Tom's Guide | Tom's Hardware | Tom's Games
Working on a friend's PC. Removed spyware, trojans, etc. Could not get online before I did this. Still cannot. Have a DSL connection and it works fine. Pinged: 4 sent, 4 received. No internet connection. I have the HijackThis log I just ran.
Please help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:14 PM, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\winlogon.exe
\Ourstorie\shareddocs\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FOR...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FOR...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [0c65d2fa] rundll32.exe "C:\WINDOWS\system32\gcdmlnrs.dll",b
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM0f56e166] Rundll32.exe "C:\WINDOWS\system32\afrwcqdr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spyprodetector] C:\Program Files\Spyware Process Detector\spydetector.exe TRAY
O4 - HKUS\S-1-5-21-1199073985-2335848232-695776775-1012\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'michelle')
O4 - HKUS\S-1-5-21-1199073985-2335848232-695776775-1012\..\Run: [DellSupport-] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'michelle')
O4 - HKUS\S-1-5-18\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0a\AOL.exe" -b (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0a\AOL.exe" -b (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Armored Attack by pogo - http://game3.pogo.com/v/8.1.7.44/ap...
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/v/8.1.7.44/ap...
O16 - DPF: Bowling by pogo - http://game3.pogo.com/v/8.1.7.44/ap...
O16 - DPF: Canasta by pogo - http://game1.pogo.com/v/8.1.7.44/ap...
O16 - DPF: Command and Conquer Attack Copter by pogo - http://game3.pogo.com/v/8.1.7.44/ap...
O16 - DPF: High Stakes Poker by pogo - http://game3.pogo.com/v/8.1.7.44/ap...
O16 - DPF: Hog Heaven Slots by pogo - http://game3.pogo.com/v/9.0.1.7/app...
O16 - DPF: KenoPop! by pogo - http://game1.pogo.com/v/8.1.8.21/ap...
O16 - DPF: Lottso by pogo - http://game3.pogo.com/v/9.0.1.7/app...
O16 - DPF: Makeover Madness by pogo - http://game3.pogo.com/v/9.0.1.7/app...
O16 - DPF: Pebble Beach 3 Hole Challenge by pogo - http://game1.pogo.com/v/8.1.7.44/ap...
O16 - DPF: PoppaZoppa by pogo - http://game3.pogo.com/v/8.1.7.44/ap...
O16 - DPF: Spades 2 by pogo - http://game1.pogo.com/v/8.1.7.44/ap...
O16 - DPF: Sweet Tooth 2 by Pogo - http://game3.pogo.com/v/8.1.7.44/ap...
O16 - DPF: Texas Hold'em Poker by pogo - http://game3.pogo.com/v/9.0.1.14/ap...
O16 - DPF: Tri-Peaks by pogo - http://game3.pogo.com/v/9.0.3.5/app...
O16 - DPF: Vaults of Atlantis Slots by pogo - http://game3.pogo.com/v/9.0.1.7/app...
O16 - DPF: Word Search Daily by pogo - http://game1.pogo.com/v/8.1.8.23/ap...
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofi...
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.xdrive.com/downloads/std...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - http://www.worldwinner.com/games/v4...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/sh...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1....
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - http://www.worldwinner.com/games/v4...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 8125 bytes

You are still badly infected, but try this.
1. Go to Start > Run, type cmd and press Enter.
2. Then type ipconfig /flushdns (note: the space between g and / is needed) and press Enter.
3. Then type exit and press Enter.
If you have an ADSL modem or a router, power both of them down for 30 seconds.
Plug them back in and reconnect.
That sometimes helps.
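What makes the log above read as "still badly infected" is visible in the O4 (Run-key autostart) section: two entries named by bare hex tokens (`0c65d2fa`, `BM0f56e166`) that launch rundll32.exe against eight-letter DLLs in system32 through a one-character export. The script below is an added example, not part of the thread or of HijackThis, that runs that triage over the O4 lines copied from the log (constructed sample, with the benign neighbours kept for contrast). The two heuristics are assumptions drawn from those two entries, not a general rule: a Run value whose name is a hex token, and a rundll32 launch of an eight-letter DLL under system32 via a single-character export.

```python
import re

# Constructed sample: O4 (Run-key autostart) lines copied from the HijackThis
# log posted above, with the benign neighbours kept for contrast.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [0c65d2fa] rundll32.exe "C:\WINDOWS\system32\gcdmlnrs.dll",b
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM0f56e166] Rundll32.exe "C:\WINDOWS\system32\afrwcqdr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0a\AOL.exe" -b (User 'SYSTEM')
"""

# O4 line layout: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# rundll32 launch: optional path, "rundll32[.exe]", then "<dll>,<export>"
RUNDLL32 = re.compile(
    r'^(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Heuristics (assumptions drawn from the two Vundo entries in the log above,
# not a HijackThis feature): a Run value named by a bare hex token, optionally
# prefixed "BM", and a DLL under system32 whose name is 8 plain letters and
# whose export is a single character.
HEX_VALUE_NAME = re.compile(r'^(?:BM)?[0-9a-f]{8}$', re.IGNORECASE)
EIGHT_LETTER_DLL = re.compile(r'^[a-z]{8}\.dll$', re.IGNORECASE)


def triage_o4(log_text):
    """Return a list of suspicious O4 entries, each with the reasons it tripped."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        reasons = []
        if HEX_VALUE_NAME.match(name):
            reasons.append('Run value is named by a hex token, not a product name')
        r = RUNDLL32.match(cmd)
        if r:
            dll, export = r.group('dll'), r.group('export').strip('"')
            base = dll.rsplit('\\', 1)[-1]
            if '\\system32\\' in dll.lower() and EIGHT_LETTER_DLL.match(base) and len(export) == 1:
                reasons.append('rundll32 loads an 8-letter DLL from system32 via a one-character export')
        if reasons:
            findings.append({'name': name, 'key': m.group('key'), 'cmd': cmd, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"[{f['name']}] {f['cmd']}")
        for reason in f['reasons']:
            print('    -', reason)
```

Run against the sample it reports exactly the two Vundo entries and nothing else; a legitimate rundll32 call such as `setupapi.dll,InstallHinfSection` passes because the export name is a word, not a single letter. The other tell-tale lines in the log (the two O3 toolbars with no file, the unknown Winsock LSP in O10, and the ProxyOverride value) are worth reading by hand the same way.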

Thank you, worked like a charm.
You couldn't suggest any programs I could run to get this cleaned up better than what I'm running, could you?
Thanks again so much... you just made my day.

This tool will remove some of it but we will need to run a different scan after we look at this one.
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.

Malwarebytes' Anti-Malware 1.26
Database version: 1105
Windows 5.1.2600 Service Pack 2
9/2/2008 6:17:02 AM
mbam-log-2008-09-02 (06-17-02).txt

Scan type: Quick Scan
Objects scanned: 56367
Time elapsed: 19 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 42
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 8
Files Infected: 114

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wnf---fu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyvuusT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMDsTJD.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xgqdea.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149813cf-afc1-4ac2-a404-b8aa402f323a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomdstjd (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{149813cf-afc1-4ac2-a404-b8aa402f323a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89af306d-356c-46d1-a182-2d2fb362ffd2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{89af306d-356c-46d1-a182-2d2fb362ffd2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eb315ebd-f7b6-4654-92a4-31484c11b4af} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{eb315ebd-f7b6-4654-92a4-31484c11b4af} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8998b633-38a2-4568-8f24-3dd4ae2b457d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c65d2fa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{149813cf-afc1-4ac2-a404-b8aa402f323a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\microsoft.vc80.mfc\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\microsoft.vc80.crt\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm0f56e166 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyvuust -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyvuust -> Delete on reboot.

Folders Infected:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Microsoft.VC80.CRT (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Microsoft.VC80.MFC (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\qoMDsTJD.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xgqdea.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyvuusT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\Tsuuvyxx.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\Tsuuvyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqnkhe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ehknqtwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ehknqtwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gcdmlnrs.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\srnlmdcg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBuUlLB.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BLlUuBeg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BLlUuBeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJArsPJ.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JPsrAJlm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JPsrAJlm.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCSmJA.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AJmSCJlm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AJmSCJlm.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnklLcA.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AcLlknnn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AcLlknnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onfymslf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flsmyfno.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qifjaaxc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cxaajfiq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rgxjqqfs.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sfqqjxgr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqPGxUM.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MUxGPqru.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MUxGPqru.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUkjkIb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bIkjkUtv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bIkjkUtv.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wnf---fu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ufkcufnw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ynrhjlpk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kpljhrny.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvcmjtij.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aihvcxms.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cvmabnqy.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvagsdus.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jggeau.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcmxmrur.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nmndkirg.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gelwliny.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kjbuvxox.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntosdisk.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nwdtqhhn.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnolmNE.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cjtsyl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bfmsacdd.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fqodjcxq.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fwekahwx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hwpuhfsn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mapudeao.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mbbilbkd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qokvtbxi.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtyguvsm.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xqvldwbn.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xudrbkdn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zttwdx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lryscckj.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lxuyfbml.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xbhxxj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eoklyfpa.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ucwtcljn.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\udtsjbmq.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ffysvumh.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bncgupbr.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lhlcubgs.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Local Settings\Temporary Internet Files\Content.IE5\4N6D8LYT\kb767887[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Local Settings\Temporary Internet Files\Content.IE5\P8KF1UXN\kb456456[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 01 - 10_43_37 AM_203.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 01 - 10_44_18 AM_125.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 03 - 09_25_15 AM_375.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 03 - 09_25_57 AM_468.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 04 - 03_30_03 AM_421.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 05 - 03_30_17 AM_609.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 06 - 03_30_10 AM_453.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 07 - 03_30_09 AM_342.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 08 - 03_30_07 AM_156.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 09 - 03_30_12 AM_312.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 10 - 03_30_40 AM_078.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Nov 12 - 03_30_10 AM_578.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 30 - 05_58_56 PM_781.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 30 - 06_00_25 PM_406.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 30 - 07_20_42 PM_718.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 30 - 07_22_57 PM_984.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 30 - 11_19_34 PM_875.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 30 - 11_21_52 PM_703.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 31 - 01_49_53 PM_687.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 31 - 01_50_34 PM_093.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 31 - 04_47_39 AM_343.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 31 - 04_48_16 AM_296.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 31 - 12_55_05 AM_921.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Oct 31 - 12_55_17 AM_046.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Sep 20 - 09_51_57 PM_296.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Sep 20 - 09_52_05 PM_625.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Sep 20 - 11_06_51 PM_791.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Sep 20 - 11_07_37 PM_869.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Sep 21 - 09_38_46 AM_671.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Sep 21 - 09_40_54 AM_843.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Sep 26 - 12_23_45 PM_656.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Log\2007 Sep 26 - 12_26_08 PM_390.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy M\Application Data\RegistrySmart\Registry Backups\2007-09-23_10-13-28.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\RegistrySmart\Log\2007 Sep 21 - 08_19_43 AM_343.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\RegistrySmart\Log\2007 Sep 21 - 08_20_35 AM_687.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fbsunyxb.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0f56e166.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0f56e166.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
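The two "Registry Data Items" in the log above are the part of this cleanup a practitioner would re-check after the reboot: the infection had added its DLL (xxyvuusT) to the LSA "Authentication Packages" and "Notification Packages" lists, which lsass.exe loads at boot, and MBAM marked the Authentication Packages repair "Delete on reboot" rather than done. The script below is an added example, not part of the thread or of MBAM, that parses the text `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"` prints and reports every entry beyond a stock Windows XP baseline. The sample output is constructed from the log's values, the baseline (msv1_0; scecli; kerberos, msv1_0, schannel, wdigest) is an assumption about an XP SP2 box with no third-party password filters or security packages, and the `\0` separator for REG_MULTI_SZ data is an assumption about reg.exe's output format.

```python
import re

# Constructed sample: the output of
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
# as reg.exe on Windows XP prints it (assumption: REG_MULTI_SZ entries are
# joined with a literal "\0"), with the extra entry the MBAM log reported
# still present in both package lists.
SAMPLE_REG_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0\0xxyvuusT
    Notification Packages    REG_MULTI_SZ    scecli\0xxyvuusT
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest
"""

# Baseline for a stock Windows XP SP2 install with no third-party password
# filters or security packages (assumption; a domain member or RRAS box may
# legitimately carry extra entries, so adjust before trusting the result).
XP_BASELINE = {
    'Authentication Packages': {'msv1_0'},
    'Notification Packages': {'scecli'},
    'Security Packages': {'kerberos', 'msv1_0', 'schannel', 'wdigest'},
}

# One value line: "<name>   <REG_type>   <data>"; names may contain spaces.
VALUE_LINE = re.compile(r'^\s*(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$')


def parse_reg_query(text):
    """Map value names to their data; REG_MULTI_SZ becomes a list of strings."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        data = m.group('data').strip()
        if m.group('type') == 'REG_MULTI_SZ':
            data = [s for s in data.split('\\0') if s]
        values[m.group('name')] = data
    return values


def lsa_deviations(reg_query_text, baseline=XP_BASELINE):
    """Return {value name: [entries not in the baseline]}.

    Every entry in these lists is a DLL (base name, no extension) that
    lsass.exe loads at boot as SYSTEM, so anything beyond the baseline is
    either a product installed on purpose or something that should not be there.
    """
    values = parse_reg_query(reg_query_text)
    deviations = {}
    for name, expected in baseline.items():
        present = values.get(name, [])
        if isinstance(present, str):
            present = [present]
        extra = [entry for entry in present if entry.lower() not in expected]
        if extra:
            deviations[name] = extra
    return deviations


if __name__ == '__main__':
    for value, extra in lsa_deviations(SAMPLE_REG_QUERY).items():
        print(f'{value}: unexpected {extra}')
```

On the sample it reports xxyvuusT under both Authentication Packages and Notification Packages and nothing under Security Packages; once the lists are back to baseline it returns an empty dict. Because these DLLs load inside lsass.exe before any user logs on, the check belongs after the reboot MBAM asked for, not before it.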

Go to Start > Control Panel > Add/Remove Programs and uninstall this program if found:
Spyprodetector, may be called Spyware Process Detector
Your Java is out of date and has been exploited.
Download the latest version of Java from this link: Java
Click on the JRE 6 Update 7 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case, to run Combofix do the following:
1. Go offline, turn off your Eset nod32 Antivirus
2. Run Combofix and save its log.
3. Restart the computer to get your antivirus running
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

ComboFix 08-09-01.03 - Kathy M 2008-09-02 8:15:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.272 [GMT -5:00]
Running from: C:\Documents and Settings\michelle\My Documents\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Kathy M\Application Data\.#
C:\Documents and Settings\Kathy M\Application Data\.#\MBX@830@A141C8.###
C:\Documents and Settings\Kathy M\Application Data\.#\MBX@830@A141F8.###
C:\Documents and Settings\Kathy M\Application Data\.#\MBX@830@A14228.###
C:\Documents and Settings\Kathy M\Application Data\.#\MBX@B78@A141C8.###
C:\Documents and Settings\Kathy M\Application Data\.#\MBX@B78@A141F8.###
C:\Documents and Settings\Kathy M\Application Data\.#\MBX@B78@A14228.###
C:\Documents and Settings\Kathy M\Application Data\FunWebProducts
C:\Documents and Settings\Kathy M\Application Data\FunWebProducts\Data\Kathy M\avatar.dat
C:\Documents and Settings\Pokerface1204\Application Data\FunWebProducts
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\#SharedObjects\83NJV2PR\bin.clearspring.com
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\#SharedObjects\83NJV2PR\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\#SharedObjects\83NJV2PR\interclick.com
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\#SharedObjects\83NJV2PR\interclick.com\ud.sol
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\#SharedObjects\83NJV2PR\static.youku.com
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\#SharedObjects\83NJV2PR\static.youku.com\v1.0.0237\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\#SharedObjects\83NJV2PR\static.youku.com\v1.0.0268\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\#SharedObjects\83NJV2PR\static.youku.com\v1.0.0270\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\#SharedObjects\83NJV2PR\static.youku.com\v1.0.0272\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Pokerface1204\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\smp.bat
C:\WINDOWS\system32\afrwcqdr.dll
C:\WINDOWS\system32\aglwfjfw.ini
C:\WINDOWS\system32\aiyldids.dll
C:\WINDOWS\system32\ajohxura.ini
C:\WINDOWS\system32\anekpyau.ini
C:\WINDOWS\system32\anekpyau.ini2
C:\WINDOWS\system32\apgcjpdo.dll
C:\WINDOWS\system32\aqowmq.dll
C:\WINDOWS\system32\aszrpx.dll
C:\WINDOWS\system32\bagtjkpo.ini
C:\WINDOWS\system32\bbitvxep.dll
C:\WINDOWS\system32\bjfgdgko.dll
C:\WINDOWS\system32\buhkhuhy.dll
C:\WINDOWS\system32\cduewgkv.dll
C:\WINDOWS\system32\cjvmrjdt.dll
C:\WINDOWS\system32\cqfkbxjq.ini
C:\WINDOWS\system32\cvnvpcqe.dll
C:\WINDOWS\system32\cxldoqej.ini
C:\WINDOWS\system32\datywbbs.dll
C:\WINDOWS\system32\ddrqcr.dll
C:\WINDOWS\system32\dfffeMoq.ini2
C:\WINDOWS\system32\dpdfco.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drmuvijw.dll
C:\WINDOWS\system32\dsngze.dll
C:\WINDOWS\system32\emeibemk.ini
C:\WINDOWS\system32\entfhbyv.ini
C:\WINDOWS\system32\euguqc.dll
C:\WINDOWS\system32\fdnprl.dll
C:\WINDOWS\system32\ffijtz.dll
C:\WINDOWS\system32\fgxrpabn.dll
C:\WINDOWS\system32\fqkksz.dll
C:\WINDOWS\system32\frdqgnkj.dll
C:\WINDOWS\system32\fvkkdjdc.ini
C:\WINDOWS\system32\fxjeodcg.dll
C:\WINDOWS\system32\ggadpnqd.dll
C:\WINDOWS\system32\gwhhqwta.ini
C:\WINDOWS\system32\gwpchpsd.dll
C:\WINDOWS\system32\hatctkya.ini
C:\WINDOWS\system32\hcwyotay.dll
C:\WINDOWS\system32\hglbklyj.dll
C:\WINDOWS\system32\idnyhy.dll
C:\WINDOWS\system32\ijbxld.dll
C:\WINDOWS\system32\jaalupfv.ini
C:\WINDOWS\system32\jfshhybc.dll
C:\WINDOWS\system32\jpsubsvw.dll
C:\WINDOWS\system32\jpwajsdm.dll
C:\WINDOWS\system32\kersrdrw.dll
C:\WINDOWS\system32\kevhllcp.ini
C:\WINDOWS\system32\kpdoke.dll
C:\WINDOWS\system32\kqdxdhtp.ini
C:\WINDOWS\system32\lasjkqwr.dll
C:\WINDOWS\system32\lhtnbuxv.dll
C:\WINDOWS\system32\logagb.dll
C:\WINDOWS\system32\ltgdsgmb.dll
C:\WINDOWS\system32\lunjge.dll
C:\WINDOWS\system32\lvfehpcf.ini
C:\WINDOWS\system32\mtcusurx.dll
C:\WINDOWS\system32\myxdkgvb.ini
C:\WINDOWS\system32\nmuvrlcy.ini
C:\WINDOWS\system32\ogdlrqbw.dll
C:\WINDOWS\system32\oiwuze.dll
C:\WINDOWS\system32\oujpwahn.ini
C:\WINDOWS\system32\pccafv.dll
C:\WINDOWS\system32\pklrynhk.ini
C:\WINDOWS\system32\plryipru.dll
C:\WINDOWS\system32\pvvnuqxd.dll
C:\WINDOWS\system32\qfsyxvkv.ini
C:\WINDOWS\system32\qkphqmup.ini
C:\WINDOWS\system32\qnegpdmf.ini
C:\WINDOWS\system32\QXyIRqss.ini
C:\WINDOWS\system32\rihvwlxr.dll
C:\WINDOWS\system32\riutgj.dll
C:\WINDOWS\system32\rjkkesnw.dll
C:\WINDOWS\system32\rluznn.dll
C:\WINDOWS\system32\ruquzr.dll
C:\WINDOWS\system32\slqpfibr.ini
C:\WINDOWS\system32\tcwpjurl.dll
C:\WINDOWS\system32\tcycbdue.dll
C:\WINDOWS\system32\tkqauvfx.ini
C:\WINDOWS\system32\uantzu.dll
C:\WINDOWS\system32\ugbgstep.dll
C:\WINDOWS\system32\uhuqsbpj.ini
C:\WINDOWS\system32\uunomecx.dll
C:\WINDOWS\system32\uydgquox.dll
C:\WINDOWS\system32\uyeflorl.dll
C:\WINDOWS\system32\vdqlxpax.dll
C:\WINDOWS\system32\vjrwuswh.ini
C:\WINDOWS\system32\vrkqbhik.dll
C:\WINDOWS\system32\vtyvfksi.ini
C:\WINDOWS\system32\vypykpmh.ini
C:\WINDOWS\system32\wavkva.dll
C:\WINDOWS\system32\wkutfvxv.dll
C:\WINDOWS\system32\wtbbpbsw.dll
C:\WINDOWS\system32\wuimknua.dll
C:\WINDOWS\system32\wxbjyvdd.dll
C:\WINDOWS\system32\xevmgxsq.ini
C:\WINDOWS\system32\xkvmlm.dll
C:\WINDOWS\system32\xkwsfp.dll
C:\WINDOWS\system32\xoovts.dll
C:\WINDOWS\system32\xsjuofdp.dll
C:\WINDOWS\system32\xtpsrajw.ini
C:\WINDOWS\system32\xuukimyl.dll
C:\WINDOWS\system32\xxyuumyi.ini
C:\WINDOWS\system32\ybgjhshs.dll
C:\WINDOWS\system32\ybxedsyd.ini
C:\WINDOWS\system32\yGgQYGgh.ini2
C:\WINDOWS\system32\ykinwumn.ini
C:\WINDOWS\system32\yquinino.dll
C:\WINDOWS\system32\ytmtlwnj.dll
C:\WINDOWS\temp\perflib_perfdata_1cc.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FAD
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.
2008-09-02 08:04 . 2008-09-02 08:04 <DIR> d-------- C:\Program Files\Sun
2008-09-02 08:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-02 07:59 . 2008-09-02 08:04 <DIR> d-------- C:\Program Files\Java
2008-09-02 07:59 . 2008-09-02 07:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-02 07:41 . 2008-09-02 07:45 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-02 07:24 . 2008-09-02 07:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 05:51 . 2008-09-02 05:51 <DIR> d-------- C:\Documents and Settings\Kathy M\Application Data\Malwarebytes
2008-09-02 05:50 . 2008-09-02 05:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 05:50 . 2008-09-02 05:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-02 05:50 . 2008-09-02 00:26 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 05:50 . 2008-09-02 00:25 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 01:51 . 2008-09-02 01:51 <DIR> dr-h----- C:\Documents and Settings\Kathy M\Application Data\SecuROM
2008-09-01 21:05 . 2008-09-01 21:05 <DIR> d-------- C:\Documents and Settings\michelle\Application Data\GTek
2008-09-01 21:04 . 2005-07-18 00:05 <DIR> d-------- C:\Documents and Settings\michelle\Application Data\Jasc Software Inc
2008-09-01 21:03 . 2005-07-18 00:14 <DIR> d-------- C:\Documents and Settings\michelle\Application Data\Symantec
2008-09-01 21:03 . 2008-09-01 21:03 <DIR> d-------- C:\Documents and Settings\michelle
2008-09-01 20:51 . 2008-09-02 07:31 <DIR> d-------- C:\Program Files\Spyware Process Detector
2008-09-01 20:50 . 2008-09-01 20:50 <DIR> d-------- C:\Program Files\ACW
2008-09-01 20:47 . 2004-08-04 00:56 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-09-01 20:47 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-09-01 20:45 . 2001-08-17 13:28 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2008-09-01 20:44 . 2001-08-17 13:28 765,884 --a------ C:\WINDOWS\system32\dllcache\usrti.sys
2008-09-01 20:43 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-09-01 20:42 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-09-01 20:41 . 2001-08-17 14:01 241,664 --a------ C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-09-01 20:40 . 2001-08-17 14:56 172,768 --a------ C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-09-01 20:39 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2008-09-01 20:38 . 2004-08-04 05:00 456,704 --a------ C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-09-01 20:37 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-09-01 20:36 . 2001-08-17 22:36 386,560 --a------ C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-09-01 20:35 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-09-01 20:34 . 2004-08-04 00:56 397,056 --a------ C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-09-01 20:33 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-09-01 20:32 . 2004-08-04 00:56 363,520 --a------ C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-09-01 20:31 . 2004-08-04 00:56 259,328 --a------ C:\WINDOWS\system32\dllcache\perm3dd.dll
2008-09-01 20:30 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-09-01 20:29 . 2001-08-17 12:50 198,144 --a------ C:\WINDOWS\system32\dllcache\nv3.sys
2008-09-01 20:28 . 2001-08-17 12:11 128,000 --a------ C:\WINDOWS\system32\dllcache\n100325.sys
2008-09-01 20:27 . 2004-08-04 05:00 1,875,968 --a------ C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-09-01 20:26 . 2001-08-17 12:50 320,384 --a------ C:\WINDOWS\system32\dllcache\mgaum.sys
2008-09-01 20:25 . 2004-08-04 05:00 1,158,818 --a------ C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-09-01 20:24 . 2001-08-17 22:36 242,176 --a------ C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-09-01 20:23 . 2004-08-04 05:00 471,102 --a------ C:\WINDOWS\system32\dllcache\imskdic.dll
2008-09-01 20:22 . 2004-08-04 05:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-09-01 20:21 . 2001-08-17 22:36 324,608 --a------ C:\WINDOWS\system32\dllcache\hpojwia.dll
2008-09-01 20:20 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-09-01 20:19 . 2001-08-17 12:14 444,416 --a------ C:\WINDOWS\system32\dllcache\fpcibase.sys
2008-09-01 20:18 . 2001-08-17 12:17 629,952 --a------ C:\WINDOWS\system32\dllcache\eqn.sys
2008-09-01 20:17 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-09-01 20:16 . 2001-08-17 22:36 614,429 --a------ C:\WINDOWS\system32\dllcache\digiview.exe
2008-09-01 20:15 . 2004-08-04 05:00 1,677,824 --a------ C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-09-01 20:14 . 2001-08-17 13:28 714,698 --a------ C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2008-09-01 20:13 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-09-01 20:12 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-09-01 20:11 . 2004-05-13 00:39 876,653 --a------ C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-09-01 20:10 . 2003-03-24 16:52 20,540 --a------ C:\WINDOWS\system32\dllcache\admin.dll
2008-09-01 20:10 . 2003-03-24 16:52 16,439 --a------ C:\WINDOWS\system32\dllcache\admin.exe
2008-09-01 18:45 . 2008-09-01 18:45 <DIR> d-------- C:\ERDNT
2008-09-01 03:19 . 2008-09-01 03:19 <DIR> d-------- C:\Program Files\ESET
2008-09-01 03:19 . 2008-09-01 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-09-01 00:54 . 2008-09-02 00:54 1,194 ---hs---- C:\WINDOWS\system32\uwivftpm.ini
2008-08-31 19:12 . 2008-08-31 19:25 509 --a------ C:\WINDOWS\SysMech6.INI
2008-08-31 06:38 . 2008-08-31 06:38 4,096 --a------ C:\Volume{52C8E4FE-B853-42c1-9528-92978438BBF3}
2008-08-31 06:38 . 2008-08-31 19:38 4,096 --a------ C:\01F60800-D0F4738C
2008-08-31 06:36 . 2008-08-31 06:36 <DIR> d-------- C:\Program Files\Common Files\Kaspersky Lab
2008-08-31 06:35 . 2008-08-31 06:35 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-31 06:34 . 2005-09-24 03:31 1,778,688 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-08-31 06:34 . 2005-09-23 15:26 88,192 --a------ C:\WINDOWS\system32\drivers\IoloFltr.sys
2008-08-31 06:34 . 2005-09-12 21:18 30,942 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-08-31 06:34 . 2005-09-12 21:20 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-08-31 06:34 . 2004-05-29 06:15 9,728 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2008-08-31 03:46 . 2008-08-31 03:46 <DIR> d-------- C:\Documents and Settings\Kathy M\Application Data\VSRevoGroup
2008-08-30 23:58 . 2008-08-30 23:58 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-08-30 20:11 . 2008-08-31 20:56 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-08-30 11:55 . 2008-08-30 20:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-30 11:55 . 2008-08-30 11:55 <DIR> d-------- C:\Program Files\CCleaner
2008-08-30 11:55 . 2008-08-30 11:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-30 11:55 . 2008-08-30 11:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-08-29 11:50 . 2008-08-30 11:49 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-29 10:41 . 2008-08-30 11:50 <DIR> d-------- C:\michelle
2008-08-29 10:13 . 2008-08-29 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt
2008-08-29 09:12 . 2008-09-02 07:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-29 08:18 . 2008-08-30 12:01 1,074 ---hs---- C:\WINDOWS\system32\ahentpwu.ini
2008-08-27 03:50 . 2008-08-30 11:52 <DIR> d-------- C:\Documents and Settings\Pokerface1204\Application Data\SPORE Creature Creator
2008-08-27 03:43 . 2008-09-02 01:40 <DIR> d-------- C:\Program Files\Electronic Arts
2008-08-21 14:24 . 2008-08-30 11:54 <DIR> d-------- C:\Program Files\Microsoft Games
2008-08-20 19:23 . 2008-08-29 06:23 1,306 ---hs---- C:\WINDOWS\system32\stycuokw.ini
2008-08-08 16:57 . 2008-08-31 00:17 0 --a------ C:\WINDOWS\system32\null
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 10:46 --------- d--h--w C:\Documents and Settings\Kathy M\Application Data\GTek
2008-09-02 06:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-02 02:04 --------- d-----w C:\Program Files\Web Publish
2008-09-01 02:30 --------- d-----w C:\Program Files\Google
2008-09-01 02:10 --------- d-----w C:\Program Files\Yahoo!
2008-08-31 11:34 --------- d-----w C:\Program Files\iolo
2008-08-31 08:42 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-31 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-08-31 08:38 --------- d-----w C:\Program Files\IncrediMail
2008-08-30 16:54 --------- d-----w C:\Program Files\Common
2008-08-30 16:53 --------- d-----w C:\Documents and Settings\Kathy M\Application Data\iolo
2008-08-30 16:52 --------- d-----w C:\Documents and Settings\Kathy M\Application Data\ArcSoft
2008-08-30 00:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-26 04:55 --------- d-----w C:\Program Files\Modem Helper
2008-08-24 14:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-21 14:33 --------- d-----w C:\Program Files\NovaLogic
2008-08-18 22:29 23 ----a-w C:\Documents and Settings\Kathy M\jagex_runescape_preferences.dat
2008-08-03 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-19 02:59 --------- d-----w C:\Documents and Settings\Kathy M\Application Data\Yahoo!
2008-07-19 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-19 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-19 02:58 --------- d-----w C:\Program Files\Your Company Name
2008-07-19 02:58 --------- d-----w C:\Program Files\Virtual Assistant
2008-07-19 02:58 --------- d-----w C:\Program Files\Symantec
2008-07-19 02:58 --------- d-----w C:\Program Files\Nova Development
2008-07-19 02:58 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-19 02:58 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-07-19 02:58 --------- d-----w C:\Program Files\DSC Driver
2008-07-19 02:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-19 02:58 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-07-19 02:58 --------- d-----w C:\Program Files\Common Files\Jasc Software Inc
2008-07-07 19:56 --------- d-----w C:\Documents and Settings\Kathy M\Application Data\Ulead Systems
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 438359]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaspersky Anti-Hacker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kaspersky Anti-Hacker.lnk
backup=C:\WINDOWS\pss\Kaspersky Anti-Hacker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
--a------ 2005-09-24 03:36 1245696 C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemGuardAlerter]
--a------ 2005-09-24 03:39 672256 C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"dvpapi"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"MyWebSearchService"=2 (0x2)
"LexBceS"=2 (0x2)
"kavsvc"=2 (0x2)
"IOLO_SRV"=2 (0x2)
"ioloSystemService"=2 (0x2)
"ioloFileInfoList"=2 (0x2)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"%PROVIDERID%"="bin\sprtcmd.exe" /P %PROVIDERID%
"0c65d2fa"=rundll32.exe "C:\WINDOWS\system32\onfymslf.dll",b
"BM0f56e166"=Rundll32.exe "C:\WINDOWS\system32\cduewgkv.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiHacker]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1183611985\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 IoloFilter;IoloFilter;C:\WINDOWS\system32\drivers\IoloFltr.sys [2005-09-23 88192]
R0 Klpf;Klpf;C:\WINDOWS\system32\drivers\Klpf.sys [2005-08-04 25139]
R0 Klpid;Klpid;C:\WINDOWS\system32\drivers\Klpid.sys [2005-08-04 31862]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
S2 spydetector;spydetector;C:\Program Files\Spyware Process Detector\spydetector.sys [ ]
S4 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [ ]
S4 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [ ]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-spyprodetector - C:\Program Files\Spyware Process Detector\spydetector.exe
HKLM-Run-%PROVIDERID% - bin\sprtcmd.exe
HKU-Default-Run-AOL Fast Start - C:\Program Files\AOL 9.0a\AOL.exe
MSConfigStartUp-0c65d2fa - C:\WINDOWS\system32\onfymslf.dll
MSConfigStartUp-KAVPersonal50 - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kathy M\Application Data\Mozilla\Firefox\Profiles\tg94f5rv.default\
.
.
------- File Associations (Beta) -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 08:26:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
.
**************************************************************************
.
Completion time: 2008-09-02 8:33:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-02 13:33:52
Pre-Run: 19,144,663,040 bytes free
Post-Run: 19,316,527,104 bytes free

387 --- E O F --- 2008-09-02 12:45:26

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\uwivftpm.ini
C:\WINDOWS\system32\ahentpwu.ini
C:\WINDOWS\system32\stycuokw.ini
C:\WINDOWS\system32\cduewgkv.dll
C:\WINDOWS\system32\onfymslf.dll
Driver::
spydetector
Folder::
C:\Program Files\Spyware Process Detector
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MyWebSearchService"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"0c65d2fa"=-
"BM0f56e166"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if Combofix does not auto start, click "run".
Post a new Combofix log, following the same instructions as you did in response #7.
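As an added example (not part of the original post or of ComboFix itself), the Python script below applies the triage reasoning behind the CFScript above to a constructed excerpt of the first ComboFix log in this thread: it flags hidden+system .ini files with eight-letter random names in system32, and rundll32 run- entries that load similarly named DLLs, then renders them in the File::/Registry:: layout. Function names such as suspicious_files and build_cfscript are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the ComboFix log posted above (a few "Files Created"
# lines and the run- key), not the full log.
SAMPLE_LOG = r"""
2008-09-01 00:54 . 2008-09-02 00:54 1,194 ---hs---- C:\WINDOWS\system32\uwivftpm.ini
2008-08-31 19:12 . 2008-08-31 19:25 509 --a------ C:\WINDOWS\SysMech6.INI
2008-08-29 08:18 . 2008-08-30 12:01 1,074 ---hs---- C:\WINDOWS\system32\ahentpwu.ini
2008-08-20 19:23 . 2008-08-29 06:23 1,306 ---hs---- C:\WINDOWS\system32\stycuokw.ini
2008-08-30 23:58 . 2008-08-30 23:58 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-09-02 01:51 . 2008-09-02 01:51 <DIR> dr-h----- C:\Documents and Settings\Kathy M\Application Data\SecuROM
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"%PROVIDERID%"="bin\sprtcmd.exe" /P %PROVIDERID%
"0c65d2fa"=rundll32.exe "C:\WINDOWS\system32\onfymslf.dll",b
"BM0f56e166"=Rundll32.exe "C:\WINDOWS\system32\cduewgkv.dll",s
"""

# One "Files Created" line: created . modified size attrs path.
# The 9-character attribute field reads d r a h s ... ("---hs----" = hidden+system).
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Autorun value of the form "name"=rundll32.exe "C:\path\x.dll",entrypoint
RUNDLL_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=rundll32\.exe "(?P<dll>[^"]+)",\w+$', re.IGNORECASE
)
# Eight random lowercase letters, as in uwivftpm.ini or onfymslf.dll.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(ini|dll)$")
SYSTEM32 = "c:\\windows\\system32\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_hidden_system(attrs: str) -> bool:
    return attrs[3] == "h" and attrs[4] == "s"


def suspicious_files(log: str) -> List[str]:
    """Hidden+system files in system32 whose name is eight random letters."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if (is_hidden_system(m.group("attrs"))
                and path.lower().startswith(SYSTEM32)
                and RANDOM_NAME.match(basename(path).lower())):
            hits.append(path)
    return hits


def suspicious_run_values(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """rundll32 autoruns loading a random-named DLL from system32, grouped by key."""
    current = None
    found: Dict[str, List[Tuple[str, str]]] = {}
    for line in log.splitlines():
        k = REG_KEY.match(line)
        if k:
            current = k.group("key")
            continue
        v = RUNDLL_VALUE.match(line)
        if v and current:
            dll = v.group("dll")
            if dll.lower().startswith(SYSTEM32) and RANDOM_NAME.match(basename(dll).lower()):
                found.setdefault(current, []).append((v.group("name"), dll))
    return found


def build_cfscript(log: str) -> str:
    """Render the findings in the File:: / Registry:: layout used in the thread."""
    files = suspicious_files(log)
    run_values = suspicious_run_values(log)
    for entries in run_values.values():
        files.extend(dll for _, dll in entries)   # the loaded DLLs go under File::
    out = ["File::", *files, "Registry::"]
    for key, entries in run_values.items():
        out.append(f"[{key}]")
        out.extend(f'"{name}"=-' for name, _ in entries)   # "=-" deletes the value
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```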

ComboFix 08-09-01.05 - Kathy M 2008-09-02 18:55:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.240 [GMT -5:00]
Running from: C:\Documents and Settings\Kathy M\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kathy M\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 36 bytes in 1 streams.
ADS - explorer.exe: deleted 68 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Spyware Process Detector
C:\Program Files\Spyware Process Detector\spydetector.db1
C:\Program Files\Spyware Process Detector\spydetector.db2
C:\WINDOWS\system32\ahentpwu.ini
C:\WINDOWS\system32\stycuokw.ini
C:\WINDOWS\system32\uwivftpm.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SPYDETECTOR
-------\Service_spydetector
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.
2008-09-02 09:01 . 2008-09-02 09:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-02 09:01 . 2008-09-02 09:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-02 08:04 . 2008-09-02 08:04 <DIR> d-------- C:\Program Files\Sun
2008-09-02 08:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-02 07:59 . 2008-09-02 08:04 <DIR> d-------- C:\Program Files\Java
2008-09-02 07:59 . 2008-09-02 07:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-02 07:41 . 2008-09-02 07:45 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-02 07:24 . 2008-09-02 07:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 05:51 . 2008-09-02 05:51 <DIR> d-------- C:\Documents and Settings\Kathy M\Application Data\Malwarebytes
2008-09-02 05:50 . 2008-09-02 05:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 05:50 . 2008-09-02 05:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-02 05:50 . 2008-09-02 00:26 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 05:50 . 2008-09-02 00:25 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 01:51 . 2008-09-02 01:51 <DIR> dr-h----- C:\Documents and Settings\Kathy M\Application Data\SecuROM
2008-09-01 21:05 . 2008-09-01 21:05 <DIR> d-------- C:\Documents and Settings\michelle\Application Data\GTek
2008-09-01 21:04 . 2005-07-18 00:05 <DIR> d-------- C:\Documents and Settings\michelle\Application Data\Jasc Software Inc
2008-09-01 21:03 . 2005-07-18 00:14 <DIR> d-------- C:\Documents and Settings\michelle\Application Data\Symantec
2008-09-01 21:03 . 2008-09-01 21:03 <DIR> d-------- C:\Documents and Settings\michelle
2008-09-01 20:50 . 2008-09-01 20:50 <DIR> d-------- C:\Program Files\ACW
2008-09-01 20:47 . 2004-08-04 00:56 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-09-01 20:47 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-09-01 20:45 . 2001-08-17 13:28 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2008-09-01 20:44 . 2001-08-17 13:28 765,884 --a------ C:\WINDOWS\system32\dllcache\usrti.sys
2008-09-01 20:43 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-09-01 20:42 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-09-01 20:41 . 2001-08-17 14:01 241,664 --a------ C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-09-01 20:40 . 2001-08-17 14:56 172,768 --a------ C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-09-01 20:39 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2008-09-01 20:38 . 2004-08-04 05:00 456,704 --a------ C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-09-01 20:37 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-09-01 20:36 . 2001-08-17 22:36 386,560 --a------ C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-09-01 20:35 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-09-01 20:34 . 2004-08-04 00:56 397,056 --a------ C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-09-01 20:33 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-09-01 20:32 . 2004-08-04 00:56 363,520 --a------ C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-09-01 20:31 . 2004-08-04 00:56 259,328 --a------ C:\WINDOWS\system32\dllcache\perm3dd.dll
2008-09-01 20:30 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-09-01 20:29 . 2001-08-17 12:50 198,144 --a------ C:\WINDOWS\system32\dllcache\nv3.sys
2008-09-01 20:28 . 2001-08-17 12:11 128,000 --a------ C:\WINDOWS\system32\dllcache\n100325.sys
2008-09-01 20:27 . 2004-08-04 05:00 1,875,968 --a------ C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-09-01 20:26 . 2001-08-17 12:50 320,384 --a------ C:\WINDOWS\system32\dllcache\mgaum.sys
2008-09-01 20:25 . 2004-08-04 05:00 1,158,818 --a------ C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-09-01 20:24 . 2001-08-17 22:36 242,176 --a------ C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-09-01 20:23 . 2004-08-04 05:00 471,102 --a------ C:\WINDOWS\system32\dllcache\imskdic.dll
2008-09-01 20:22 . 2004-08-04 05:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-09-01 20:21 . 2001-08-17 22:36 324,608 --a------ C:\WINDOWS\system32\dllcache\hpojwia.dll
2008-09-01 20:20 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-09-01 20:19 . 2001-08-17 12:14 444,416 --a------ C:\WINDOWS\system32\dllcache\fpcibase.sys
2008-09-01 20:18 . 2001-08-17 12:17 629,952 --a------ C:\WINDOWS\system32\dllcache\eqn.sys
2008-09-01 20:17 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-09-01 20:16 . 2001-08-17 22:36 614,429 --a------ C:\WINDOWS\system32\dllcache\digiview.exe
2008-09-01 20:15 . 2004-08-04 05:00 1,677,824 --a------ C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-09-01 20:14 . 2001-08-17 13:28 714,698 --a------ C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2008-09-01 20:13 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-09-01 20:12 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-09-01 20:11 . 2004-05-13 00:39 876,653 --a------ C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-09-01 20:10 . 2003-03-24 16:52 20,540 --a------ C:\WINDOWS\system32\dllcache\admin.dll
2008-09-01 20:10 . 2003-03-24 16:52 16,439 --a------ C:\WINDOWS\system32\dllcache\admin.exe
2008-09-01 18:45 . 2008-09-01 18:45 <DIR> d-------- C:\ERDNT
2008-09-01 03:19 . 2008-09-01 03:19 <DIR> d-------- C:\Program Files\ESET
2008-09-01 03:19 . 2008-09-01 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-31 19:12 . 2008-08-31 19:25 509 --a------ C:\WINDOWS\SysMech6.INI
2008-08-31 06:38 . 2008-08-31 06:38 4,096 --a------ C:\Volume{52C8E4FE-B853-42c1-9528-92978438BBF3}
2008-08-31 06:38 . 2008-08-31 19:38 4,096 --a------ C:\01F60800-D0F4738C
2008-08-31 06:36 . 2008-09-02 08:56 <DIR> d-------- C:\Program Files\Common Files\Kaspersky Lab
2008-08-31 06:35 . 2008-09-02 08:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-31 03:46 . 2008-08-31 03:46 <DIR> d-------- C:\Documents and Settings\Kathy M\Application Data\VSRevoGroup
2008-08-30 23:58 . 2008-08-30 23:58 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-08-30 20:11 . 2008-08-31 20:56 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-08-30 11:55 . 2008-08-30 20:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-30 11:55 . 2008-08-30 11:55 <DIR> d-------- C:\Program Files\CCleaner
2008-08-30 11:55 . 2008-08-30 11:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-30 11:55 . 2008-08-30 11:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-08-29 11:50 . 2008-08-30 11:49 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-29 10:41 . 2008-08-30 11:50 <DIR> d-------- C:\michelle
2008-08-29 10:13 . 2008-08-29 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt
2008-08-29 09:12 . 2008-09-02 07:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-27 03:50 . 2008-08-30 11:52 <DIR> d-------- C:\Documents and Settings\Pokerface1204\Application Data\SPORE Creature Creator
2008-08-27 03:43 . 2008-09-02 01:40 <DIR> d-------- C:\Program Files\Electronic Arts
2008-08-21 14:24 . 2008-08-30 11:54 <DIR> d-------- C:\Program Files\Microsoft Games
2008-08-08 16:57 . 2008-08-31 00:17 0 --a------ C:\WINDOWS\system32\null.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 13:51 --------- d-----w C:\Program Files\iolo
2008-09-02 10:46 --------- d--h--w C:\Documents and Settings\Kathy M\Application Data\GTek
2008-09-02 06:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-02 02:04 --------- d-----w C:\Program Files\Web Publish
2008-09-01 02:30 --------- d-----w C:\Program Files\Google
2008-09-01 02:10 --------- d-----w C:\Program Files\Yahoo!
2008-08-31 08:42 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-31 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-08-31 08:38 --------- d-----w C:\Program Files\IncrediMail
2008-08-30 16:54 --------- d-----w C:\Program Files\Common
2008-08-30 16:53 --------- d-----w C:\Documents and Settings\Kathy M\Application Data\iolo
2008-08-30 16:52 --------- d-----w C:\Documents and Settings\Kathy M\Application Data\ArcSoft
2008-08-30 00:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-26 04:55 --------- d-----w C:\Program Files\Modem Helper
2008-08-24 14:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-21 14:33 --------- d-----w C:\Program Files\NovaLogic
2008-08-18 22:29 23 ----a-w C:\Documents and Settings\Kathy M\jagex_runescape_preferences.dat
2008-08-03 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-19 02:59 --------- d-----w C:\Documents and Settings\Kathy M\Application Data\Yahoo!
2008-07-19 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-19 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-19 02:58 --------- d-----w C:\Program Files\Your Company Name
2008-07-19 02:58 --------- d-----w C:\Program Files\Virtual Assistant
2008-07-19 02:58 --------- d-----w C:\Program Files\Symantec
2008-07-19 02:58 --------- d-----w C:\Program Files\Nova Development
2008-07-19 02:58 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-19 02:58 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-07-19 02:58 --------- d-----w C:\Program Files\DSC Driver
2008-07-19 02:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-19 02:58 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-07-19 02:58 --------- d-----w C:\Program Files\Common Files\Jasc Software Inc
2008-07-07 19:56 --------- d-----w C:\Documents and Settings\Kathy M\Application Data\Ulead Systems
.
((((((((((((((((((((((((((((( snapshot@2008-09-02_ 8.33.12.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-02 23:59:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 438359]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaspersky Anti-Hacker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kaspersky Anti-Hacker.lnk
backup=C:\WINDOWS\pss\Kaspersky Anti-Hacker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"dvpapi"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"LexBceS"=2 (0x2)
"kavsvc"=2 (0x2)
"IOLO_SRV"=2 (0x2)
"ioloSystemService"=2 (0x2)
"ioloFileInfoList"=2 (0x2)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"%PROVIDERID%"="bin\sprtcmd.exe" /P %PROVIDERID%
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1183611985\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
S0 IoloFilter;IoloFilter;C:\WINDOWS\system32\drivers\IoloFltr.sys [ ]
S4 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [ ]
S4 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [ ]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-SMSystemAnalyzer - C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
MSConfigStartUp-SystemGuardAlerter - C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 19:10:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
.
**************************************************************************
.
Completion time: 2008-09-02 19:17:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-03 00:17:28
ComboFix2.txt 2008-09-02 13:34:01
Pre-Run: 19,841,785,856 bytes free
Post-Run: 19,824,259,072 bytes free
230 --- E O F --- 2008-09-02 12:45:26
Can this infection get into the other three computers I run off this modem?
I wish I understood these programs you're using better so I could clean up my 16-year-old's computer. That's the next one I have to clean. Thank you for so much help.

I noticed this morning that her antivirus is still catching Virtumonde and quarantining it. I thought I should let you know.
Thanks so much for all the support.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

I have used Kaspersky before but I uninstalled it. I cannot get it to run; it tells me I need to enable the add-on. I'm not sure which one to run. Then I get: You need to install Java version 1.5 or later to run Kaspersky Online Scanner 7.0

It's working now. I figured it out.
I will submit the file when it's done.
Can I use these same instructions you have given me to get Virtumonde off my daughter's machine? I posted a little earlier today on hers.

No, the procedure is similar, but there will be different files on the other computer and we need a Hijack This log to help with the procedure.

I posted her hijack this log on her post. Her post is titled: Have Virtumonde
She is losing memory badly. I hope someone will be able to help with that one, so she doesn't mess up my pc....I will be back with that Kaspersky log soon.
Thank you again for all your help.

The moderator will delete that post because the Hijack This log was posted without a request.
Once deleted repost, no logs yet please only state the problem on the computer.

I reposted without the log. I forgot. I posted it this time as Virus and Losing RAM.
Oops...
Keep working with it..it can be fixed...

----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 3, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 03, 2008 20:17:25
Records in database: 1188827
----------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
Scan statistics:
Files scanned: 59738
Threat name: 19
Infected objects: 41
Suspicious objects: 0
Duration of the scan: 04:27:57
File name / Threat name / Threats count
C:\Documents and Settings\Pokerface1204\My Documents\XPantivirus2008_v77011819.exe Infected: Trojan.Win32.FraudPack.gen 1
C:\Program Files\BadgeHelp\Backspin\Backspin.exe Infected: Backdoor.Win32.MSNMaker.cf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\aiyldids.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.coo 1
C:\QooBox\Quarantine\C\WINDOWS\system32\apgcjpdo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\aqowmq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cqz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\aszrpx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bbitvxep.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.coc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bjfgdgko.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\cvnvpcqe.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dae 1
C:\QooBox\Quarantine\C\WINDOWS\system32\datywbbs.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cqo 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ddrqcr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cdb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dsngze.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.coc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\euguqc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dfg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fdnprl.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cle 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ffijtz.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.csr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fgxrpabn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.csr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fqkksz.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dae 1
C:\QooBox\Quarantine\C\WINDOWS\system32\frdqgnkj.dll.vir Infected: Trojan.Win32.Monder.gqa 1
C:\QooBox\Quarantine\C\WINDOWS\system32\idnyhy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.coo 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ijbxld.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.chq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jfshhybc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cpu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jpsubsvw.dll.vir Infected: Trojan.Win32.Monder.gqa 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jpwajsdm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.chq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kpdoke.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dfh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lasjkqwr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dfg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ltgdsgmb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cdb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lunjge.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dae 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pccafv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cpu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\plryipru.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.csr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rihvwlxr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dfh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rjkkesnw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cle 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rluznn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.clv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tcwpjurl.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.clv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\uantzu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cqo 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wkutfvxv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cpu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wtbbpbsw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dae 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xkvmlm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cpu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xkwsfp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ckp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xoovts.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.csr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ybgjhshs.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cqz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ytmtlwnj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.afqp 1
The selected area was scanned.
Keep working with it..it can be fixed...

She purchased System Mechanic 7 Pro. Should I go ahead and put it in with the KASPERSKY that comes with it and get rid of the ESET NOD32 Antivirus? Or should I wait till we are done?
Keep working with it..it can be fixed...

This will uninstall/damage this program but you should remove it and reinstall it later if wanted:
BadgeHelp (pogo cheat codes)
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Documents and Settings\Pokerface1204\My Documents\XPantivirus2008_v77011819.exe
Folder::
C:\Program Files\BadgeHelp
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "run".
Let us know how the computer is operating.

Seems to be running great. I am going to send it back to her and let them test drive it. If I have any more issues I will bring it back over here and we will go from there.
But, one question: she purchased System Mechanic 7 Pro. It has Kaspersky that comes with it; is it better than the free ESET NOD32 Antivirus?
Keep working with it..it can be fixed...

I would keep Eset.
Go to start> run> type in combofix /u (note the space after combofix) then press enter. Give it a minute. This will uninstall Combofix.
Go to start>control panel> add/remove programs and uninstall Hijack This.
Keep the other programs.
You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster
Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

The lady I'm working on this for told me to tell you thank you so much for taking the time to help me. She said she will avoid a lot of the sites I told her to.
Thanks again so much if she has issues I will be back. Hopefully not though.
Thanks,
LadyLeo
Keep working with it..it can be fixed...
