# Solved: Buffer overrun detected!



## wjordan87 (May 7, 2007)

I recently received that buffer overrun detected error on my computer. Here is the logfile report, but I need help choosing which ones to 'fix'. Here it is.

```
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:59:46 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Warren Jordan\Local Settings\Temporary Internet Files\Content.IE5\5C2GK7VC\HiJackThis_v2[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\mljihii.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {817E9040-0839-432B-BB8F-0C2D23D950D9} - (no file)
O2 - BHO: (no name) - {8900348F-7C22-40DE-A8B6-955DB2A8E89D} - C:\WINDOWS\system32\vtsqr.dll (file missing)
O2 - BHO: (no name) - {A962C704-731D-4375-A2F1-B0FFC5DE5FF0} - C:\WINDOWS\system32\awvvw.dll
O2 - BHO: (no name) - {B29F5B67-C70E-428E-AABB-8950144598Ae} - C:\WINDOWS\system32\wjeosulr.dll (file missing)
O2 - BHO: (no name) - {DA59AA7F-C148-41DB-9740-1F5D76047556} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [RegSweep] "C:\Program Files\RegSweep\RegSweep.exe" -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: awvvw - C:\WINDOWS\system32\awvvw.dll
O20 - Winlogon Notify: mljihii - C:\WINDOWS\SYSTEM32\mljihii.dll
O20 - Winlogon Notify: pmkji - C:\WINDOWS\system32\pmkji.dll (file missing)
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll (file missing)
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8326 bytes
```


----------



## wjordan87 (May 7, 2007)

Here is the log from the combofix

```
"Warren Jordan" - 07-05-06 22:24:43 Service Pack 2 
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Warren Jordan\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\cwqsqvrg.dll
C:\WINDOWS\system32\dkjuhtol.dll
C:\WINDOWS\system32\dlwwwlfl.dll
C:\WINDOWS\system32\dnuykila.dll
C:\WINDOWS\system32\dvsliogy.dll
C:\WINDOWS\system32\fpbapivu.dll
C:\WINDOWS\system32\gjgxvaix.dll
C:\WINDOWS\system32\iihrjumx.dll
C:\WINDOWS\system32\kdbxlofo.dll
C:\WINDOWS\system32\nbvgnwpl.dll
C:\WINDOWS\system32\nqhhbula.dll
C:\WINDOWS\system32\taebmyec.dll
C:\WINDOWS\system32\yhblmnxe.dll
C:\WINDOWS\system32\byxvwur.dll
C:\WINDOWS\system32\grvqsqwc.ini
C:\WINDOWS\system32\lothujkd.ini
C:\WINDOWS\system32\lflwwwld.ini
C:\WINDOWS\system32\alikyund.ini
C:\WINDOWS\system32\ygoilsvd.ini
C:\WINDOWS\system32\uvipabpf.ini
C:\WINDOWS\system32\xiavxgjg.ini
C:\WINDOWS\system32\xmujrhii.ini
C:\WINDOWS\system32\ofolxbdk.ini
C:\WINDOWS\system32\lpwngvbn.ini
C:\WINDOWS\system32\alubhhqn.ini
C:\WINDOWS\system32\ceymbeat.ini
C:\WINDOWS\system32\exnmlbhy.ini
C:\WINDOWS\system32\mljihii.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))

2007-05-06 21:42	132,660	--a------	C:\WINDOWS\system32\mwjmdmxj.dll
2007-05-06 21:33	66,048	--a------	C:\WINDOWS\ieResetIcons.exe
2007-05-06 21:17	132,660	--a------	C:\WINDOWS\system32\cvfbjxft.dll
2007-05-06 13:04 d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\RegSweep
2007-05-06 12:42	1,505,672	---hs----	C:\WINDOWS\system32\wvvwa.ini2
2007-05-06 06:03 d--------	C:\Program Files\mIRC
2007-05-04 09:56	1,429,318	---hs----	C:\WINDOWS\system32\wvvwa.bak2
2007-05-04 09:15	5,369,856	--a------	C:\DOCUME~1\WARREN~1\ntuser.dat
2007-05-03 10:28 d--------	C:\My Downloads
2007-05-03 09:56	132,660	--a------	C:\WINDOWS\system32\ftdbtiog.dll
2007-05-03 09:56	1,491,264	---hs----	C:\WINDOWS\system32\wvvwa.bak1
2007-05-03 09:55	284,244	---hs----	C:\WINDOWS\system32\awvvw.dll
2007-04-26 21:22	80,003	--a------	C:\WINDOWS\system32\jkkjk.dll
2007-04-21 16:19	1,383	--a------	C:\WINDOWS\mozver.dat
2007-04-19 19:30	43,584	--a------	C:\WINDOWS\system32\drivers\avipbb.sys
2007-04-19 19:30	28,352	--a------	C:\WINDOWS\system32\drivers\ssmdrv.sys
2007-04-18 14:12	1,372,411	--ahs----	C:\WINDOWS\system32\rqstv.ini2
2007-04-11 07:03 d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\Netscape

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-25 14:30	--------	d--------	C:\Program Files\dl_cats
2007-04-24 18:49	1395560	--ahs----	C:\WINDOWS\system32\rqstv.bak2
2007-04-24 10:40	1402381	--ahs----	C:\WINDOWS\system32\rqstv.bak1
2007-04-10 21:28	--------	d--------	C:\Program Files\google
2007-04-04 20:28	--------	d--------	C:\Program Files\wildtangent
2007-04-04 20:23	--------	d--h-----	C:\Program Files\installshield installation information
2007-04-04 20:21	--------	d--------	C:\Program Files\yahoo!
2007-04-04 20:15	--------	d--------	C:\Program Files\sonic
2007-04-04 20:12	--------	d--------	C:\Program Files\quicken
2007-04-04 19:59	--------	d--------	C:\Program Files\opera
2007-04-04 19:56	--------	d--------	C:\Program Files\jasc software inc
2007-04-04 10:25	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\opera
2007-04-04 10:23	--------	d--------	C:\Program Files\orb networks
2007-04-04 06:16	174903	--a------	C:\WINDOWS\system32\ddccy.dll
2007-04-01 08:48	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\installshield
2007-04-01 08:47	--------	d--------	C:\Program Files\wal-mart music downloads store
2007-03-31 23:31	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\apple computer
2007-03-31 22:49	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\smith micro
2007-03-31 22:39	--------	d--------	C:\Program Files\verizon wireless
2007-03-31 21:14	--------	d--------	C:\Program Files\sierra wireless
2007-03-31 09:17	1280714	--ahs----	C:\WINDOWS\system32\qpqss.bak2
2007-03-30 17:27	--------	d--------	C:\Program Files\msn messenger
2007-03-30 12:39	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\winpatrol
2007-03-30 12:34	--------	d--------	C:\Program Files\billp studios
2007-03-30 09:16	1243884	--ahs----	C:\WINDOWS\system32\qpqss.bak1
2007-03-29 21:46	--------	d--------	C:\Program Files\seekmo programs
2007-03-29 21:46	--------	d--------	C:\Program Files\Common Files\winantivirus pro 2007
2007-03-29 21:13	0	-rahs----	C:\MSDOS.SYS
2007-03-29 21:13	0	-rahs----	C:\IO.SYS
2007-03-29 18:34	1285091	--ahs----	C:\WINDOWS\system32\ijkmp.bak2
2007-03-29 14:33	4	-r-hs----	C:\MSDOS.BIN
2007-03-29 14:18	--------	d--------	C:\Program Files\sony
2007-03-28 20:40	--------	d--------	C:\Program Files\viewpoint
2007-03-28 20:18	--------	d--------	C:\Program Files\gemmaster
2007-03-28 19:39	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\winantivirus pro 2007
2007-03-28 18:50	87248	--a------	C:\DOCUME~1\WARREN~1\APPLIC~1\winantiviruspro2007freeinstall[1].exe
2007-03-28 18:34	1233973	--ahs----	C:\WINDOWS\system32\ijkmp.bak1
2007-03-20 19:16	--------	d--------	C:\Program Files\Common Files\viewpoint
2007-03-17 09:43	292864	--a------	C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:36	577536	--a------	C:\WINDOWS\system32\user32.dll
2007-03-08 11:36	40960	--a------	C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36	281600	--a------	C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47	1843584	--a------	C:\WINDOWS\system32\win32k.sys
2007-02-10 13:28	664	--a------	C:\WINDOWS\system32\d3d9caps.dat

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}	C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{8900348F-7C22-40DE-A8B6-955DB2A8E89D}	C:\WINDOWS\system32\vtsqr.dll [x]
{B29F5B67-C70E-428E-AABB-8950144598Ae}	C:\WINDOWS\system32\wjeosulr.dll [x]
{EF4F6FFB-DF2F-49A8-8684-42D5CE6209B8}	C:\WINDOWS\system32\awvvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"DLCCCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLCCtime.dll,[email protected]"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"RegSweep"="\"C:\\Program Files\\RegSweep\\RegSweep.exe\" -boot"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -scheduler"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvw
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkji
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command	F:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e5843b6-74bb-11da-9ca0-0014a5ae35c1}]
Shell\AutoRun\command	F:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a112ced4-9c20-11db-9cb2-0016d42e32b3}]
Shell\AutoRun\command	F:\setupSNK.exe

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 22:35:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-06 22:35:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-06 22:35
```


----------



## JSntgRvr (Jul 1, 2003)

Hi, *wjordan87* 

Welcome.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file.
Extract *avenger.exe* to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):


```
Files to delete:
C:\WINDOWS\system32\mwjmdmxj.dll
C:\WINDOWS\system32\cvfbjxft.dll
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\ftdbtiog.dll
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\rqstv.bak2
C:\WINDOWS\system32\rqstv.bak1
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\ijkmp.bak2
C:\WINDOWS\system32\ijkmp.bak1

Folders to delete:
C:\Documents and Settings\Warren Jordan\Application Data\winantivirus pro 2007

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8900348F-7C22-40DE-A8B6-955DB2A8E89D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B29F5B67-C70E-428E-AABB-8950144598Ae}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF4F6FFB-DF2F-49A8-8684-42D5CE6209B8}
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awvvw
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\pmkji
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpq
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon*, which will open a new window titled "*View/edit script*".
Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
Click *Done*.
Now click on the *Green Light* to begin execution of the script.
Answer "*Yes*" twice when prompted.

4. *The Avenger will automatically do the following*:
It will *restart your computer*. (In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice*.)
On reboot, it will briefly *open a black command window* on your desktop; this is normal.
After the restart, it *creates a log file* that should open with the results of The Avenger's actions. This log file will be located at *C:\avenger.txt*.
The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.

5. Please *copy/paste* the content of *C:\avenger.txt* into your reply *along with a fresh HJT log*.
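The question the thread opens with is which HJT entries to fix, and the script above answers it by hand. As an added example (not code from the thread, from HijackThis, ComboFix or The Avenger), the Python below encodes the triage a reviewer applies to these logs: flag load points whose target is reported missing, flag unnamed BHO and unknown Winlogon Notify entries that point at short, random-looking DLL names in system32, and cross-reference each flagged name against a ComboFix file listing, both directly and spelled backwards, which is an observation from these particular logs (awvvw/wvvwa.ini2, vtsqr/rqstv.ini2, pmkji/ijkmp.bak2) rather than a general rule. The sample lines are a subset copied from the logs in this thread; `KNOWN_NOTIFY` is an assumed allow-list of standard XP Winlogon\Notify subkeys, and the name heuristic is meant to prioritise what a human looks at, not to decide on its own.

```python
"""HJT triage helper: added example, not part of the thread or of any tool it mentions."""
import re
from dataclasses import dataclass, field

# Subset of the HijackThis lines posted in the thread.
HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\mljihii.dll",
    r"O2 - BHO: (no name) - {8900348F-7C22-40DE-A8B6-955DB2A8E89D} - C:\WINDOWS\system32\vtsqr.dll (file missing)",
    r"O2 - BHO: (no name) - {DA59AA7F-C148-41DB-9740-1F5D76047556} - (no file)",
    r"O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe",
    r"O20 - Winlogon Notify: awvvw - C:\WINDOWS\system32\awvvw.dll",
    r"O20 - Winlogon Notify: pmkji - C:\WINDOWS\system32\pmkji.dll (file missing)",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe",
]

# Subset of the file paths from the ComboFix listing in the thread.
COMBOFIX_FILES = [
    r"C:\WINDOWS\system32\mljihii.dll",
    r"C:\WINDOWS\system32\wvvwa.ini2",
    r"C:\WINDOWS\system32\wvvwa.bak2",
    r"C:\WINDOWS\system32\awvvw.dll",
    r"C:\WINDOWS\system32\rqstv.ini2",
    r"C:\WINDOWS\system32\ijkmp.bak2",
    r"C:\WINDOWS\system32\drivers\avipbb.sys",
]

ORPHAN_MARKERS = ("(file missing)", "(no file)")
# First drive-letter or %windir% path ending in a binary extension; stops before " (file missing)" or arguments.
PATH_RE = re.compile(r"((?:[A-Za-z]:|%windir%)\\.+?\.(?:dll|exe|sys|ocx))", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")
# Assumed allow-list: standard Windows XP Winlogon\Notify subkeys. Extend for your own environment.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)
    related: list = field(default_factory=list)


def parse_line(line):
    """Split an HJT line into (kind, display name, target path or None, orphaned flag)."""
    kind, _, rest = line.partition(" - ")
    orphaned = any(marker in rest for marker in ORPHAN_MARKERS)
    if kind == "O4":
        name = rest[rest.index("[") + 1:rest.index("]")]      # O4 - ...\Run: [Label] command
    else:
        name = rest.split(": ", 1)[1].split(" - ")[0] if ": " in rest else rest
    match = PATH_RE.search(rest)
    target = match.group(1) if match else None
    return kind, name, target, orphaned


def stem_of(path):
    """Lower-case file name without extension, e.g. 'awvvw' for ...\\awvvw.dll."""
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def related_files(stem, file_listing):
    """Listing entries sharing the stem, or the stem spelled backwards (seen in these logs)."""
    wanted = {stem, stem[::-1]}
    return [p for p in file_listing if stem_of(p) in wanted]


def triage(hjt_lines, file_listing):
    """Return a Finding for every line that trips at least one heuristic."""
    findings = []
    for line in hjt_lines:
        kind, name, target, orphaned = parse_line(line)
        reasons = []
        if orphaned:
            reasons.append("load point references a missing file")
        if target and "\\system32\\" in target.lower():
            stem = stem_of(target)
            unnamed = kind == "O2" and name == "(no name)"
            unknown_notify = kind == "O20" and stem not in KNOWN_NOTIFY
            if (unnamed or unknown_notify) and RANDOM_STEM_RE.match(stem):
                reasons.append(f"random-looking DLL name '{stem}' in system32")
        if reasons:
            finding = Finding(line, reasons)
            if target:
                finding.related = related_files(stem_of(target), file_listing)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LINES, COMBOFIX_FILES):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
        for p in f.related:
            print("   related:", p)
```

Run on the sample, it reports the two unnamed BHOs with random names, the "(no file)" BHO, and both Winlogon Notify entries, and leaves the Adobe, WinPatrol and ATI lines alone; the `related` list for awvvw pulls in wvvwa.ini2 and wvvwa.bak2, which is exactly the pairing the Avenger script above deletes together.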


----------



## wjordan87 (May 7, 2007)

It worked. Thanks a lot. Here are the contents of C:\avenger.txt along with a fresh HJT log. I will be donating to this forum for all its great help.

P.S.
I have one more question. Is it safe for me to download IE 7.0 again?

```
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ygbaldho

*******************

Script file located at: \??\C:\Documents and Settings\qdyakcrt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\mwjmdmxj.dll deleted successfully.
File C:\WINDOWS\system32\cvfbjxft.dll deleted successfully.
File C:\WINDOWS\system32\wvvwa.ini2 deleted successfully.
File C:\WINDOWS\system32\wvvwa.bak2 deleted successfully.
File C:\WINDOWS\system32\ftdbtiog.dll deleted successfully.
File C:\WINDOWS\system32\wvvwa.bak1 deleted successfully.
File C:\WINDOWS\system32\awvvw.dll deleted successfully.
File C:\WINDOWS\system32\jkkjk.dll deleted successfully.
File C:\WINDOWS\system32\rqstv.ini2 deleted successfully.
File C:\WINDOWS\system32\rqstv.bak2 deleted successfully.
File C:\WINDOWS\system32\rqstv.bak1 deleted successfully.
File C:\WINDOWS\system32\ddccy.dll deleted successfully.
File C:\WINDOWS\system32\qpqss.bak2 deleted successfully.
File C:\WINDOWS\system32\qpqss.bak1 deleted successfully.
File C:\WINDOWS\system32\ijkmp.bak2 deleted successfully.
File C:\WINDOWS\system32\ijkmp.bak1 deleted successfully.
Folder C:\Documents and Settings\Warren Jordan\Application Data\winantivirus pro 2007 deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8900348F-7C22-40DE-A8B6-955DB2A8E89D} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B29F5B67-C70E-428E-AABB-8950144598Ae} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF4F6FFB-DF2F-49A8-8684-42D5CE6209B8} deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awvvw deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\pmkji deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpq deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
```

```
"Warren Jordan" - 07-05-06 23:39:57 Service Pack 2 
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Warren Jordan\Desktop\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))

2007-05-06 23:27 d--------	C:\avenger
2007-05-06 22:35	49,152	--a------	C:\WINDOWS\nircmd.exe
2007-05-06 21:33	66,048	--a------	C:\WINDOWS\ieResetIcons.exe
2007-05-06 13:04 d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\RegSweep
2007-05-06 06:03 d--------	C:\Program Files\mIRC
2007-05-04 09:15	5,369,856	--a------	C:\DOCUME~1\WARREN~1\ntuser.dat
2007-05-03 10:28 d--------	C:\My Downloads
2007-04-21 16:19	1,383	--a------	C:\WINDOWS\mozver.dat
2007-04-19 19:30	43,584	--a------	C:\WINDOWS\system32\drivers\avipbb.sys
2007-04-19 19:30	28,352	--a------	C:\WINDOWS\system32\drivers\ssmdrv.sys
2007-04-11 07:03 d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\Netscape

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-25 14:30	--------	d--------	C:\Program Files\dl_cats
2007-04-10 21:28	--------	d--------	C:\Program Files\google
2007-04-04 20:28	--------	d--------	C:\Program Files\wildtangent
2007-04-04 20:23	--------	d--h-----	C:\Program Files\installshield installation information
2007-04-04 20:21	--------	d--------	C:\Program Files\yahoo!
2007-04-04 20:15	--------	d--------	C:\Program Files\sonic
2007-04-04 20:12	--------	d--------	C:\Program Files\quicken
2007-04-04 19:59	--------	d--------	C:\Program Files\opera
2007-04-04 19:56	--------	d--------	C:\Program Files\jasc software inc
2007-04-04 10:25	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\opera
2007-04-04 10:23	--------	d--------	C:\Program Files\orb networks
2007-04-01 08:48	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\installshield
2007-04-01 08:47	--------	d--------	C:\Program Files\wal-mart music downloads store
2007-03-31 23:31	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\apple computer
2007-03-31 22:49	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\smith micro
2007-03-31 22:39	--------	d--------	C:\Program Files\verizon wireless
2007-03-31 21:14	--------	d--------	C:\Program Files\sierra wireless
2007-03-30 17:27	--------	d--------	C:\Program Files\msn messenger
2007-03-30 12:39	--------	d--------	C:\DOCUME~1\WARREN~1\APPLIC~1\winpatrol
2007-03-30 12:34	--------	d--------	C:\Program Files\billp studios
2007-03-29 21:46	--------	d--------	C:\Program Files\seekmo programs
2007-03-29 21:46	--------	d--------	C:\Program Files\Common Files\winantivirus pro 2007
2007-03-29 21:13	0	-rahs----	C:\MSDOS.SYS
2007-03-29 21:13	0	-rahs----	C:\IO.SYS
2007-03-29 14:33	4	-r-hs----	C:\MSDOS.BIN
2007-03-29 14:18	--------	d--------	C:\Program Files\sony
2007-03-28 20:40	--------	d--------	C:\Program Files\viewpoint
2007-03-28 20:18	--------	d--------	C:\Program Files\gemmaster
2007-03-28 18:50	87248	--a------	C:\DOCUME~1\WARREN~1\APPLIC~1\winantiviruspro2007freeinstall[1].exe
2007-03-20 19:16	--------	d--------	C:\Program Files\Common Files\viewpoint
2007-03-17 09:43	292864	--a------	C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:36	577536	--a------	C:\WINDOWS\system32\user32.dll
2007-03-08 11:36	40960	--a------	C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36	281600	--a------	C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47	1843584	--a------	C:\WINDOWS\system32\win32k.sys
2007-02-10 13:28	664	--a------	C:\WINDOWS\system32\d3d9caps.dat

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}	C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"RegSweep"="\"C:\\Program Files\\RegSweep\\RegSweep.exe\" -boot"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -scheduler"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command	F:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e5843b6-74bb-11da-9ca0-0014a5ae35c1}]
Shell\AutoRun\command	F:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a112ced4-9c20-11db-9cb2-0016d42e32b3}]
Shell\AutoRun\command	F:\setupSNK.exe

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 23:42:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-06 23:42:11
C:\ComboFix-quarantined-files.txt ... 07-05-06 23:42
C:\ComboFix2.txt ... 07-05-06 22:45
C:\ComboFix3.txt ... 07-05-06 22:35
```


----------



## JSntgRvr (Jul 1, 2003)

Hi, *wjordan87* 

We still have some entries concerning *WinAntivirus Pro*.

Download *Superantispyware (SAS)*

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click *Yes*.
Under *Configuration and Preferences*, click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options*, make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Please leave the others unchecked.
Click the Close button to leave the control center screen.

On the main screen, under *Scan for Harmful Software*, click *Scan your computer*.
On the left check *C:\Fixed Drive*.
On the right, under *Complete Scan*, choose *Perform Complete Scan*.
Click *Next* to start the scan. *Please be patient while it scans your computer*.
After the scan is complete a summary box will appear. Click *OK*.
Make sure everything in the white box has a check next to it, then click *Next*.
It will quarantine what it found and if it asks if you want to reboot, click *Yes*.
To retrieve the removal information, please do the following:
After reboot, double-click the *SUPERAntispyware* icon on your desktop.
Click Preferences. Click the Statistics/Logs tab.
Under Scanner Logs, double-click *SUPERAntiSpyware* Scan Log.
It will open in your default text editor (such as Notepad/Wordpad).
Please highlight everything in the notepad, then right-click and choose copy.

Click close and close again to exit the program.
Please paste that information in your next reply along with a fresh *HijackThis log*.


----------



## wjordan87 (May 7, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/07/2007 at 05:42 PM

Application Version : 3.7.1018

Core Rules Database Version : 3232
Trace Rules Database Version: 1243

Scan type : Complete Scan
Total Scan Time : 00:49:34

Memory items scanned : 470
Memory threats detected : 0
Registry items scanned : 6090
Registry threats detected : 29
File items scanned : 37798
File threats detected : 35

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{8900348F-7C22-40DE-A8B6-955DB2A8E89D}
HKCR\CLSID\{8900348F-7C22-40DE-A8B6-955DB2A8E89D}
HKCR\CLSID\{8900348F-7C22-40DE-A8B6-955DB2A8E89D}\InprocServer32
HKCR\CLSID\{8900348F-7C22-40DE-A8B6-955DB2A8E89D}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSQR.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{EF4F6FFB-DF2F-49A8-8684-42D5CE6209B8}
HKCR\CLSID\{EF4F6FFB-DF2F-49A8-8684-42D5CE6209B8}
HKCR\CLSID\{EF4F6FFB-DF2F-49A8-8684-42D5CE6209B8}\InprocServer32
HKCR\CLSID\{EF4F6FFB-DF2F-49A8-8684-42D5CE6209B8}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVVW.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BYXVWUR.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MLJIHII.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP304\A0099523.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP304\A0099541.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\[email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\[email protected][2].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][2].txt
C:\Documents and Settings\Warren Jordan\Cookies\[email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\[email protected][2].txt
C:\Documents and Settings\Warren Jordan\Cookies\[email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][2].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][2].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\[email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][2].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][2].txt
C:\Documents and Settings\Warren Jordan\Cookies\[email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][1].txt
C:\Documents and Settings\Warren Jordan\Cookies\warren [email protected][1].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKCR\UWAP7.PCheck.1
HKCR\UWAP7.PCheck.1\CurVer
HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}
HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\InprocServer32
HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\InprocServer32#ThreadingModel
HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\ProgID
HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\Programmable
HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\VersionIndependentProgID
HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}
HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0
HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\0
HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\0\win32
HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\FLAGS
HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\HELPDIR
HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}
HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}\ProxyStubClsid
HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}\ProxyStubClsid32
HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}\TypeLib
HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}\TypeLib#Version
C:\WINDOWS\system32\stera.job
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\UWA7P\Quar
C:\WINDOWS\..\UWA7P
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP234\A0030270.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP234\A0030280.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP234\A0030290.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP239\A0030478.EXE

Adware.180solutions/Seekmo
HKCR\AppId\SeekmoTB.DLL
HKCR\AppId\SeekmoTB.DLL#AppID
C:\Program Files\Seekmo Programs

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\DOCUMENTS AND SETTINGS\WARREN JORDAN\APPLICATION DATA\WINANTIVIRUSPRO2007FREEINSTALL[1].EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP234\A0030291.EXE

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:15:58 PM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Warren Jordan\Local Settings\Temporary Internet Files\Content.IE5\HWKLE4P1\HiJackThis_v2[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {817E9040-0839-432B-BB8F-0C2D23D950D9} - (no file)
O2 - BHO: (no name) - {DA59AA7F-C148-41DB-9740-1F5D76047556} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8580 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *wjordan87* 

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {817E9040-0839-432B-BB8F-0C2D23D950D9} - (no file)
O2 - BHO: (no name) - {DA59AA7F-C148-41DB-9740-1F5D76047556} - (no file)

Now *close all windows and browsers, other than HiJackThis*, then click *Fix Checked*.

Close Hijackthis.

You have entries for two antivirus programs, *AntiVir PersonalEdition* and *AVG*.

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slowly, become unstable and even, in rare cases, crash.

If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time.

There are basically two types of these programs:
*On-Access* and *On-Demand*

*On-Access Scanners*
As the name implies, these are scanners that run in the background the whole time the PC is turned on and running. The main function of an On-Access scanner is to monitor activity on your machine.

*On-Demand Scanners*
As the name implies, these are scanners that only run when you ask them to, such as online scans and scanners installed on your machine that are not actively scanning it.

Remove one of these programs.

The rest of the log looks clear. *How is the computer doing?*
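As an added example that is not part of the thread, the following Python checker applies the two points of this reply to HijackThis-format lines: it lists O2 BHO entries whose backing path is "(no file)" and reports when O23 service lines come from more than one antivirus vendor. The sample lines are copied from the log posted above; the vendor-keyword table is an assumption and would need extending for other products.

```python
"""Review HijackThis-style log lines for orphaned BHOs and duplicate antivirus services."""
import re

# Sample input: lines taken from the HijackThis log posted earlier in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {DA59AA7F-C148-41DB-9740-1F5D76047556} - (no file)",
    r"O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>"; the name is matched non-greedily
# so a path containing " - " (Spybot's folder above) still lands in <path>.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O23 lines: "O23 - Service: <name> - <vendor> - <path>".
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# Assumed lookup: substring of the vendor field -> product name. Not an exhaustive list.
AV_VENDOR_KEYWORDS = {"avira": "AntiVir", "grisoft": "AVG"}


def orphaned_bhos(log):
    """Return CLSIDs of BHO entries whose DLL is gone: leftover registry entries
    that load nothing but should still be removed so the CLSID cannot be reused."""
    found = []
    for line in log.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m.group("path").strip() == "(no file)":
            found.append(m.group("clsid"))
    return found


def antivirus_products(log):
    """Return the distinct antivirus products with a registered service, in log order."""
    seen = []
    for line in log.splitlines():
        m = SVC_RE.match(line.strip())
        if not m:
            continue
        vendor = m.group("vendor").lower()
        for keyword, product in AV_VENDOR_KEYWORDS.items():
            if keyword in vendor and product not in seen:
                seen.append(product)
    return seen


def review(log):
    """Summarise both checks; multiple_av mirrors the advice to keep one resident scanner."""
    products = antivirus_products(log)
    return {
        "orphaned_bhos": orphaned_bhos(log),
        "antivirus_products": products,
        "multiple_av": len(products) > 1,
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```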


----------



## wjordan87 (May 7, 2007)

Done. Thanks for all your help, it was 'much' needed.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *wjordan87*. 

Congratulations.

Update your *Java*. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *Beware it is NOT supported for use in 9x or ME and probably will not install in those systems*

*Upgrading Java*:

Download the latest version of *Java Runtime Environment (JRE) 6u1*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Create a Restore point*:

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------

