	C:\Program Files\QdrModule
2008-04-12 11:39 . 2008-04-12 22:43 d--------	C:\Program Files\QdrDrive
2008-04-12 11:39 . 2008-04-12 11:39 d--------	C:\Program Files\ISM
2008-04-12 11:38 . 2008-04-12 11:38	54,272	---------	C:\WINDOWS\SYSTEM32\L5A64.tmp
2008-04-12 11:38 . 2008-04-12 11:38	36,352	--a------	C:\WINDOWS\SYSTEM32\yayaArom.dll
2008-04-12 11:38 . 2008-04-12 11:38	397	--a------	C:\WINDOWS\SYSTEM32\L6CC3.tmp
2008-04-12 11:38 . 2008-04-12 11:38	397	--a------	C:\WINDOWS\SYSTEM32\L6B2C.tmp
2008-04-12 11:38 . 2008-04-12 11:38	397	--a------	C:\WINDOWS\SYSTEM32\L69D5.tmp
2008-04-12 11:38 . 2008-04-12 11:38	397	--a------	C:\WINDOWS\SYSTEM32\L686D.tmp
2008-04-11 12:44 . 2008-04-11 12:44	229,526	--a------	C:\WINDOWS\SYSTEM32\000080.exe
2008-04-04 23:29 . 2008-04-04 23:29	270,694	--a------	C:\WINDOWS\SYSTEM32\000090.exe
2008-03-30 07:02 . 2008-03-30 07:02	190,464	--a------	C:\WINDOWS\SYSTEM32\luapvs.dll
2008-03-28 09:41 . 2008-03-28 09:41	173,563	--a------	C:\WINDOWS\SYSTEM32\msram.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 19:40	15,872	----a-w	C:\WINDOWS\SYSTEM32\svchost.exe
2008-04-14 19:38	---------	d-----w	C:\Documents and Settings\mom (and guests)\Application Data\MSN6
2008-04-14 19:34	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-04-14 19:31	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-13 21:18	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-03-07 03:32	706	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 03:32	23,904	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 03:32	10,537	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.cat
.

------- Sigcheck -------

2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716	C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\svchost.exe
2008-04-14 13:40 15872 bca6d9199e55023e4b3f399f6f7a0542	C:\WINDOWS\SYSTEM32\svchost.exe

2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb	C:\WINDOWS\$NtUninstallKB841533$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe	C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\winlogon.exe
2004-05-26 19:38 487424 5996688f497ceec792c4803758f54f5a	C:\WINDOWS\SYSTEM32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477e64a4-d947-432a-a63a-51a43913433b}]
2008-04-13 16:45	92736	--a------	C:\WINDOWS\System32\mmfsqbby.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8EEB996-62AA-4E48-995D-EADDCAC47476}]
2008-04-12 11:38	36352	--a------	C:\WINDOWS\system32\yayaArom.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF26FAC0-7D4E-46D8-AE64-B277B11443AC}]
2008-03-30 07:02	190464	--a------	C:\WINDOWS\SYSTEM32\luapvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7CCAA14-2A53-4E76-A69B-A3F57EC89813}]
2008-04-13 16:39	272896	--a------	C:\WINDOWS\System32\pmnmljGX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2007-01-15 20:40 38924]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-10-12 18:13 7086080]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:00 13312]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [2008-04-03 07:53 364544]
"Microsoft Windows Installer"="C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\ie.exe" [2008-04-12 11:40 183206]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" [2008-04-04 14:17 352256]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [2008-04-14 13:41 27050]
"autoload"="C:\Documents and Settings\mom (and guests)\cftmon.exe" [2008-04-14 13:41 40599]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [2005-08-17 23:06 9728]
"kjwvvbhz"="C:\WINDOWS\system32\adqzaxcp.exe" [2008-04-14 13:42 90112]
"WintelUpdate"="C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\D11.tmp.exe" [2008-04-14 13:43 0]
"kavir"="C:\WINDOWS\kavir.exe" [2008-04-14 13:44 132608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-09-15 16:21 38912]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-09-15 16:21 38912]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-01-15 20:40 38924]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-01-15 20:40 38924]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-15 20:40 38924]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2007-09-15 16:21 38912]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2007-01-15 20:40 38924]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2007-09-15 16:21 38912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-15 20:40 38924]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22 26248]
"b8dec507"="C:\WINDOWS\System32\lujdvdwd.dll" [2008-04-13 16:48 85568]
"BMbbedf69b"="C:\WINDOWS\System32\atyubtoh.dll" [2008-04-13 16:39 95296]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [2008-04-14 13:41 27050]
"autoload"="C:\Documents and Settings\mom (and guests)\cftmon.exe" [2008-04-14 13:41 40599]
"BluetoothAuthorizationAgent"="C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe" [2008-04-14 13:40 25088]
"ctfmona"="C:\WINDOWS\System32\ctfmona.exe" [2008-04-14 13:40 83968]
"Printer"="C:\WINDOWS\System32\printer.exe" [2005-08-17 23:06 9728]
"icasServ"="C:\WINDOWS\System32\icasServ.exe" [2006-04-15 13:41 13824]
"AntiVirusPro"="C:\Program Files\AntiVirusPro\AntiVirusPro.exe" [2008-03-03 08:10 216064]
"runner1"="C:\WINDOWS\mrofinu1854.exe" [2008-04-14 13:41 38400]
"iSecurity applet"="iSecurity.cpl" [2008-04-14 13:42 6144 C:\WINDOWS\SYSTEM32\iSecurity.cpl]
"antiviirus"="C:\Program Files\antiviirus.exe" [2008-04-14 13:42 21588]
"krqlojel"="C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\cjahcb.nls WLEntryPoint" [ ]
"advap32"="C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\load2.exe" [2008-04-14 13:42 11264]
"cjb"="C:\Program Files\cjb\cjb8.exe" [2008-04-14 13:42 10240]
"PromoReg"="C:\WINDOWS\System32\alt.exe.exe" [2008-04-14 13:57 336384]
"csrss"="C:\WINDOWS\System32\wbem\csrss.exe" [2008-04-14 13:42 26112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"tmp64003890"="cmd /Q /C C:\WINDOWS\tmp64003890.bat" [ ]

C:\Documents and Settings\mom (and guests)\Start Menu\Programs\Startup\
findfast.exe [2005-08-17 23:06:47 9728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-25 22:09:43 113664]
autorun.exe [2005-08-17 23:06:47 9728]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-15 04:31:34 806912]
Wireless Configuration Utility HW.51.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-14 20:53:38 454656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"lcjit"= rundll32.exe "C:\WINDOWS\System32\hsredgrid.nls" WLEntryPoint
"QjbnIox96g"= C:\Documents and Settings\All Users\Application Data\grsxeryh\czkborkb.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A8EEB996-62AA-4E48-995D-EADDCAC47476}"= C:\WINDOWS\system32\yayaArom.dll [2008-04-12 11:38 36352]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PrxComponent"= {6ce51b2d-ec04-48e1-821a-a5506168f1cc} - C:\WINDOWS\Resources\PrxComponent.dll [2008-04-14 13:42 12838]
"tkVwEOFhlh"= {B8DEC5A9-1274-6F03-664F-76A2A60565A6} - C:\WINDOWS\System32\pjxgz.dll [2004-06-17 11:58 32768]
"zip"= {51b30acc-36ac-4639-982a-a62cfccfe4aa} - C:\WINDOWS\Installer\{51b30acc-36ac-4639-982a-a62cfccfe4aa}\zip.dll [2008-04-14 13:42 23338]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nmdkjetgf]
nmdkjetgf.dll 2008-04-14 13:42 113664 C:\WINDOWS\SYSTEM32\nmdkjetgf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaArom]
yayaArom.dll 2008-04-12 11:38 36352 C:\WINDOWS\SYSTEM32\yayaArom.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\pmnmljGX

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 00:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FullAudio]
C:\PROGRA~1\MusicNow\WMPImporter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2003-06-25 11:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-15 20:40 38924 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 11:14 35328 C:\Matt's Things\Other Things\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\mom (and guests)\\Application Data\\printer.exe"=
"C:\\WINDOWS\\System32\\printer.exe"=
"C:\\WINDOWS\\System32\\spoolvs.exe"=
"C:\\WINDOWS\\shell.exe"=
"C:\\Documents and Settings\\mom (and guests)\\Start Menu\\Programs\\Startup\\findfast.exe"=
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12297:TCP"= 12297:TCPxpsp2res.dll,-22005
"1204:TCP"= 1204:TCPxpsp2res.dll,-22005
"60475:TCP"= 60475:TCPxpsp2res.dll,-22005
"45974:TCP"= 45974:TCPxpsp2res.dll,-22005

R2 MSSysInterv1;MSSysInterv;C:\WINDOWS\winself.exe service []
S2 ICF;ICF;C:\WINDOWS\System32\svchost.exe:exe.exe []
S3 lredbooo;lredbooo;C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\lredbooo.sys []

*Newly Created Service* - COMHOST
*Newly Created Service* - GYRKKVKE
*Newly Created Service* - OVM51
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 01:56:48 C:\WINDOWS\Tasks\Calculator.job"
- C:\WINDOWS\SYSTEM32\CALC.EXE
"2008-04-14 12:42:41 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - mom (and guests).job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 13:49:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\svchost.ex_:exe.exe 28160 bytes executable
IPC error: 109 The pipe has been ended.
**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ICF]
"ImagePath"="C:\WINDOWS\System32\svchost.exe:exe.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ovm51]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gyrkkvke]
"ImagePath"="system32\drivers\kqmgzzkv.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\yayaArom.dll
-> C:\WINDOWS\System32\khfGwTmk.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\System32\pmnmljGX.dll

PROCESS: C:\WINDOWS\Explorer.exe
-> C:\WINDOWS\System32\pmnmljGX.dll
-> C:\WINDOWS\System32\lujdvdwd.dll
-> C:\WINDOWS\system32\yayaArom.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
PROCESS: C:\WINDOWS\System32\wbem\csrss.exe
-> C:\WINDOWS\System32\lujdvdwd.dll
.
Completion time: 2008-04-14 14:00:13
ComboFix-quarantined-files.txt 2008-04-14 19:59:08
ComboFix2.txt 2007-08-10 21:27:50

Pre-Run: 2,467,196,928 bytes free
Post-Run: 2,507,964,416 bytes free


----------
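The ComboFix output above is the most useful evidence in this thread, because it lists the persistence points the rogue is using rather than its symptoms: the Winlogon `Shell` value has `C:\WINDOWS\shell.exe` appended after Explorer.exe, random-named DLLs are registered as Winlogon Notify packages (so they load inside winlogon.exe), an extra LSA Authentication Package and an extra SecurityProvider (wowfx.dll) load inside lsass.exe, Task Manager and regedit are disabled by policy, the Windows Firewall is switched off and the malware's own executables sit on its exception list, the ICF service's image is an NTFS alternate data stream on svchost.exe (`svchost.exe:exe.exe`), and a second csrss.exe runs from System32\wbem. The script below is an added example written for this page; it is not part of the thread and not a feature of ComboFix, SDFix or OTScanIt. It walks a ComboFix-style dump and turns those locations into a review list. `SAMPLE_LOG` is excerpted from the log above; the rule set and the "XP default" allow-lists (`DEFAULT_*`, `CORE_SYSTEM32`, the "legitimate exceptions live under Program Files" rule) are this example's assumptions, so a legitimate product can land on the list too (SUPERAntiSpyware's SASWINLO.dll does here), which is why the output is a list for a human to review rather than a verdict.

```python
"""Triage a ComboFix-style autostart dump into a persistence review list.

Added example: not part of the thread and not a feature of ComboFix, SDFix or
OTScanIt. SAMPLE_LOG is excerpted from the log posted above; the rules and the
assumed XP-default allow-lists are this example's assumptions, so the output is
a list for review, not a malware verdict (a legitimate product can appear on it).
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\shell.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaArom]
yayaArom.dll 2008-04-12 11:38 36352 C:\WINDOWS\SYSTEM32\yayaArom.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\pmnmljGX
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\shell.exe"=

R2 MSSysInterv1;MSSysInterv;C:\WINDOWS\winself.exe service []
S2 ICF;ICF;C:\WINDOWS\System32\svchost.exe:exe.exe []
PROCESS: C:\WINDOWS\system32\csrss.exe
PROCESS: C:\WINDOWS\System32\wbem\csrss.exe
"""

# Assumed XP defaults: anything beyond these earns a review entry.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
DEFAULT_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "nocontrolpanel"}
SYSTEM32 = r"c:\windows\system32"  # where these names belong; anywhere else is masquerading
CORE_SYSTEM32 = {"csrss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}


def sections(text):
    """Yield (key, lines) per [key] block; a new [key] or a blank line ends the block."""
    key, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if (line.startswith("[") and line.endswith("]")) or not line:
            if key is not None:
                yield key, body
            key, body = (line[1:-1].lower() if line else None), []
        elif key is not None:
            body.append(line)
    if key is not None:
        yield key, body


def unq(s):
    """Strip quotes and undo the doubled backslashes used inside quoted REG_SZ values."""
    return s.strip('"=').replace("\\\\", "\\")


def triage(text):
    """Return (rule, detail) review items in the order the dump lists them."""
    found = []
    for key, body in sections(text):
        leaf = key.rsplit("\\", 1)[-1]
        if "\\policies\\" in key:  # Task Manager / regedit / Control Panel lockouts
            for m in (re.match(r'"([^"]+)"=\s*(\d+)', l) for l in body):
                if m and m.group(1).lower() in LOCKOUT_POLICIES and m.group(2) != "0":
                    found.append(("lockout-policy", f"{m.group(1)}={m.group(2)}"))
        elif leaf == "winlogon":  # Shell must be exactly Explorer.exe
            for m in (re.match(r'"shell"="(.*)"$', l, re.I) for l in body):
                if m and unq(m.group(1)).lower() != "explorer.exe":
                    found.append(("winlogon-shell", unq(m.group(1))))
        elif "\\winlogon\\notify\\" in key:  # DLL that loads inside winlogon.exe
            for m in (re.search(r"\d+\s+([a-z]:\\.+)$", l, re.I) for l in body):
                if m and m.group(1).rsplit("\\", 1)[-1].lower() not in DEFAULT_NOTIFY_DLLS:
                    found.append(("winlogon-notify", m.group(1)))
        elif leaf == "lsa":  # extra authentication package loads inside lsass.exe
            for m in (re.match(r"authentication packages\s+\S+\s+(.*)", l, re.I) for l in body):
                found += [("lsa-auth-package", v) for v in (m.group(1).split() if m else [])
                          if v.lower() not in DEFAULT_AUTH_PACKAGES]
        elif leaf == "securityproviders":  # extra SSP DLL loads inside lsass.exe
            for m in (re.match(r"securityproviders\s+(.*)", l, re.I) for l in body):
                found += [("security-provider", v.strip()) for v in (m.group(1).split(",") if m else [])
                          if v.strip().lower() not in DEFAULT_SECURITY_PROVIDERS]
        elif leaf == "standardprofile" and any(re.match(r'"enablefirewall"=\s*0', l, re.I) for l in body):
            found.append(("firewall-disabled", key))
        elif "authorizedapplications" in key:  # assumption: legitimate exceptions live under Program Files
            found += [("firewall-exception", unq(l)) for l in body
                      if l.startswith('"') and "\\program files\\" not in unq(l).lower()]
    # Services sit outside any [key] block: "R2 name;display;image [..]".
    for m in re.finditer(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s*\[", text, re.M):
        if re.search(r"\.\w{2,4}:[^\\\s]", m.group(2)):  # image is an NTFS alternate data stream
            found.append(("service-ads-image", f"{m.group(1)}: {m.group(2)}"))
    # A core system binary name running from a directory it never lives in.
    for m in re.finditer(r"^PROCESS:\s+(.+)$", text, re.M):
        folder, _, name = m.group(1).strip().lower().rpartition("\\")
        if name in CORE_SYSTEM32 and folder != SYSTEM32:
            found.append(("masquerading-process", m.group(1).strip()))
    return found
```

`triage(SAMPLE_LOG)` returns ten items for the excerpt, including the SUPERAntiSpyware Notify DLL, which is the point of calling it a review list: the allow-lists are deliberately minimal, and anything a rule does not recognise is shown to a person rather than silently accepted. Feeding it the full log is just `triage(open(path, errors="replace").read())`. The ShellServiceObjectDelayLoad, ShellExecuteHooks and `policies\explorer\run` keys in the same log follow the same `[key]` / value layout and can be added as further branches in the loop.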



## cybertech (Apr 16, 2002)

You still have a lot of baddies there!

*Click here* to download *Dr.Web CureIt* and save it to your desktop.

Doubleclick the *drweb-cureit.exe* file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the *green arrow* at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the icon next to the files found:

[screenshot of the Dr.Web CureIt result-list icon not reproduced]

If so, click it, then click the icon right below and select *Move incurable*, as shown in the next image:

[screenshot of the Move incurable selection not reproduced]

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click *file* and choose *save report list*
Save the report to your desktop. The report will be called *DrWeb.csv*
Close Dr.Web Cureit.
*Reboot* your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.


----------



## yettz (May 6, 2007)

I will try to do this soon! However, the computer is pretty congested with various windows now, including one full screen, and I'm having trouble getting things done. I'm sending this from a 2nd computer. It wasn't too bad before I turned off Norton and began Combofix but has gone way downhill since. Now I am rebooting and will send you the results from Dr. Web CureIt. Many warnings appear now on reboot - rundll, load zip, arrgh!


----------



## yettz (May 6, 2007)

OK now I'm scared. 
After starting Dr.Web CureIt, the screen went blue with the message, "a problem has been detected and windows has been shut down to prevent damage to your computer. .... remove any new programs, etc ... if this is the first time you've seen the stop error screen- restart...." So that is what I'm doing. Help!!


----------



## cybertech (Apr 16, 2002)

OK, let me go through the ComboFix log. There is just so much it may take me a while...


----------



## yettz (May 6, 2007)

I rebooted and tried Dr. W Cure It again - same blue screen... I will be patient, Thank You!!


----------



## cybertech (Apr 16, 2002)

Download *SDFix* and save it to your Desktop.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Double click *SDFix.exe* and choose *Install* to extract it to its own folder on the Desktop. Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer 
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; 
Instead of Windows loading as normal, a menu with options should appear; 
Select the first option, to run Windows in Safe Mode, then press "Enter". 
Choose your usual account. 

 Open the c:\SDFix folder and double click *RunThis.cmd* to start the script. 
 Type *Y* to begin the script. 
 It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 Your system will take longer than normal to restart as the fixtool will be running and removing files. 
 When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons. 
 Finally open the SDFix folder on your desktop and copy and paste the contents of the results file *Report.txt* back onto the forum with a new HijackThis log


----------



## yettz (May 6, 2007)

Thanks for hanging with me!! ... this has become very difficult! (and upsetting) 
I am attempting to run SDfix but am having trouble getting the computer to respond properly through all the attacks. I finally got smart and disconnected it from the Internet. Will send the results as soon as I can! Am rebooting now..


----------



## yettz (May 6, 2007)

I am in safe mode, and looking for the RunThis.cmd file. It is not in the SDFix folder that was extracted from the download. There is a batch file called RunThis.bat, and clicking it opens the DOS prompt window with a blinking cursor, but I can't type anything in the box. Not even Exit. At the top of the window is C:\Windows\System32\cmd.exe There is also a file in the SDfix folder called Catchme.exe - seems suspicious...

Sorta stuck here, please advise.


----------



## yettz (May 6, 2007)

Check that, started whole process over and the program seems to be running now...


----------



## yettz (May 6, 2007)

SDFix didn't ever seem to finish. The screen went to all black with the SAFE MODE labels in the corners, but nothing more. After an hour, I rebooted (power cycled). The 1st desktop background that loaded on reboot was the original Windows one, (old!) but it was quickly replaced with the one hijacked by malware saying this computer is infected. A SDFix box opened saying it was finishing, but nothing happened. There were many new files in the SDFix folder, but the report log was virtually empty. 

Could it be that it was still working and I interrupted when I rebooted? In case this was true, I tried to repeat the SDFix process by starting the Runthis file again, but am back to the earlier problem where the DOS black dialog box opens but nothing happens. 

Please - advise.


----------



## cybertech (Apr 16, 2002)

Please do try to connect this machine to the internet only when you have to and don't use it for anything until we are finished.

Download *OTScanIt.exe *to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
Open the *OTScanit* folder and double-click on *OTScanit.exe* to start the program.
Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file

Please post the resulting log here as an attachment.


Click on the orange *Post a Reply!* button 
scroll down to Manage Attachments 
Click in the box that says Upload File from your Computer
Click the Browse... button and find the file then click open
Click the Upload button
Wait until you see *Current Attachment *and your file name
Click on Close this window
Then submit the reply.


----------



## yettz (May 6, 2007)

Here is the OTScanIt log:
[BTW, the SDFix program stalled on the empty black page again. Even after leaving it all night, no progress.]


----------



## cybertech (Apr 16, 2002)

Please *download* the *OTMoveIt2 by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt2.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
*Copy the lines in the codebox below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
Files to delete:
C:\Documents and Settings\All Users\Application Data\grsxeryh
C:\Program Files\antiviruspro
C:\Program Files\qdrmodule
C:\Program Files\qdrpack
c:\smp.bat
c:\windows\123messenger.per
c:\windows\2020search.dll
c:\windows\2020search2.dll
c:\windows\apphelp32.dll
c:\windows\asferror32.dll
c:\windows\asycfilt32.dll
c:\windows\athprxy32.dll
c:\windows\ati2dvaa32.dll
c:\windows\autodisc32.dll
c:\windows\avifile32.dll
c:\windows\avisynthex32.dll
c:\windows\aviwrap32.dll
c:\windows\bjam.dll
c:\windows\bmbbedf69b.xml
c:\windows\bokja.exe
c:\windows\browserad.dll
c:\windows\cdsm32.dll
c:\windows\changeurl_30.dll
c:\windows\didduid.ini
c:\windows\kavir.exe
c:\windows\ky.sxc
c:\windows\lfn.exe
c:\windows\mrofinu1854.exe
c:\windows\msa64chk.dll
c:\windows\msapasrc.dll
c:\windows\mscon.sio
c:\windows\mspphe.dll
c:\windows\mssvr.exe
c:\windows\nivavir.config
c:\windows\ntnut.exe
c:\windows\pskt.ini
c:\windows\saiemod.dll
c:\windows\shdocpe.dll
c:\windows\shdocpl.dll
c:\windows\stcloader.exe
c:\windows\swin32.dll
c:\windows\system32\000080.exe
c:\windows\system32\000090.exe
c:\windows\system32\adqzaxcp.exe 
c:\windows\system32\alt.exe.exe
c:\windows\system32\atyubtoh.dll
c:\windows\system32\blackster.scr
c:\windows\system32\ctfmona.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\dwdvdjul.ini
c:\windows\system32\ftpdll.dll
c:\windows\system32\hcnqt.drv
c:\windows\system32\isecurity.cpl
c:\windows\system32\ixvcohok.ini
c:\windows\system32\jmwmhefw.dll 
c:\windows\system32\khfgwtmk.dll
c:\windows\system32\luapvs.dll
c:\windows\system32\lvfgjrqr.ini
c:\windows\system32\mmfsqbby.dll
c:\windows\system32\msram.dll
c:\windows\system32\n.ini
c:\windows\system32\oydvnteg.ini
c:\windows\system32\pscccmoq.ini
c:\windows\system32\pscccmoq.ini2
c:\windows\system32\shift.exe.exe
c:\windows\system32\svcp.csv
c:\windows\system32\vcdwruji.exe
c:\windows\system32\vcdwruji.exe 
c:\windows\system32\vxsawvvc.dll
c:\windows\system32\winfrun32.bin
c:\windows\system32\winsub.xml
c:\windows\system32\wmsdkns.exe
c:\windows\system32\ws2fix.exe
c:\windows\system32\xgjlmnmp.ini
c:\windows\system32\xslenavg.exe
c:\windows\system32\xslenavg.exe 
c:\windows\system32\xwhookyj.dll
c:\windows\system32\yayaarom.dll
c:\windows\tmp64003890.bat
c:\windows\voiceip.dll
c:\windows\winsb.dll
c:\windows\winself.exe
c:\windows\zip.exe
%userprofile%\local settings\temp\ie.exe
c:\documents and settings\all users\application data\grsxeryh\czkborkb.exe
```

 Return to OTMoveIt2, right click in the *"Paste Custom List Of Files/Patterns To Move"* window (under the yellow bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTMoveIt2*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter **.log* and press the Enter key, navigate to the *C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Start *OTScanIt*. Copy/Paste the information in the Code box below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> czkborkb.exe -> %AllUsersProfile%\Application Data\grsxeryh\czkborkb.exe
YY -> qdrmodule15.exe -> %ProgramFiles%\QdrModule\QdrModule15.exe
YY -> ie.exe -> %UserProfile%\Local Settings\Temp\ie.exe
YY -> qdrpack15.exe -> %ProgramFiles%\QdrPack\QdrPack15.exe
YY -> adqzaxcp.exe -> %SystemRoot%\SYSTEM32\adqzaxcp.exe
YY -> winself.exe -> %SystemRoot%\winself.exe
[Win32 Services - Non-Microsoft Only]
YY -> (MSSysInterv1) MSSysInterv [Win32_Shared | Auto | Running] -> %SystemRoot%\winself.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> AntiVirusPro -> %ProgramFiles%\AntiVirusPro\AntiVirusPro.exe [C:\Program Files\AntiVirusPro\AntiVirusPro.exe]
YN -> b8dec507 -> %SystemRoot%\System32\kohocvxi.DLL [rundll32.exe "C:\WINDOWS\System32\kohocvxi.dll",b]
YY -> BMbbedf69b -> %SystemRoot%\SYSTEM32\jmwmhefw.dll [Rundll32.exe "C:\WINDOWS\System32\jmwmhefw.dll",s]
YN -> krqlojel -> [rundll32.exe "C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\bdnhfjfjjnj.nls" WLEntryPoint]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> atcpsyqb -> %SystemRoot%\SYSTEM32\xslenavg.exe [C:\WINDOWS\system32\xslenavg.exe]
YY -> awnsgget -> %SystemRoot%\SYSTEM32\vcdwruji.exe [C:\WINDOWS\system32\vcdwruji.exe]
YY -> kjwvvbhz -> %SystemRoot%\SYSTEM32\adqzaxcp.exe [C:\WINDOWS\system32\adqzaxcp.exe]
YY -> Microsoft Windows Installer -> %UserProfile%\Local Settings\Temp\ie.exe [C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\ie.exe]
YY -> QdrModule15 -> %ProgramFiles%\QdrModule\QdrModule15.exe ["C:\Program Files\QdrModule\QdrModule15.exe"]
YY -> QdrPack15 -> %ProgramFiles%\QdrPack\QdrPack15.exe ["C:\Program Files\QdrPack\QdrPack15.exe"]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {A8EEB996-62AA-4E48-995D-EADDCAC47476} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\yayaArom.dll []
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\System32\wmsdkns.exe -> %SystemRoot%\SYSTEM32\wmsdkns.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*TaskMan* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan
YN -> rundll32.exe "C:\WINDOWS\System32\tsrapkr.dll" WLEntryPoint -> %SystemRoot%\System32\tsrapkr.DLL
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> yayaArom -> %SystemRoot%\SYSTEM32\yayaArom.dll
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YY -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\QjbnIox96g -> C:\Documents and Settings\All Users\Application Data\grsxeryh\czkborkb.exe [C:\Documents and Settings\All Users\Application Data\grsxeryh\czkborkb.exe]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {00000250-0320-4dd4-be4f-7566d2314352} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {13197ace-6851-45c3-a7ff-c281324d5489} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {15651c7c-e812-44a2-a9ac-b467a2233e7d} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {477e64a4-d947-432a-a63a-51a43913433b} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\mmfsqbby.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {4e1075f4-eec4-4a86-add7-cd5f52858c31} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {5dafd089-24b1-4c5e-bd42-8ca72550717b} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {5fa6752a-c4a0-4222-88c2-928ae5ab4966} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {622cc208-b014-4fe0-801b-874a5e5e403a} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {8674aea0-9d3d-11d9-99dc-00600f9a01f1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {965a592f-8efa-4250-8630-7960230792f1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {9c5b2f29-1f46-4639-a6b4-828942301d3e} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {A8EEB996-62AA-4E48-995D-EADDCAC47476} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\yayaArom.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {cf021f40-3e14-23a5-cba2-717765728274} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {fc3a74e5-f281-4f10-ae1e-733078684f3c} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {ffff0001-0002-101a-a3c9-08002b2f49fb} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> 6 C:\*.tmp files -> C:\*.tmp
NY -> smp.bat -> %SystemDrive%\smp.bat
NY -> 000080.exe -> %SystemRoot%\System32\000080.exe
NY -> 000090.exe -> %SystemRoot%\System32\000090.exe
NY -> adqzaxcp.exe -> %SystemRoot%\System32\adqzaxcp.exe
NY -> alt.exe.exe -> %SystemRoot%\System32\alt.exe.exe
NY -> atyubtoh.dll -> %SystemRoot%\System32\atyubtoh.dll
NY -> blackster.scr -> %SystemRoot%\System32\blackster.scr
NY -> ctfmona.exe -> %SystemRoot%\System32\ctfmona.exe
NY -> dumphive.exe -> %SystemRoot%\System32\dumphive.exe
NY -> dwdvdjul.ini -> %SystemRoot%\System32\dwdvdjul.ini
NY -> ftpdll.dll -> %SystemRoot%\System32\ftpdll.dll
NY -> hcnqt.drv -> %SystemRoot%\System32\hcnqt.drv
NY -> iSecurity.cpl -> %SystemRoot%\System32\iSecurity.cpl
NY -> ixvcohok.ini -> %SystemRoot%\System32\ixvcohok.ini
NY -> jmwmhefw.dll -> %SystemRoot%\System32\jmwmhefw.dll
NY -> khfGwTmk.dll -> %SystemRoot%\System32\khfGwTmk.dll
NY -> luapvs.dll -> %SystemRoot%\System32\luapvs.dll
NY -> lVFgjRqr.ini -> %SystemRoot%\System32\lVFgjRqr.ini
NY -> mmfsqbby.dll -> %SystemRoot%\System32\mmfsqbby.dll
NY -> msram.dll -> %SystemRoot%\System32\msram.dll
NY -> n.ini -> %SystemRoot%\System32\n.ini
NY -> oydvnteg.ini -> %SystemRoot%\System32\oydvnteg.ini
NY -> PsCccMoq.ini -> %SystemRoot%\System32\PsCccMoq.ini
NY -> PsCccMoq.ini2 -> %SystemRoot%\System32\PsCccMoq.ini2
NY -> shift.exe.exe -> %SystemRoot%\System32\shift.exe.exe
NY -> svcp.csv -> %SystemRoot%\System32\svcp.csv
NY -> vcdwruji.exe -> %SystemRoot%\System32\vcdwruji.exe
NY -> vxsawvvc.dll -> %SystemRoot%\System32\vxsawvvc.dll
NY -> winfrun32.bin -> %SystemRoot%\System32\winfrun32.bin
NY -> winsub.xml -> %SystemRoot%\System32\winsub.xml
NY -> wmsdkns.exe -> %SystemRoot%\System32\wmsdkns.exe
NY -> WS2Fix.exe -> %SystemRoot%\System32\WS2Fix.exe
NY -> XGjlmnmp.ini -> %SystemRoot%\System32\XGjlmnmp.ini
NY -> xslenavg.exe -> %SystemRoot%\System32\xslenavg.exe
NY -> xwhookyj.dll -> %SystemRoot%\System32\xwhookyj.dll
NY -> 123messenger.per -> %SystemRoot%\123messenger.per
NY -> 2020search.dll -> %SystemRoot%\2020search.dll
NY -> 2020search2.dll -> %SystemRoot%\2020search2.dll
NY -> apphelp32.dll -> %SystemRoot%\apphelp32.dll
NY -> asferror32.dll -> %SystemRoot%\asferror32.dll
NY -> asycfilt32.dll -> %SystemRoot%\asycfilt32.dll
NY -> athprxy32.dll -> %SystemRoot%\athprxy32.dll
NY -> ati2dvaa32.dll -> %SystemRoot%\ati2dvaa32.dll
NY -> ati2dvag32.dll -> %SystemRoot%\ati2dvag32.dll
NY -> audiosrv32.dll -> %SystemRoot%\audiosrv32.dll
NY -> autodisc32.dll -> %SystemRoot%\autodisc32.dll
NY -> avifile32.dll -> %SystemRoot%\avifile32.dll
NY -> avisynthex32.dll -> %SystemRoot%\avisynthex32.dll
NY -> aviwrap32.dll -> %SystemRoot%\aviwrap32.dll
NY -> bjam.dll -> %SystemRoot%\bjam.dll
NY -> BMbbedf69b.xml -> %SystemRoot%\BMbbedf69b.xml
NY -> bokja.exe -> %SystemRoot%\bokja.exe
NY -> browserad.dll -> %SystemRoot%\browserad.dll
NY -> cdsm32.dll -> %SystemRoot%\cdsm32.dll
NY -> changeurl_30.dll -> %SystemRoot%\changeurl_30.dll
NY -> didduid.ini -> %SystemRoot%\didduid.ini
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> kavir.exe -> %SystemRoot%\kavir.exe
NY -> ky.sxc -> %SystemRoot%\ky.sxc
NY -> lfn.exe -> %SystemRoot%\lfn.exe
NY -> mrofinu1854.exe -> %SystemRoot%\mrofinu1854.exe
NY -> msa64chk.dll -> %SystemRoot%\msa64chk.dll
NY -> msapasrc.dll -> %SystemRoot%\msapasrc.dll
NY -> mscon.sio -> %SystemRoot%\mscon.sio
NY -> mspphe.dll -> %SystemRoot%\mspphe.dll
NY -> mssvr.exe -> %SystemRoot%\mssvr.exe
NY -> nivavir.config -> %SystemRoot%\nivavir.config
NY -> ntnut.exe -> %SystemRoot%\ntnut.exe
NY -> pskt.ini -> %SystemRoot%\pskt.ini
NY -> saiemod.dll -> %SystemRoot%\saiemod.dll
NY -> shdocpe.dll -> %SystemRoot%\shdocpe.dll
NY -> shdocpl.dll -> %SystemRoot%\shdocpl.dll
NY -> stcloader.exe -> %SystemRoot%\stcloader.exe
NY -> swin32.dll -> %SystemRoot%\swin32.dll
NY -> tmp64003890.bat -> %SystemRoot%\tmp64003890.bat
NY -> voiceip.dll -> %SystemRoot%\voiceip.dll
NY -> winsb.dll -> %SystemRoot%\winsb.dll
NY -> winself.exe -> %SystemRoot%\winself.exe
NY -> zip.exe -> %SystemRoot%\zip.exe
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new OTScanIt scan*.

I will review the information when it comes back in.


----------



## yettz (May 6, 2007)

No rundll messages at startup this time, but no changes to the screwed up desktop yet.
Here are the results:

OTMoveIt log:

File/Folder Files to delete: not found.
C:\Documents and Settings\All Users\Application Data\grsxeryh moved successfully.
C:\Program Files\antiviruspro\Quarantine moved successfully.
C:\Program Files\antiviruspro moved successfully.
C:\Program Files\qdrmodule moved successfully.
C:\Program Files\qdrpack moved successfully.
c:\smp.bat moved successfully.
c:\windows\123messenger.per moved successfully.
LoadLibrary failed for c:\windows\2020search.dll
c:\windows\2020search.dll NOT unregistered.
c:\windows\2020search.dll moved successfully.
LoadLibrary failed for c:\windows\2020search2.dll
c:\windows\2020search2.dll NOT unregistered.
c:\windows\2020search2.dll moved successfully.
LoadLibrary failed for c:\windows\apphelp32.dll
c:\windows\apphelp32.dll NOT unregistered.
c:\windows\apphelp32.dll moved successfully.
LoadLibrary failed for c:\windows\asferror32.dll
c:\windows\asferror32.dll NOT unregistered.
c:\windows\asferror32.dll moved successfully.
LoadLibrary failed for c:\windows\asycfilt32.dll
c:\windows\asycfilt32.dll NOT unregistered.
c:\windows\asycfilt32.dll moved successfully.
LoadLibrary failed for c:\windows\athprxy32.dll
c:\windows\athprxy32.dll NOT unregistered.
c:\windows\athprxy32.dll moved successfully.
LoadLibrary failed for c:\windows\ati2dvaa32.dll
c:\windows\ati2dvaa32.dll NOT unregistered.
c:\windows\ati2dvaa32.dll moved successfully.
LoadLibrary failed for c:\windows\autodisc32.dll
c:\windows\autodisc32.dll NOT unregistered.
c:\windows\autodisc32.dll moved successfully.
LoadLibrary failed for c:\windows\avifile32.dll
c:\windows\avifile32.dll NOT unregistered.
c:\windows\avifile32.dll moved successfully.
LoadLibrary failed for c:\windows\avisynthex32.dll
c:\windows\avisynthex32.dll NOT unregistered.
c:\windows\avisynthex32.dll moved successfully.
LoadLibrary failed for c:\windows\aviwrap32.dll
c:\windows\aviwrap32.dll NOT unregistered.
c:\windows\aviwrap32.dll moved successfully.
LoadLibrary failed for c:\windows\bjam.dll
c:\windows\bjam.dll NOT unregistered.
c:\windows\bjam.dll moved successfully.
c:\windows\bmbbedf69b.xml moved successfully.
c:\windows\bokja.exe moved successfully.
LoadLibrary failed for c:\windows\browserad.dll
c:\windows\browserad.dll NOT unregistered.
c:\windows\browserad.dll moved successfully.
LoadLibrary failed for c:\windows\cdsm32.dll
c:\windows\cdsm32.dll NOT unregistered.
c:\windows\cdsm32.dll moved successfully.
LoadLibrary failed for c:\windows\changeurl_30.dll
c:\windows\changeurl_30.dll NOT unregistered.
c:\windows\changeurl_30.dll moved successfully.
c:\windows\didduid.ini moved successfully.
File/Folder c:\windows\kavir.exe not found.
c:\windows\ky.sxc moved successfully.
c:\windows\lfn.exe moved successfully.
c:\windows\mrofinu1854.exe moved successfully.
LoadLibrary failed for c:\windows\msa64chk.dll
c:\windows\msa64chk.dll NOT unregistered.
c:\windows\msa64chk.dll moved successfully.
LoadLibrary failed for c:\windows\msapasrc.dll
c:\windows\msapasrc.dll NOT unregistered.
c:\windows\msapasrc.dll moved successfully.
c:\windows\mscon.sio moved successfully.
LoadLibrary failed for c:\windows\mspphe.dll
c:\windows\mspphe.dll NOT unregistered.
c:\windows\mspphe.dll moved successfully.
c:\windows\mssvr.exe moved successfully.
c:\windows\nivavir.config moved successfully.
c:\windows\ntnut.exe moved successfully.
c:\windows\pskt.ini moved successfully.
LoadLibrary failed for c:\windows\saiemod.dll
c:\windows\saiemod.dll NOT unregistered.
c:\windows\saiemod.dll moved successfully.
LoadLibrary failed for c:\windows\shdocpe.dll
c:\windows\shdocpe.dll NOT unregistered.
c:\windows\shdocpe.dll moved successfully.
LoadLibrary failed for c:\windows\shdocpl.dll
c:\windows\shdocpl.dll NOT unregistered.
c:\windows\shdocpl.dll moved successfully.
c:\windows\stcloader.exe moved successfully.
LoadLibrary failed for c:\windows\swin32.dll
c:\windows\swin32.dll NOT unregistered.
c:\windows\swin32.dll moved successfully.
c:\windows\system32\000080.exe moved successfully.
c:\windows\system32\000090.exe moved successfully.
c:\windows\system32\adqzaxcp.exe moved successfully.
c:\windows\system32\alt.exe.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\atyubtoh.dll
c:\windows\system32\atyubtoh.dll NOT unregistered.
c:\windows\system32\atyubtoh.dll moved successfully.
c:\windows\system32\blackster.scr moved successfully.
c:\windows\system32\ctfmona.exe moved successfully.
c:\windows\system32\dumphive.exe moved successfully.
c:\windows\system32\dwdvdjul.ini moved successfully.
File/Folder c:\windows\system32\ftpdll.dll not found.
File/Folder c:\windows\system32\hcnqt.drv not found.
c:\windows\system32\isecurity.cpl moved successfully.
c:\windows\system32\ixvcohok.ini moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\jmwmhefw.dll
c:\windows\system32\jmwmhefw.dll NOT unregistered.
c:\windows\system32\jmwmhefw.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\khfgwtmk.dll
c:\windows\system32\khfgwtmk.dll NOT unregistered.
c:\windows\system32\khfgwtmk.dll moved successfully.
c:\windows\system32\luapvs.dll unregistered successfully.
c:\windows\system32\luapvs.dll moved successfully.
c:\windows\system32\lvfgjrqr.ini moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\mmfsqbby.dll
c:\windows\system32\mmfsqbby.dll NOT unregistered.
c:\windows\system32\mmfsqbby.dll moved successfully.
File/Folder c:\windows\system32\msram.dll not found.
c:\windows\system32\n.ini moved successfully.
c:\windows\system32\oydvnteg.ini moved successfully.
c:\windows\system32\pscccmoq.ini moved successfully.
c:\windows\system32\pscccmoq.ini2 moved successfully.
File/Folder c:\windows\system32\shift.exe.exe not found.
c:\windows\system32\svcp.csv moved successfully.
c:\windows\system32\vcdwruji.exe moved successfully.
File/Folder c:\windows\system32\vcdwruji.exe not found.
DllUnregisterServer procedure not found in c:\windows\system32\vxsawvvc.dll
c:\windows\system32\vxsawvvc.dll NOT unregistered.
c:\windows\system32\vxsawvvc.dll moved successfully.
c:\windows\system32\winfrun32.bin moved successfully.
c:\windows\system32\winsub.xml moved successfully.
c:\windows\system32\wmsdkns.exe moved successfully.
c:\windows\system32\ws2fix.exe moved successfully.
c:\windows\system32\xgjlmnmp.ini moved successfully.
c:\windows\system32\xslenavg.exe moved successfully.
File/Folder c:\windows\system32\xslenavg.exe not found.
File/Folder c:\windows\system32\xwhookyj.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\yayaarom.dll
c:\windows\system32\yayaarom.dll NOT unregistered.
File move failed. c:\windows\system32\yayaarom.dll scheduled to be moved on reboot.
c:\windows\tmp64003890.bat moved successfully.
LoadLibrary failed for c:\windows\voiceip.dll
c:\windows\voiceip.dll NOT unregistered.
c:\windows\voiceip.dll moved successfully.
LoadLibrary failed for c:\windows\winsb.dll
c:\windows\winsb.dll NOT unregistered.
c:\windows\winsb.dll moved successfully.
c:\windows\winself.exe moved successfully.
c:\windows\zip.exe moved successfully.
< %userprofile%\local settings\temp\ie.exe >
C:\Documents and Settings\mom (and guests)\local settings\temp\ie.exe moved successfully.
File/Folder c:\documents and settings\all users\application data\grsxeryh\czkborkb.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04152008_172905

Files moved on Reboot...
DllUnregisterServer procedure not found in c:\windows\system32\yayaarom.dll
c:\windows\system32\yayaarom.dll NOT unregistered.
File move failed. c:\windows\system32\yayaarom.dll scheduled to be moved on reboot.

OTScanIt LOG:
Explorer killed successfully
[Processes - Non-Microsoft Only]
Unable to kill process czkborkb.exe .
File C:\Documents and Settings\All Users\Application Data\grsxeryh\czkborkb.exe not found.
Unable to kill process qdrmodule15.exe .
File C:\Program Files\QdrModule\QdrModule15.exe not found.
Unable to kill process ie.exe .
File C:\Documents and Settings\mom (and guests)\Local Settings\Temp\ie.exe not found.
Unable to kill process qdrpack15.exe .
File C:\Program Files\QdrPack\QdrPack15.exe not found.
Unable to kill process adqzaxcp.exe .
File C:\WINDOWS\SYSTEM32\adqzaxcp.exe not found.
Unable to kill process winself.exe .
File C:\WINDOWS\winself.exe not found.
[Win32 Services - Non-Microsoft Only]
Service MSSysInterv1 stopped successfully.
Service MSSysInterv1 deleted successfully.
File C:\WINDOWS\winself.exe not found.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AntiVirusPro deleted successfully.
File C:\Program Files\AntiVirusPro\AntiVirusPro.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\b8dec507 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMbbedf69b deleted successfully.
File C:\WINDOWS\SYSTEM32\jmwmhefw.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\krqlojel deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\atcpsyqb deleted successfully.
File C:\WINDOWS\SYSTEM32\xslenavg.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\awnsgget deleted successfully.
File C:\WINDOWS\SYSTEM32\vcdwruji.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\kjwvvbhz deleted successfully.
File C:\WINDOWS\SYSTEM32\adqzaxcp.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Windows Installer deleted successfully.
File C:\Documents and Settings\mom (and guests)\Local Settings\Temp\ie.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QdrModule15 deleted successfully.
File C:\Program Files\QdrModule\QdrModule15.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QdrPack15 deleted successfully.
File C:\Program Files\QdrPack\QdrPack15.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{A8EEB996-62AA-4E48-995D-EADDCAC47476} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8EEB996-62AA-4E48-995D-EADDCAC47476}\ deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\yayaArom.dll
C:\WINDOWS\SYSTEM32\yayaArom.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\yayaArom.dll scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\System32\wmsdkns.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\wmsdkns.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan:rundll32.exe "C:\WINDOWS\System32\tsrapkr.dll" WLEntryPoint deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayaArom\ deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\yayaArom.dll
C:\WINDOWS\SYSTEM32\yayaArom.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\yayaArom.dll scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\QjbnIox96g deleted successfully.
File C:\Documents and Settings\All Users\Application Data\grsxeryh\czkborkb.exe not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000250-0320-4dd4-be4f-7566d2314352}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13197ace-6851-45c3-a7ff-c281324d5489}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{15651c7c-e812-44a2-a9ac-b467a2233e7d}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{477e64a4-d947-432a-a63a-51a43913433b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{477e64a4-d947-432a-a63a-51a43913433b}\ deleted successfully.
File C:\WINDOWS\SYSTEM32\mmfsqbby.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e1075f4-eec4-4a86-add7-cd5f52858c31}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5dafd089-24b1-4c5e-bd42-8ca72550717b}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{622cc208-b014-4fe0-801b-874a5e5e403a}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{965a592f-8efa-4250-8630-7960230792f1}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9c5b2f29-1f46-4639-a6b4-828942301d3e}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8EEB996-62AA-4E48-995D-EADDCAC47476}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8EEB996-62AA-4E48-995D-EADDCAC47476}\ deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\yayaArom.dll
C:\WINDOWS\SYSTEM32\yayaArom.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\yayaArom.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cf021f40-3e14-23a5-cba2-717765728274}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fc3a74e5-f281-4f10-ae1e-733078684f3c}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ffff0001-0002-101a-a3c9-08002b2f49fb}\ not found.
[Files/Folders - Created Within 30 days]
C:\~QTWTMP.TMP folder deleted successfully.
File C:\smp.bat not found!
File C:\WINDOWS\System32\000080.exe not found!
File C:\WINDOWS\System32\000090.exe not found!
File C:\WINDOWS\System32\adqzaxcp.exe not found!
File C:\WINDOWS\System32\alt.exe.exe not found!
File C:\WINDOWS\System32\atyubtoh.dll not found!
File C:\WINDOWS\System32\blackster.scr not found!
File C:\WINDOWS\System32\ctfmona.exe not found!
File C:\WINDOWS\System32\dumphive.exe not found!
File C:\WINDOWS\System32\dwdvdjul.ini not found!
File C:\WINDOWS\System32\ftpdll.dll not found!
File C:\WINDOWS\System32\hcnqt.drv not found!
File C:\WINDOWS\System32\iSecurity.cpl not found!
File C:\WINDOWS\System32\ixvcohok.ini not found!
File C:\WINDOWS\System32\jmwmhefw.dll not found!
File C:\WINDOWS\System32\khfGwTmk.dll not found!
File C:\WINDOWS\System32\luapvs.dll not found!
File C:\WINDOWS\System32\lVFgjRqr.ini not found!
File C:\WINDOWS\System32\mmfsqbby.dll not found!
File C:\WINDOWS\System32\msram.dll not found!
File C:\WINDOWS\System32\n.ini not found!
File C:\WINDOWS\System32\oydvnteg.ini not found!
File C:\WINDOWS\System32\PsCccMoq.ini not found!
File C:\WINDOWS\System32\PsCccMoq.ini2 not found!
File C:\WINDOWS\System32\shift.exe.exe not found!
File C:\WINDOWS\System32\svcp.csv not found!
File C:\WINDOWS\System32\vcdwruji.exe not found!
File C:\WINDOWS\System32\vxsawvvc.dll not found!
File C:\WINDOWS\System32\winfrun32.bin not found!
File C:\WINDOWS\System32\winsub.xml not found!
File C:\WINDOWS\System32\wmsdkns.exe not found!
File C:\WINDOWS\System32\WS2Fix.exe not found!
File C:\WINDOWS\System32\XGjlmnmp.ini not found!
File C:\WINDOWS\System32\xslenavg.exe not found!
File C:\WINDOWS\System32\xwhookyj.dll not found!
C:\WINDOWS\123messenger.per moved successfully.
LoadLibrary failed for C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search.dll NOT unregistered.
C:\WINDOWS\2020search.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\2020search2.dll
C:\WINDOWS\2020search2.dll NOT unregistered.
C:\WINDOWS\2020search2.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\apphelp32.dll
C:\WINDOWS\apphelp32.dll NOT unregistered.
C:\WINDOWS\apphelp32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\asferror32.dll
C:\WINDOWS\asferror32.dll NOT unregistered.
C:\WINDOWS\asferror32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\asycfilt32.dll NOT unregistered.
C:\WINDOWS\asycfilt32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\athprxy32.dll
C:\WINDOWS\athprxy32.dll NOT unregistered.
C:\WINDOWS\athprxy32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvaa32.dll NOT unregistered.
C:\WINDOWS\ati2dvaa32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\ati2dvag32.dll NOT unregistered.
C:\WINDOWS\ati2dvag32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\audiosrv32.dll NOT unregistered.
C:\WINDOWS\audiosrv32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\autodisc32.dll
C:\WINDOWS\autodisc32.dll NOT unregistered.
C:\WINDOWS\autodisc32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\avifile32.dll
C:\WINDOWS\avifile32.dll NOT unregistered.
C:\WINDOWS\avifile32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\avisynthex32.dll NOT unregistered.
C:\WINDOWS\avisynthex32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\aviwrap32.dll NOT unregistered.
C:\WINDOWS\aviwrap32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\bjam.dll
C:\WINDOWS\bjam.dll NOT unregistered.
C:\WINDOWS\bjam.dll moved successfully.
File C:\WINDOWS\BMbbedf69b.xml not found!
C:\WINDOWS\bokja.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\browserad.dll
C:\WINDOWS\browserad.dll NOT unregistered.
C:\WINDOWS\browserad.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cdsm32.dll NOT unregistered.
C:\WINDOWS\cdsm32.dll moved successfully.
File C:\WINDOWS\changeurl_30.dll not found!
C:\WINDOWS\didduid.ini moved successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
File C:\WINDOWS\kavir.exe not found!
C:\WINDOWS\ky.sxc moved successfully.
File C:\WINDOWS\lfn.exe not found!
File C:\WINDOWS\mrofinu1854.exe not found!
LoadLibrary failed for C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msa64chk.dll NOT unregistered.
C:\WINDOWS\msa64chk.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\msapasrc.dll
C:\WINDOWS\msapasrc.dll NOT unregistered.
C:\WINDOWS\msapasrc.dll moved successfully.
File C:\WINDOWS\mscon.sio not found!
LoadLibrary failed for C:\WINDOWS\mspphe.dll
C:\WINDOWS\mspphe.dll NOT unregistered.
C:\WINDOWS\mspphe.dll moved successfully.
C:\WINDOWS\mssvr.exe moved successfully.
File C:\WINDOWS\nivavir.config not found!
File C:\WINDOWS\ntnut.exe not found!
File C:\WINDOWS\pskt.ini not found!
File C:\WINDOWS\saiemod.dll not found!
File C:\WINDOWS\shdocpe.dll not found!
File C:\WINDOWS\shdocpl.dll not found!
File C:\WINDOWS\stcloader.exe not found!
File C:\WINDOWS\swin32.dll not found!
File C:\WINDOWS\tmp64003890.bat not found!
File C:\WINDOWS\voiceip.dll not found!
File C:\WINDOWS\winsb.dll not found!
File C:\WINDOWS\winself.exe not found!
File C:\WINDOWS\zip.exe not found!
[Extra Files]
< Purity >
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\mom (and guests)\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.9.0 fix logfile created on 04152008_174606

NEW OTScanIT report in attachment


----------



## cybertech (Apr 16, 2002)

Open Notepad and copy and paste the text in the quote box below into it:


> KILLALL::
> 
> File::
> 
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## yettz (May 6, 2007)

ComboFix seems to be stalled. It completed stage 43, and began deleting files/folders, but it is stalled and has not completed. The desktop background is there, but no taskbar and only the C:\ command window is open. I've left it alone for 2 hours... Should I interrupt it and try again?


----------



## yettz (May 6, 2007)

Found an antivirus warning window that I had moved way into the corner, saying an executable file was trying to access the Internet. Didn't recognize the program, so I blocked it and the Combofix started up again. Here is the .log file, followed by the HJT log. Thanks so much for your continued help!!

ComboFix 08-04-13.3 - mom (and guests) 2008-04-16 11:20:32.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.147 [GMT -6:00]
Running from: C:\Documents and Settings\mom (and guests)\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mom (and guests)\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE ::
C:\WINDOWS\System32\drivers\kqmgzzkv.dat
C:\WINDOWS\System32\kr_done1
C:\WINDOWS\System32\lVFgjRqr.ini2
C:\WINDOWS\SYSTEM32\pjxgz.dll
C:\WINDOWS\SYSTEM32\yayaArom.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Desktop\Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Register Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Start Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Uninstall.lnk
C:\Documents and Settings\mom (and guests)\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\mom (and guests)\Application Data\Microsoft\Internet Explorer\Quick Launch\Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\mom (and guests)\Application Data\printer.exe
C:\Documents and Settings\mom (and guests)\ftpdll.dll
C:\Documents and Settings\mom (and guests)\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\mom (and guests)\Local Settings\Application Data\n.ini
C:\Program Files\antiviirus.exe
C:\Program Files\BHO
C:\Program Files\bho.exe
C:\Program Files\BHO\bho.dat
C:\Program Files\BHO\er.dat
C:\Program Files\BHO\uninstall.exe
C:\Program Files\cjb
C:\Program Files\cjb\cjb8.exe
C:\Program Files\iSecurity
C:\Program Files\iSecurity\{32FF2108-1EF0-4ae8-8C23-17C92EAA5DEF}\install.exe
C:\Program Files\iSecurity\iSecurity.dat
C:\Program Files\iSecurity\ucleaner.bmp
C:\Program Files\iSecurity\ucleaneri.bmp
C:\Program Files\iSecurity\udefender.bmp
C:\Program Files\iSecurity\udefenderi.bmp
C:\Program Files\iSecurity\v5\iSecurity.cpl
C:\Program Files\iSecurity\winifixer.bmp
C:\Program Files\iSecurity\winifixeri.bmp
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\tmp0.exe
C:\Program Files\tmp1.exe
C:\Program Files\tmp2.exe
C:\Program Files\tmp3.exe
C:\WINDOWS\conf.inf
C:\WINDOWS\cookies.ini
C:\WINDOWS\licencia.txt
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\System32\drivers\kqmgzzkv.dat
C:\WINDOWS\System32\kr_done1
C:\WINDOWS\System32\lVFgjRqr.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\pjxgz.dll
C:\WINDOWS\SYSTEM32\yayaArom.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF
-------\Legacy_gyrkkvke
-------\gyrkkvke

((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 17:29 . 2008-04-15 17:29 d--------	C:\_OTMoveIt
2008-04-14 18:55 . 2008-04-15 15:36 d--------	C:\SDFix
2008-04-14 17:44 . 2008-04-14 17:44 d--------	C:\WINDOWS\ERUNT
2008-04-14 13:41 . 2008-04-14 13:41	29	--a------	C:\WINDOWS\SYSTEM32\oegseotw.tmp
2008-04-14 13:40 . 2008-04-14 13:41	40,599	--a------	C:\Documents and Settings\mom (and guests)\cftmon.exe
2008-04-14 12:42 . 2007-09-06 00:22	289,144	--a------	C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-14 12:42 . 2006-04-27 17:49	288,417	--a------	C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-14 12:42 . 2008-04-14 19:28	86,528	--a------	C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-14 12:42 . 2008-04-12 13:49	82,432	--a------	C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-14 12:42 . 2003-06-05 21:13	53,248	--a------	C:\WINDOWS\SYSTEM32\Process.exe
2008-04-14 12:42 . 2008-04-14 13:14	3,730	--a------	C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-13 15:16 . 2008-04-13 15:16 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 13:36 . 2008-04-15 17:31	1,906	--a------	C:\WINDOWS\SYSTEM32\default.htm
2008-04-12 11:38 . 2008-04-12 11:38	54,272	--a------	C:\WINDOWS\SYSTEM32\L5A64.tmp
2008-04-12 11:38 . 2008-04-12 11:38	397	--a------	C:\WINDOWS\SYSTEM32\L6CC3.tmp
2008-04-12 11:38 . 2008-04-12 11:38	397	--a------	C:\WINDOWS\SYSTEM32\L6B2C.tmp
2008-04-12 11:38 . 2008-04-12 11:38	397	--a------	C:\WINDOWS\SYSTEM32\L69D5.tmp
2008-04-12 11:38 . 2008-04-12 11:38	397	--a------	C:\WINDOWS\SYSTEM32\L686D.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 20:43	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-04-14 20:59	---------	d-----w	C:\Documents and Settings\mom (and guests)\Application Data\MSN6
2008-04-14 19:31	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-13 21:18	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-03-07 03:32	706	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 03:32	23,904	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 03:32	10,537	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.cat
.

------- Sigcheck -------

2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716	C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\svchost.exe
2008-04-14 13:40 15872 bca6d9199e55023e4b3f399f6f7a0542	C:\WINDOWS\SYSTEM32\svchost.exe

2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb	C:\WINDOWS\$NtUninstallKB841533$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe	C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\winlogon.exe
2004-05-26 19:38 487424 5996688f497ceec792c4803758f54f5a	C:\WINDOWS\SYSTEM32\winlogon.exe

2002-08-29 04:00 1007104 d8dd00e86c0a20fc494034bfcc332fa0	C:\WINDOWS\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64	C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\explorer.exe
.
((((((((((((((((((((((((((((( [email protected]_13.58.30.24 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 01:56:13	2,048	--s-a-w	C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-16 20:42:59	2,048	--s-a-w	C:\WINDOWS\BOOTSTAT.DAT
- 2007-03-13 16:57:10	163,328	----a-w	C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-21 02:02:28	163,328	----a-w	C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-04-14 11:40:17	163,328	----a-w	C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-15 01:23:14	7,745,536	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-04-15 01:23:14	176,128	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-14 11:40:17	163,328	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-14 23:44:26	7,757,824	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-04-14 23:44:26	176,128	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-04-14 01:56:28	16,384	-c--a-w	C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-04-15 23:48:44	16,384	-c--a-w	C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-04-14 01:56:28	32,768	-c--a-w	C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-04-15 23:48:44	32,768	-c--a-w	C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-04-14 01:56:28	65,536	-c--a-w	C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-15 23:48:44	65,536	-c--a-w	C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-12 17:01:59	53,668	----a-w	C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-04-14 21:14:01	53,668	----a-w	C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-03-12 17:02:00	382,308	----a-w	C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-04-14 21:14:01	382,308	----a-w	C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2007-01-15 20:40 38924]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-10-12 18:13 7086080]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:00 13312]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-09-15 16:21 38912]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-09-15 16:21 38912]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-01-15 20:40 38924]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-01-15 20:40 38924]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-15 20:40 38924]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2007-09-15 16:21 38912]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2007-01-15 20:40 38924]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2007-09-15 16:21 38912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-15 20:40 38924]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22 26248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"InetChk"="C:\WINDOWS\TEMP\ms1208294977.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-25 22:09:43 113664]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-15 04:31:34 806912]
Wireless Configuration Utility HW.51.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-14 20:53:38 454656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"tkVwEOFhlh"= {B8DEC5A9-1274-6F03-664F-76A2A60565A6} - C:\WINDOWS\system32\pjxgz.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"taskman"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaArom]
yayaArom.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 00:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FullAudio]
C:\PROGRA~1\MusicNow\WMPImporter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2003-06-25 11:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-15 20:40 38924 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 11:14 35328 C:\Matt's Things\Other Things\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12297:TCP"= 12297:TCPxpsp2res.dll,-22005
"1204:TCP"= 1204:TCPxpsp2res.dll,-22005
"60475:TCP"= 60475:TCPxpsp2res.dll,-22005
"45974:TCP"= 45974:TCPxpsp2res.dll,-22005

S3 lredbooo;lredbooo;C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\lredbooo.sys []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 20:43:07 C:\WINDOWS\Tasks\Calculator.job"
- C:\WINDOWS\SYSTEM32\CALC.EXE
"2008-04-14 12:42:41 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - mom (and guests).job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 14:44:08
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\svchost.ex_:exe.exe 28160 bytes executable

scan completed successfully 
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\SYSTEM32\DLLHOST.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-04-16 14:57:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 20:57:10
ComboFix2.txt 2008-04-14 20:00:15
ComboFix3.txt 2007-08-10 21:27:50

Pre-Run: 2,525,642,752 bytes free
Post-Run: 2,491,850,752 bytes free

HJT LOG::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:42 PM, on 4/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1208294977.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1208294977.exe work (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Matt's Things\Other Things\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmpojqhc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmpojqhc.dll
O12 - Plugin for ôå: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098728199640
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://a1776.ff.fullaudio.com.edges...io.com/musicnow/phoenix/4.0.0.17/MusicNow.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{560BC006-96FD-400C-884E-EC5D51D95CA2}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{91B7E03A-74C8-4BB9-9C2B-DC87F8B2170E}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AA52E13-30E8-498D-9252-F2FF390577A6}: NameServer = 195.141.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayaArom - yayaArom.dll (file missing)
O21 - SSODL: tkVwEOFhlh - {B8DEC5A9-1274-6F03-664F-76A2A60565A6} - C:\WINDOWS\system32\pjxgz.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10153 bytes


----------



## cybertech (Apr 16, 2002)

Please try to run SDFix again.


----------



## yettz (May 6, 2007)

SDFix is stalled again on the black screen with Safe Mode in the corners. It gets to the point where it says "please be patient, this could take 20 mins", then goes to the black screen. It's been sitting like that for many minutes with no sign of life. I can let it go longer in case I'm just impatient, or reboot. ??


----------



## cybertech (Apr 16, 2002)

Have you stopped your anti-virus and anti-malware programs?

Also, you are to be in safe mode and disconnected from the internet.


----------



## yettz (May 6, 2007)

Yes, I'm in Safe Mode and unplugged from the internet. Norton features are turned off and the SAS version doesn't do auto-protect. Tried SDFix again, same result. [Computer looks better though, at least the nasty crawling bug screen saver is gone!!] ???


----------



## yettz (May 6, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:36 PM, on 4/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DllHost.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1208294977.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1208294977.exe work (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Matt's Things\Other Things\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmpojqhc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmpojqhc.dll
O12 - Plugin for ôå: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098728199640
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://a1776.ff.fullaudio.com.edges...io.com/musicnow/phoenix/4.0.0.17/MusicNow.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{560BC006-96FD-400C-884E-EC5D51D95CA2}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{91B7E03A-74C8-4BB9-9C2B-DC87F8B2170E}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AA52E13-30E8-498D-9252-F2FF390577A6}: NameServer = 195.141.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayaArom - yayaArom.dll (file missing)
O21 - SSODL: tkVwEOFhlh - {B8DEC5A9-1274-6F03-664F-76A2A60565A6} - C:\WINDOWS\system32\pjxgz.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10364 bytes


----------



## cybertech (Apr 16, 2002)

Click on the link below to get lsp-fix. 
Run that to fix your internet connection.

http://www.cexx.org/lspfix.htm

Check the box that says "I know what I'm doing". 
Remove c:\windows\system32\bmpojqhc.dll *only that one!*

*Run HJT again and put a check in the following:*

O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1208294977.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1208294977.exe work (User 'Default user')
O20 - Winlogon Notify: yayaArom - yayaArom.dll (file missing)
O21 - SSODL: tkVwEOFhlh - {B8DEC5A9-1274-6F03-664F-76A2A60565A6} - C:\WINDOWS\system32\pjxgz.dll (file missing)

*Close all applications and browser windows before you click "fix checked".*
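A triage pass over HijackThis log lines that applies the same three checks as the fix list above (an unknown Winsock LSP module, O20/O21 hooks whose file is missing, and O4 Run entries launching from a TEMP folder). This is an added example, not code from HijackThis, LSP-Fix or any post in this thread; the sample log is constructed from entries posted in the thread, and the `Entry`/`Finding` types and the "lspfix" / "hjt-fix" action labels are my own.

```python
"""Triage of HijackThis (HJT) log entries.

Added example for this thread (not part of HijackThis or LSP-Fix). It parses
lines in the HJT log format, drops duplicate entries, and applies three
checks: unknown Winsock LSP module (O10), autostart hooks whose DLL is
missing (O20/O21), and Run entries that start an executable from a TEMP
directory (O4).
"""
import re
from dataclasses import dataclass

# Constructed sample in HJT log format, built from entry types that appear
# in this thread (paths and names copied from the posted logs).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1208294977.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1208294977.exe work (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmpojqhc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmpojqhc.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayaArom - yayaArom.dll (file missing)
O21 - SSODL: tkVwEOFhlh - {B8DEC5A9-1274-6F03-664F-76A2A60565A6} - C:\WINDOWS\system32\pjxgz.dll (file missing)
"""

# "O4 - <body>", "R0 - <body>", ... ; everything else (header, process list) is skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 body: "<hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r".*?\[[^\]]*\]\s*(.*)")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4", "O10"
    body: str     # text after "Oxx - "


@dataclass(frozen=True)
class Finding:
    entry: Entry
    action: str   # "lspfix" (repair LSP chain with LSP-Fix) or "hjt-fix" (check in HJT)
    reason: str


def parse_hjt_log(text: str) -> list[Entry]:
    """Return the scan entries of an HJT log in order, dropping exact duplicates
    (the same O10 line can be listed more than once, as it is in this thread)."""
    seen: set[Entry] = set()
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        e = Entry(m.group(1), m.group(2))
        if e not in seen:
            seen.add(e)
            entries.append(e)
    return entries


def run_target(body: str) -> str:
    """Executable launched by an O4 Run entry, with quotes and arguments stripped."""
    m = O4_RE.match(body)
    if not m:
        return ""  # Global Startup .lnk lines have no [name] and are not handled here
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the three checks and say which tool each hit should be fixed with."""
    findings: list[Finding] = []
    for e in entries:
        if e.section == "O10" and e.body.startswith("Unknown file in Winsock LSP"):
            findings.append(Finding(e, "lspfix",
                "unrecognised Winsock LSP module: remove with LSP-Fix so the LSP chain is repaired"))
        elif e.section in ("O20", "O21") and e.body.endswith("(file missing)"):
            findings.append(Finding(e, "hjt-fix",
                "autostart hook whose DLL is gone: orphaned entry, fix checked in HJT"))
        elif e.section == "O4" and "\\temp\\" in run_target(e.body).lower():
            findings.append(Finding(e, "hjt-fix",
                "Run entry launching an executable from a TEMP directory"))
    return findings


def hjt_fix_list(findings: list[Finding]) -> list[str]:
    """Lines to put a check next to in HJT, in the log's own format."""
    return [f"{f.entry.section} - {f.entry.body}" for f in findings if f.action == "hjt-fix"]


if __name__ == "__main__":
    for f in triage(parse_hjt_log(SAMPLE_LOG)):
        print(f"[{f.action}] {f.entry.section} - {f.entry.body}\n    {f.reason}")
```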


----------



## yettz (May 6, 2007)

I'm hesitant... Do you see a problem with my Internet connection that I don't know about?


----------



## yettz (May 6, 2007)

OK, I see the O10 lines... guess I'm just a weary skeptic.
Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:20 PM, on 4/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Matt's Things\Other Things\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for ôå: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098728199640
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://a1776.ff.fullaudio.com.edges...io.com/musicnow/phoenix/4.0.0.17/MusicNow.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{560BC006-96FD-400C-884E-EC5D51D95CA2}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{91B7E03A-74C8-4BB9-9C2B-DC87F8B2170E}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AA52E13-30E8-498D-9252-F2FF390577A6}: NameServer = 195.141.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9841 bytes


----------



## cybertech (Apr 16, 2002)

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 6*.
Scroll down to where it says *Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications* (the fourth one in the list).
Click the "*Download*" button to the right. A new page will open.
Select your platform and check the box that says: *I agree to the Java SE Runtime Environment 6 License Agreement*.
Click *Continue*.
Click on the link under *Windows Offline Installation* (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Go to *Start* - *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.

Is your internet connection better now?


----------



## yettz (May 6, 2007)

Java update is completed, thanks for the reminder. 
The computer seems to be mostly back to normal now. Thanks so much!!!

There is still one nagging thing though...
On occasion, a black box with red outline will appear at the top of the screen and on the desktop - I think it happens sometimes when I close the browser. Written in the box in small font is something like:

"Script Failure Press left mouse button to...
Guru Meditation #0021 00004FBO.5 Script Fatal Error
Scripts/playertools maki"

Any idea what is triggering that? I just ignore it, and it disappears later.


----------



## cybertech (Apr 16, 2002)

No, I have not run into that before.

Please download *ATF Cleaner* by Atribune. 
*This program is for XP and Windows 2000 only*

Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button. 

Click *Exit* on the Main menu to close the program.

*Download (save and select your desktop to save it to)* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive and all other fixed drives*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply with a new hijackthis log.*

Click *Close* to exit the program.

Please perform a scan with *Kaspersky Webscan Online Virus Scanner* 

 Read the Requirements and Privacy statement, then select "*Accept*". 
 A new window will appear prompting you to install an ActiveX component from Kaspersky - "*Do you want to install this software*?". 
 Click "*Yes*" or select "*Install*" to download the ActiveX controls that allow ActiveScan to run. 
 When the download is complete it will say ready, click "*Next*". 
 Click "*Scan Settings*" and check the option to use the *Extended Database* (if available, otherwise Standard). 
 Click "*Scan Options*" and select both "*Scan Archives*" and "*Scan Mail Bases*". 
 Click "*OK*". 
 Under "*Select a target to scan*", click on "*My Computer*". 
 When the scan is complete choose to save the results as "*Save as Text*" named kaspersky.txt to your desktop and post them in your next reply. 

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for _Free Online Virus Scanner_. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps *here* and reboot afterwards if your system does not reboot automatically, or it will show '_Kaspersky Online Scanner license key was not found!_'


----------



## yettz (May 6, 2007)

Shoot, still Vundo and Downloader, among others. !!?
SAS log followed by HJT. Kaspersky will follow in new message.

SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/18/2008 at 08:36 PM

Application Version : 4.0.1154

Core Rules Database Version : 3442
Trace Rules Database Version: 1434

Scan type : Complete Scan
Total Scan Time : 00:59:40

Memory items scanned : 445
Memory threats detected : 0
Registry items scanned : 5958
Registry threats detected : 0
File items scanned : 23082
File threats detected : 52

Trojan.Unclassified/CFTMon-Fake
C:\DOCUMENTS AND SETTINGS\MOM (AND GUESTS)\CFTMON.EXE

Trojan.FakeDrop-2020Search
C:\DOCUMENTS AND SETTINGS\MOM (AND GUESTS)\DESKTOP\OTSCANIT\MOVEDFILES\04152008_174606\WINDOWS\2020SEARCH.DLL
C:\DOCUMENTS AND SETTINGS\MOM (AND GUESTS)\DESKTOP\OTSCANIT\MOVEDFILES\04152008_174606\WINDOWS\2020SEARCH2.DLL

Adware.Second Thought
C:\DOCUMENTS AND SETTINGS\MOM (AND GUESTS)\DESKTOP\OTSCANIT\MOVEDFILES\04152008_174606\WINDOWS\BOKJA.EXE
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\BOKJA.EXE
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\STCLOADER.EXE

Trojan.FakeDrop-MSPPHE
C:\DOCUMENTS AND SETTINGS\MOM (AND GUESTS)\DESKTOP\OTSCANIT\MOVEDFILES\04152008_174606\WINDOWS\MSPPHE.DLL

Adware.webHancer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0013632.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0013635.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0013642.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0013643.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0013641.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0015920.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0013644.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0013646.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014919.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0015919.DLL
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\MMFSQBBY.DLL

Trojan.Unclassified/SCInst-WL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014896.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014897.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0021175.DRV

Trojan.Unclassified/FTP-Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0021174.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021307.DLL

Trojan.Unclassified/MRT-Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0021178.DLL

Trojan.Unclassified/CJB8
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021286.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021288.EXE

Adware.Vundo-Variant/H
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021299.DLL
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\KHFGWTMK.DLL

RootKit.Unclassified/PolyMorph-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021300.SYS

Trojan.Unclassified/Tmp-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021301.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021302.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021303.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021304.EXE

Trojan.Unclassified/AddToKill
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021310.EXE

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\BMPOJQHC.DLL
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\GRSXERYH\CZKBORKB.EXE

Rogue.LiveSecurityCenter-Trace
C:\WINDOWS\SYSTEM32\DEFAULT.HTM

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\KJJLM.INI

Trojan.Downloader-CSRSS/Fake
C:\WINDOWS\SYSTEM32\WBEM\CSRSS.EXE

Adware.AdSponsor/ISM
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\PROGRAM FILES\QDRMODULE\QDRMODULE15.EXE
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\PROGRAM FILES\QDRPACK\QDRPACK15.EXE

Trojan.Downloader-Gen/MROFIN
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\MROFINU1854.EXE

Rogue.Multi-Dropper/Installer
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\LFN.EXE
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\WMSDKNS.EXE

Trojan.FakeDrop-SWin32
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SWIN32.DLL

Trojan.Unclassified/Multi-Dropper
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\ADQZAXCP.EXE
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\VCDWRUJI.EXE
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\XSLENAVG.EXE

Trojan.Downloader-Gen/Alt
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\ALT.EXE.EXE

Trojan.Unclassified/CTFMONA
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\CTFMONA.EXE

Trojan.Downloader-Gen
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\ISECURITY.CPL

Trojan.Unclassified-Packed/Suspicious
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\SYSTEM32\LUAPVS.DLL

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:06 PM, on 4/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DllHost.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\DllHost.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Matt's Things\Other Things\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for ôå: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098728199640
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://a1776.ff.fullaudio.com.edges...io.com/musicnow/phoenix/4.0.0.17/MusicNow.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{560BC006-96FD-400C-884E-EC5D51D95CA2}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{91B7E03A-74C8-4BB9-9C2B-DC87F8B2170E}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AA52E13-30E8-498D-9252-F2FF390577A6}: NameServer = 195.141.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10068 bytes
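Reading the SAS log above, most of the 52 file hits sit in System Restore snapshots or in the folders where OTMoveIt/OTScanIt had already moved files, and only a few paths are still live under C:\WINDOWS and the user profile. As an added example that is not part of this thread or of SUPERAntiSpyware, the script below sorts a SAS log into those buckets; the sample lines are copied from the log above, and the folder markers it treats as quarantine (_OTMOVEIT, OTSCANIT\MOVEDFILES, QooBox\Quarantine) are an assumption based on the cleanup tools used in this thread.

```python
"""Sort a SUPERAntiSpyware (SAS) scan log by where each detected file lives.

Added example for this thread, not SAS's own code. Restore-point copies and
files already moved by OTMoveIt/OTScanIt/ComboFix are inert, so separating
them from paths still live on the system shows what actually needs attention.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the SAS log posted above, same layout.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Scan type : Complete Scan
File threats detected : 9

Trojan.Unclassified/CFTMon-Fake
C:\DOCUMENTS AND SETTINGS\MOM (AND GUESTS)\CFTMON.EXE

Trojan.FakeDrop-2020Search
C:\DOCUMENTS AND SETTINGS\MOM (AND GUESTS)\DESKTOP\OTSCANIT\MOVEDFILES\04152008_174606\WINDOWS\2020SEARCH.DLL

Adware.Second Thought
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\WINDOWS\BOKJA.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0013641.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0015920.DLL

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\BMPOJQHC.DLL
C:\_OTMOVEIT\MOVEDFILES\04152008_172905\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\GRSXERYH\CZKBORKB.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\KJJLM.INI

Trojan.Downloader-CSRSS/Fake
C:\WINDOWS\SYSTEM32\WBEM\CSRSS.EXE
"""

# A detection block in the log is a name line followed by one or more item
# lines; items are file paths (drive letter) or registry keys (HKxx\...).
ITEM_RE = re.compile(r"^(?:[A-Z]:\\|HK(?:LM|CU|CR|U)\\)", re.IGNORECASE)

# Assumed location markers (not defined by SAS): System Restore snapshots, and
# the move/quarantine folders of the cleanup tools used in this thread.
RESTORE_MARK = "\\SYSTEM VOLUME INFORMATION\\_RESTORE"
QUARANTINE_MARKS = ("\\_OTMOVEIT\\", "\\OTSCANIT\\MOVEDFILES\\", "\\QOOBOX\\QUARANTINE\\")


def classify(item):
    """Return 'registry', 'restore_point', 'quarantine' or 'live' for one item."""
    upper = item.upper()
    if upper.startswith("HK"):
        return "registry"
    if RESTORE_MARK in upper:
        return "restore_point"
    if any(mark in upper for mark in QUARANTINE_MARKS):
        return "quarantine"
    return "live"


def parse_detections(log_text):
    """Yield (detection_name, item) pairs; header lines carry no items and drop out."""
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ITEM_RE.match(line):
            if current is not None:
                yield current, line
        else:
            current = line  # a detection name (or a header line we ignore)


def triage(log_text):
    """Group detections by location class: {class: [(name, item), ...]}."""
    buckets = defaultdict(list)
    for name, item in parse_detections(log_text):
        buckets[classify(item)].append((name, item))
    return dict(buckets)


def counts(log_text):
    return {cls: len(items) for cls, items in triage(log_text).items()}


def live_items(log_text):
    """Detections on paths still live on the system, i.e. the ones to act on first."""
    return sorted(triage(log_text).get("live", []))


if __name__ == "__main__":
    for cls, items in triage(SAMPLE_LOG).items():
        print(f"{cls}: {len(items)}")
    print("\nStill live:")
    for name, path in live_items(SAMPLE_LOG):
        print(f"  {name:35} {path}")
```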


----------



## yettz (May 6, 2007)

Kaspersky results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 18, 2008 11:38:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/04/2008
Kaspersky Anti-Virus database records: 715009
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 112423
Number of viruses found: 36
Number of infected objects: 99
Number of suspicious objects: 0
Duration of the scan process: 02:19:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-18_Log.ALUSchedulerSvc.LiveUpdate	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\etr3.tmp	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\0452270C.TMP	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\47C7707C.TMP	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-18-2008( 20-49-9 ).LOG	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\mom (and guests)\Desktop\SmitfraudFix.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\mom (and guests)\Local Settings\Application Data\Microsoft\MSN\db\bcyetter-msn-com.sdf	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\Local Settings\History\History.IE5\INDEX.DAT	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\Local Settings\Temp\fdr948.fdr	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\My Documents\Mom's Documents\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\mom (and guests)\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\mom (and guests)\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Matt's Things\School Things\Programming I\Borland\jdk1.4\jre\bin\jusched.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log	Object is locked	skipped
C:\Program Files\Dell\Media Experience\PCMService.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\Program Files\Dell Support\DSAgnt.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.ex_	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\Program Files\MSN\MSNCoreFiles\calendar.mar	Object is locked	skipped
C:\Program Files\MSN\MSNCoreFiles\mail.mar	Object is locked	skipped
C:\Program Files\MSN\MSNCoreFiles\market.mar	Object is locked	skipped
C:\Program Files\MSN\MSNCoreFiles\market32.mar	Object is locked	skipped
C:\Program Files\MSN\MSNCoreFiles\miadv.mar	Object is locked	skipped
C:\Program Files\MSN\MSNCoreFiles\mibas.mar	Object is locked	skipped
C:\Program Files\MSN\MSNCoreFiles\printing.mar	Object is locked	skipped
C:\Program Files\MSN\MSNCoreFiles\qos.mar	Object is locked	skipped
C:\Program Files\MSN\MSNCoreFiles\themedef32.mar	Object is locked	skipped
C:\Program Files\MSN\MsnInstaller\install.mar	Object is locked	skipped
C:\Program Files\MSN\MsnInstaller\Resources\MSNClientBrand\en\us\q002\9.50.433.0\brand.mar	Object is locked	skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log	Object is locked	skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log	Object is locked	skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log	Object is locked	skipped
C:\Program Files\QuickTime\qttask.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\Program Files\Real\RealPlayer\RealPlay.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\QooBox\Quarantine\C\DOCUME~1\MOM(AN~1\APPLIC~1\tmp8B.tmp.exe.vir	Infected: not-a-virus:AdWare.Win32.Virtumonde.jes	skipped
C:\QooBox\Quarantine\C\Program Files\cjb\cjb8.exe.vir	Infected: Trojan-Downloader.Win32.Agent.mas	skipped
C:\QooBox\Quarantine\C\Program Files\iSecurity\v5\iSecurity.cpl.vir	Infected: Trojan-Downloader.Win32.Agent.mrd	skipped
C:\QooBox\Quarantine\C\Program Files\iSecurity\{32FF2108-1EF0-4ae8-8C23-17C92EAA5DEF}\install.exe.vir	Infected: Trojan-Downloader.Win32.Agent.mas	skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\kqmgzzkv.dat.vir	Infected: Rootkit.Win32.Agent.aap	skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yayaArom.dll.vir	Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf	skipped
C:\QooBox\Quarantine\catchme2008-04-16_144337.57.zip/Documents and Settings/mom (and guests)/Desktop/catchme.zip/pjxgz.dll	Infected: Trojan-Downloader.Win32.Agent.lyb	skipped
C:\QooBox\Quarantine\catchme2008-04-16_144337.57.zip/Documents and Settings/mom (and guests)/Desktop/catchme.zip	Infected: Trojan-Downloader.Win32.Agent.lyb	skipped
C:\QooBox\Quarantine\catchme2008-04-16_144337.57.zip/catchme2008-04-16_112018.59.zip/spools.exe	Infected: Worm.Win32.Socks.cd	skipped
C:\QooBox\Quarantine\catchme2008-04-16_144337.57.zip/catchme2008-04-16_112018.59.zip	Infected: Worm.Win32.Socks.cd	skipped
C:\QooBox\Quarantine\catchme2008-04-16_144337.57.zip	ZIP: infected - 4	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0014798.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0014799.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0014800.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0014802.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0014803.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237\A0014808.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237\A0014809.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237\A0014810.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237\A0014811.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237\A0014812.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237\A0014814.exe	Infected: Trojan.Win32.Patched.aa	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237\A0014814.exe:exe.exe:$DATA	Infected: Trojan.Win32.Obfuscated.xf	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238\A0014820.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238\A0014821.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238\A0014822.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238\A0014823.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238\A0014824.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238\A0014826.exe	Infected: Trojan.Win32.Agent.jdn	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238\A0014837.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014885.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014886.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014887.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014888.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014889.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014892.dll	Infected: Trojan.Win32.Qhost.abh	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014901.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014902.exe	Infected: Trojan-Clicker.Win32.Small.pe	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014903.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014906.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014908.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014911.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014913.dll	Infected: Trojan-Dropper.Win32.Agent.qfy	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0014914.dll	Infected: Trojan.Win32.Agent.jvv	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0019927.exe	Infected: Worm.Win32.Socks.bn	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0020174.dll	Infected: Rootkit.Win32.Agent.ym	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0021176.dll	Infected: not-a-virus:AdWare.Win32.BHO.ajw	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0021177.exe	Infected: Email-Worm.Win32.Zhelatin.xh	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239\A0021179.exe	Infected: Email-Worm.Win32.Zhelatin.xh	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021287.cpl	Infected: Trojan-Downloader.Win32.Agent.mrd	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021297.exe	Infected: Trojan-Downloader.Win32.Small.ivo	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021298.exe	Infected: Trojan-Downloader.Win32.Small.ivo	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241\A0021305.exe	Infected: Trojan.Win32.Qhost.aes	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030673.dll	Infected: Trojan-Dropper.Win32.Agent.qfy	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030674.exe	Infected: Worm.Win32.Socks.cd	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030682.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.oax	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030683.dll	Infected: Email-Worm.Win32.Locksky.da	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030686.exe	Infected: Trojan.Win32.Agent.glb	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030687.exe	Infected: not-a-virus:AdWare.Win32.AdBand.w	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030688.exe	Infected: not-a-virus:AdWare.Win32.AdBand.x	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030689.exe	Infected: Trojan-Downloader.Win32.Homles.bf	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030690.exe	Infected: not-virus:Hoax.Win32.Renos.bqi	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030691.exe	Infected: not-virus:Hoax.Win32.Renos.bqi	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030694.exe	Infected: Trojan-Downloader.Win32.Obfuscated.sk	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030695.exe	Infected: Trojan-Downloader.Win32.Obfuscated.sw	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030696.exe	Infected: Trojan.Win32.Agent.juy	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\A0030699.dll	Infected: not-a-virus:AdWare.Win32.BHO.ank	skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246\change.log	Object is locked	skipped
C:\WINDOWS\Debug\oakley.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\explorer.exe	Infected: Trojan.Win32.Patched.aa	skipped
C:\WINDOWS\MEMORY.DMP	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{766CC864-D739-4F9B-8E8A-E6167A822445}.bin	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\default	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\sam	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\security	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\software	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\system	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT	Object is locked	skipped
C:\WINDOWS\SYSTEM32\hkcmd.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\WINDOWS\SYSTEM32\hkcmd.ex_	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\WINDOWS\SYSTEM32\igfxtray.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\WINDOWS\SYSTEM32\igfxtray.ex_	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\WINDOWS\SYSTEM32\L5A64.tmp	Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf	skipped
C:\WINDOWS\SYSTEM32\lsass.exe	Infected: Trojan.Win32.Patched.aa	skipped
C:\WINDOWS\SYSTEM32\services.exe	Infected: Trojan.Win32.Patched.aa	skipped
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09.exe	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09.ex_	Infected: Trojan-Downloader.Win32.Agent.awf	skipped
C:\WINDOWS\SYSTEM32\spoolsv.exe	Infected: Trojan.Win32.Patched.aa	skipped
C:\WINDOWS\SYSTEM32\svchost.exe	Infected: Trojan.Win32.Patched.aa	skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\SYSTEM32\winlogon.exe	Infected: Trojan.Win32.Patched.aa	skipped
C:\WINDOWS\WIADEBUG.LOG	Object is locked	skipped
C:\WINDOWS\WIASERVC.LOG	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
C:\_OTMoveIt\MovedFiles\04152008_172905\Program Files\antiviruspro\AntiVirusPro.exe	Infected: not-a-virus:FraudTool.Win32.AntiVirPro.k	skipped
C:\_OTMoveIt\MovedFiles\04152008_172905\Program Files\antiviruspro\Core.dll	Infected: not-a-virus:FraudTool.Win32.AntiVirPro.k	skipped
C:\_OTMoveIt\MovedFiles\04152008_172905\windows\system32\000090.exe/stream/data0004	Infected: not-a-virus:AdWare.Win32.AdBand.w	skipped
C:\_OTMoveIt\MovedFiles\04152008_172905\windows\system32\000090.exe/stream	Infected: not-a-virus:AdWare.Win32.AdBand.w	skipped
C:\_OTMoveIt\MovedFiles\04152008_172905\windows\system32\000090.exe	NSIS: infected - 2	skipped
C:\_OTMoveIt\MovedFiles\04152008_172905\windows\system32\jmwmhefw.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.pil	skipped
C:\_OTMoveIt\MovedFiles\04152008_172905\windows\system32\vxsawvvc.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.nve	skipped

Scan process completed.


----------



## cybertech (Apr 16, 2002)

Please download this from Microsoft and run it on your computer.
Filename = WGADiag2.exe
http://go.microsoft.com/fwlink/?linkid=52012

Press "Copy to clipboard"; you can then paste the result into WordPad and post it to this thread.


----------



## yettz (May 6, 2007)

The file provided by this link was MGSDiag.exe.

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 55277-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {31430E70-C2EF-42E0-98C2-E709A3825F45}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.3.265.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Basic Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\winlogon.exe[5.1.2600.1557]
File Mismatch: C:\WINDOWS\system32\oembios.bin[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.dat[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.sig[hr = 0x80070714]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{31430E70-C2EF-42E0-98C2-E709A3825F45}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>55277-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-1996808787-3166223641-3302103093</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 2400 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A05</Version><SMBIOSVersion major="2" minor="3"/><Date>20031202******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>AB143B4F01842052</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Mountain Standard Time(GMT-07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell Computer Corporation</name><model>Dell DIMENSION DIM2400</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91130409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Basic Edition 2003</Name><Ver>11</Ver><Val>F8D86C1F4D710</Val><Hash>PXsrvsZvHORWADicGqGj9cjhq3Q=</Hash><Pid>73102-OEM-5690422-66113</Pid><PidType>6</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>


----------



## cybertech (Apr 16, 2002)

Click *here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This scans the files currently running in memory; when something is found, click the *Yes* button when it asks whether you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click *Yes to all* if it asks whether you want to cure/move the file.
When the scan has finished, check whether you can click the icon next to the files found.

If so, click it, then click the icon right below it and select *Move incurable*, as shown in the next image.

This will move the file to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
After selecting, in the *Dr.Web CureIt* menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called *DrWeb.csv*.
*Close Dr.Web CureIt*.
Reboot your computer! Files in use may be moved or deleted during the reboot.
After the reboot, post the contents of the *Dr.Web* log you saved previously in your next reply, along with a new *HijackThis log*.


----------

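The following is an added example, not code from this thread or from either scanner's vendor. The Kaspersky-style log yettz posted above (one `path TAB status TAB action` line per object) and the DrWeb.csv report the steps above produce (one `file;directory;verdict;action;` row per file, as yettz's next reply shows) describe the same machine before and after the Dr.Web pass, and reading them side by side is the quickest way to see what is actually left to do. This Python script parses both formats and, for every hit that sits on the live system rather than in a System Restore snapshot or a tool's quarantine, reports which Dr.Web action covered it. The inert-location prefixes, the list of core Windows binaries and the sample lines are this example's own assumptions: the sample is constructed and modelled on the thread's logs, and `example.dll` with its verdict is a placeholder for a hit the second scanner never touched.

```python
"""Reconcile a Kaspersky-style scan log with a Dr.Web CureIt DrWeb.csv report.

Kaspersky log line:  <path> TAB <status> TAB <action>
DrWeb.csv row:       <file>;<directory>;<verdict>;<action>;

Live hits on the running system are separated from inert copies in System
Restore snapshots and tool quarantines, then matched to the Dr.Web action.
"""
from collections import Counter

# Assumption of this example: locations whose contents never execute on
# their own, so a hit there is history rather than a live threat.
INERT_PREFIXES = (
    r"c:\system volume information\_restore",  # XP System Restore snapshots
    r"c:\qoobox\quarantine",                   # ComboFix quarantine
    r"c:\_otmoveit\movedfiles",                # OTMoveIt quarantine
)

# Core Windows binaries: an in-place "cure" of one of these must be re-verified.
CORE_BINARIES = {
    "explorer.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "svchost.exe", "spoolsv.exe", "smss.exe", "csrss.exe",
}


def parse_kaspersky(text):
    """Return [(lower-cased path, verdict)] for each 'Infected:' line.
    Locked objects and container summaries ('ZIP: infected - 4') are skipped."""
    hits = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and parts[1].startswith("Infected: "):
            hits.append((parts[0].lower(), parts[1][len("Infected: "):]))
    return hits


def parse_drweb(text):
    """Map lower-cased full path -> (verdict, action) from DrWeb.csv rows."""
    actions = {}
    for line in text.splitlines():
        parts = line.rstrip(";").split(";")
        if len(parts) != 4:
            continue
        name, directory, verdict, action = parts
        actions[(directory.rstrip("\\") + "\\" + name).lower()] = (verdict, action)
    return actions


def reconcile(kaspersky_text, drweb_text):
    """Bucket every live Kaspersky hit by the Dr.Web action taken on it."""
    drweb = parse_drweb(drweb_text)
    result = {"inert_skipped": 0, "families": Counter(), "cured": [],
              "cured_core": [], "deleted": [], "quarantined": [], "unresolved": []}
    for path, verdict in parse_kaspersky(kaspersky_text):
        if path.startswith(INERT_PREFIXES):
            result["inert_skipped"] += 1
            continue
        result["families"][verdict] += 1
        action = drweb.get(path, (None, None))[1]
        if action is None:
            result["unresolved"].append(path)      # second scanner never acted
        elif action.startswith("Cured"):
            result["cured"].append(path)           # repaired in place
            if path.rsplit("\\", 1)[-1] in CORE_BINARIES:
                result["cured_core"].append(path)  # OS binary: verify the repair
        elif action.startswith("Deleted"):
            result["deleted"].append(path)         # gone; reinstall if legitimate
        elif "Moved" in action:
            result["quarantined"].append(path)     # sits in Dr.Web's quarantine
    return result


# Constructed sample input modelled on the logs in this thread.  'example.dll'
# and its verdict are placeholders for a hit the second scanner never touched.
KASPERSKY_SAMPLE = "\n".join("\t".join(row) for row in [
    (r"C:\WINDOWS\SYSTEM32\CONFIG\sam", "Object is locked", "skipped"),
    (r"C:\WINDOWS\explorer.exe", "Infected: Trojan.Win32.Patched.aa", "skipped"),
    (r"C:\WINDOWS\SYSTEM32\winlogon.exe", "Infected: Trojan.Win32.Patched.aa", "skipped"),
    (r"C:\WINDOWS\SYSTEM32\igfxtray.exe", "Infected: Trojan-Downloader.Win32.Agent.awf", "skipped"),
    (r"C:\Program Files\QuickTime\qttask.exe", "Infected: Trojan-Downloader.Win32.Agent.awf", "skipped"),
    (r"C:\WINDOWS\SYSTEM32\L5A64.tmp", "Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf", "skipped"),
    (r"C:\WINDOWS\SYSTEM32\example.dll", "Infected: Trojan.Win32.Agent.sample", "skipped"),
    (r"C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237\A0014814.exe", "Infected: Trojan.Win32.Patched.aa", "skipped"),
    (r"C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\kqmgzzkv.dat.vir", "Infected: Rootkit.Win32.Agent.aap", "skipped"),
    (r"C:\QooBox\Quarantine\catchme2008-04-16_144337.57.zip", "ZIP: infected - 4", "skipped"),
])
DRWEB_SAMPLE = "\n".join([
    r"explorer.exe;c:\windows;Trojan.Starter.384;Cured.;",
    r"winlogon.exe;c:\windows\system32;Trojan.Starter.384;Cured.;",
    r"igfxtray.exe;c:\windows\system32;Trojan.Click.2166;Deleted.;",
    r"qttask.exe;c:\program files\quicktime;Trojan.Click.2166;Deleted.;",
    r"L5A64.tmp;C:\WINDOWS\SYSTEM32;Trojan.Virtumod.based;Incurable.Moved.;",
    r"kqmgzzkv.dat.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS;Trojan.NtRootKit.738;Deleted.;",
])

if __name__ == "__main__":
    summary = reconcile(KASPERSKY_SAMPLE, DRWEB_SAMPLE)
    for key in ("cured_core", "deleted", "quarantined", "unresolved"):
        print(f"{key}: {summary[key]}")
    print("inert copies skipped:", summary["inert_skipped"], "| live families:", dict(summary["families"]))
```

Three of the buckets carry an action item. `cured_core` lists OS binaries (explorer.exe, winlogon.exe, lsass.exe, services.exe, svchost.exe and spoolsv.exe in this thread) that Dr.Web repaired in place; an in-place "cure" of a patched system binary is an unverified repair, and the WGA report above already flags winlogon.exe as a file mismatch, so those files should be checked against known-good copies (sfc /scannow, or the install media) before the machine is trusted. `deleted` lists live files removed outright; where the file is a legitimate vendor program that the malware had modified (the identical verdict on igfxtray.exe, hkcmd.exe, qttask.exe, RealPlay.exe and the Dell and HP tray programs in the thread points that way), the application is now missing and its startup entry will point at nothing until it is reinstalled. `unresolved` is anything the first scanner flagged that the second never acted on, which is where the next scan or a manual check should start.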


## yettz (May 6, 2007)

Dr. Web CureIt ran without trouble this time. HJT log follows.

[As Dr. Web began curing some of the baddies, Norton warned me that it was blocking some others. I quickly disconnected from Internet as the scan continued.]

Before the Dr. Web scan, I noticed explorer.exe was actively running when I wouldn't have expected it to be. Now after the scan, it is mostly idle. One of the trojan files was located there. So that's progress, huh?

sgtray.exe;c:\program files\common files\sonic\update manager;Trojan.Click.2166;Deleted.;
dsagnt.exe;c:\program files\dell support;Trojan.Click.2166;Deleted.;
pcmservice.exe;c:\program files\dell\media experience;Trojan.Click.2166;Deleted.;
hpotdd01.exe;c:\program files\hewlett-packard\digital imaging\bin;Trojan.Click.2166;Deleted.;
hpcmpmgr.exe;c:\program files\hp\hpcoretech;Trojan.Click.2166;Deleted.;
qttask.exe;c:\program files\quicktime;Trojan.Click.2166;Deleted.;
realplay.exe;c:\program files\real\realplayer;Trojan.Click.2166;Deleted.;
explorer.exe;c:\windows;Trojan.Starter.384;Cured.;
hkcmd.exe;c:\windows\system32;Trojan.Click.2166;Deleted.;
igfxtray.exe;c:\windows\system32;Trojan.Click.2166;Deleted.;
lsass.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
services.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
hpztsb09.exe;c:\windows\system32\spool\drivers\w32x86\3;Trojan.Click.2166;Deleted.;
spoolsv.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
svchost.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
winlogon.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
Process.exe;C:\Documents and Settings\mom (and guests)\My Documents\Mom's Documents\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\mom (and guests)\My Documents\Mom's Documents\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
WxBug.EXE;C:\Matt's Things\Other Things\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
jusched.exe;C:\Matt's Things\School Things\Programming I\Borland\jdk1.4\jre\bin;Trojan.Click.2166;Deleted.;
hpotdd01.ex_;C:\Program Files\Hewlett-Packard\Digital Imaging\bin;Trojan.Click.2166;Deleted.;
tmp8B.tmp.exe.vir;C:\QooBox\Quarantine\C\DOCUME~1\MOM(AN~1\APPLIC~1;Trojan.Virtumod;Deleted.;
uninstall.exe.vir;C:\QooBox\Quarantine\C\Program Files\BHO;Adware.SearchTwo.origin;Incurable.Moved.;
yayaArom.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.based;Incurable.Moved.;
kqmgzzkv.dat.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS;Trojan.NtRootKit.738;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0013645.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232;Adware.SearchAid.origin;Incurable.Moved.;
A0014766.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP235;Probably BATCH.Virus;Incurable.Moved.;
A0014772.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP235;Probably SCRIPT.Virus;Incurable.Moved.;
A0014798.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236;Trojan.Fakealert.443;Deleted.;
A0014799.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236;Trojan.Fakealert.443;Deleted.;
A0014800.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236;Trojan.Fakealert.443;Deleted.;
A0014802.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236;Trojan.Fakealert.443;Deleted.;
A0014803.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236;Trojan.Fakealert.443;Deleted.;
A0014808.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237;Trojan.Fakealert.443;Deleted.;
A0014809.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237;Trojan.Fakealert.443;Deleted.;
A0014810.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237;Trojan.Fakealert.443;Deleted.;
A0014811.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237;Trojan.Fakealert.443;Deleted.;
A0014812.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237;Trojan.Fakealert.443;Deleted.;
A0014814.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP237;Trojan.Starter.384;Cured.;
A0014820.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Trojan.Fakealert.443;Deleted.;
A0014821.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Trojan.Fakealert.443;Deleted.;
A0014822.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Trojan.Fakealert.443;Deleted.;
A0014823.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Trojan.Fakealert.443;Deleted.;
A0014824.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Trojan.Fakealert.443;Deleted.;
A0014826.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Trojan.DownLoader.55671;Deleted.;
A0014836.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Tool.Prockill;Incurable.Moved.;
A0014838.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Tool.ShutDown.11;Incurable.Moved.;
A0014850.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Program.PsExec.170;Incurable.Moved.;
A0014853.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Probably BATCH.Virus;Incurable.Moved.;
A0014859.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238;Probably SCRIPT.Virus;Incurable.Moved.;
A0014885.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014886.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014887.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014888.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014889.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014892.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.DownLoader.38373;Deleted.;
A0014901.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014903.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014906.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014908.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014911.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Fakealert.443;Deleted.;
A0014913.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.MulDrop.14031;Deleted.;
A0014914.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Click.origin;Incurable.Moved.;
A0019927.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Win32.HLLW.Socks.5;Deleted.;
A0019943.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Tool.Prockill;Incurable.Moved.;
A0020045.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Tool.Prockill;Incurable.Moved.;
A0020117.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Tool.Prockill;Incurable.Moved.;
A0021177.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Packed.431;Deleted.;
A0021179.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP239;Trojan.Packed.431;Deleted.;
A0021242.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP240;Tool.Prockill;Incurable.Moved.;
A0021289.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241;Adware.SearchTwo.origin;Incurable.Moved.;
A0021297.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241;Trojan.MulDrop.13008;Deleted.;
A0021298.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241;Trojan.MulDrop.13008;Deleted.;
A0021305.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241;Trojan.Fakealert.443;Deleted.;
A0021316.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241;Probably BATCH.Virus;Incurable.Moved.;
A0021329.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241;Program.PsExec.170;Incurable.Moved.;
A0021341.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP241;Probably SCRIPT.Virus;Incurable.Moved.;
A0030673.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246;Trojan.MulDrop.14031;Deleted.;
A0030674.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246;BackDoor.FireOn.6;Deleted.;
A0030681.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246;Trojan.Virtumod.based;Incurable.Moved.;
A0030682.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246;Trojan.Virtumod.based;Incurable.Moved.;
A0030686.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246;Trojan.LowZones.origin;Incurable.Moved.;
A0030689.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246;Trojan.DownLoader.45546;Deleted.;
A0030696.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP246;Trojan.DownLoader.58370;Deleted.;
A0030894.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Virtumod.based;Incurable.Moved.;
A0030895.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Virtumod.based;Incurable.Moved.;
A0031808.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031809.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031810.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031811.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031812.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031813.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031814.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031815.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Starter.384;Cured.;
A0031816.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031817.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031818.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Starter.384;Cured.;
A0031819.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Starter.384;Cured.;
A0031820.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031821.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Starter.384;Cured.;
A0031822.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Starter.384;Cured.;
A0031823.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Starter.384;Cured.;
A0031832.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
A0031833.ex_;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP248;Trojan.Click.2166;Deleted.;
GTDownDE_87.ocx;C:\WINDOWS\SYSTEM32;Adware.Gdown;Incurable.Moved.;
hkcmd.ex_;C:\WINDOWS\SYSTEM32;Trojan.Click.2166;Deleted.;
igfxtray.ex_;C:\WINDOWS\SYSTEM32;Trojan.Click.2166;Deleted.;
L5A64.tmp;C:\WINDOWS\SYSTEM32;Trojan.Virtumod.based;Incurable.Moved.;
Process.exe;C:\WINDOWS\SYSTEM32;Tool.Prockill;Incurable.Moved.;
hpztsb09.ex_;C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3;Trojan.Click.2166;Deleted.;
vxsawvvc.dll;C:\_OTMoveIt\MovedFiles\04152008_172905\windows\system32;Trojan.Virtumod.based;Incurable.Moved.;

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:57 PM, on 4/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Matt's Things\Other Things\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for ôå: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098728199640
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://a1776.ff.fullaudio.com.edges...io.com/musicnow/phoenix/4.0.0.17/MusicNow.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{560BC006-96FD-400C-884E-EC5D51D95CA2}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{91B7E03A-74C8-4BB9-9C2B-DC87F8B2170E}: NameServer = 195.141.193.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AA52E13-30E8-498D-9252-F2FF390577A6}: NameServer = 195.141.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8837 bytes

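The helper's "Looks better!" verdict comes from reading the HJT log above section by section. As an added example, not part of the thread or of HijackThis itself, here is a small Python triage script that parses such lines and pulls out the entries a reviewer checks first: O4 autostarts, O17 DNS servers compared against an allowlist, and O23 services whose owner HJT could not attribute. The sample lines are constructed from the log above and the allowlist address is a hypothetical value.

```python
import re

# Constructed sample: a handful of HijackThis lines of the kinds seen in the log above
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{182A91C4-E864-45B6-94B4-1F225EBEFBE9}: NameServer = 195.141.193.3
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

ENTRY_RE = re.compile(r'^([RO]\d+) - (.*)$')                      # "O4 - <body>"
RUN_RE = re.compile(r'^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')  # O4 Run-key entries
DNS_RE = re.compile(r'NameServer = ([\d., ]+)$')                   # O17 DNS settings
SVC_RE = re.compile(r'^Service: (.+?) - (.+?) - (.+)$')            # O23: name - owner - path


def parse_hjt(text):
    """Return (section, body) pairs for every HJT entry line, skipping header noise."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def autostarts(entries):
    """O4 Run-key entries as (hive, value name, command); the first place to look for persistence."""
    found = []
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == 'O4' else None
        if m:
            found.append(m.groups())
    return found


def unexpected_nameservers(entries, expected):
    """O17 DNS servers not on the allowlist; a silently changed NameServer is a classic hijack sign."""
    seen = set()
    for sec, body in entries:
        m = DNS_RE.search(body) if sec == 'O17' else None
        if m:
            seen.update(ip.strip() for ip in m.group(1).split(','))
    return sorted(seen - set(expected))


def unsigned_services(entries):
    """Paths of O23 services HJT lists as 'Unknown owner': worth a second look, not proof of malware."""
    found = []
    for sec, body in entries:
        m = SVC_RE.match(body) if sec == 'O23' else None
        if m and m.group(2) == 'Unknown owner':
            found.append(m.group(3))
    return found
```

Run it over a full saved log and compare the O17 addresses with the DNS servers your ISP or router is supposed to hand out; anything else deserves an explanation before the log is called clean.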

----------



## cybertech (Apr 16, 2002)

Looks better! Are you having any problems now?


----------



## yettz (May 6, 2007)

Not that I can tell. The Dr. Web scan made a Big difference! Thanks so much for all your help. I will head to the donation web site today!


----------



## cybertech (Apr 16, 2002)

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

It's a good idea to Flush your System Restore after removing malware: 
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405

Now you should Clean up your PC

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Good free tools and advice on how to tighten your security settings.

Security Help Tools

You're welcome!


----------

