Computing.Net > Forums > Security and Virus > continued virus/trojan/adware probs

Specialty Forums
Security and Virus
General Hardware
CPUs/Overclocking
Networking
Digital Photo/Video
Office Software
PC Gaming
Console Gaming
Programming
Database
Web Development
Digital Home

General Forums
Windows XP
Windows Vista
Windows 95/98
Windows Me
Windows NT
Windows 2000
Win Server 2008
Win Server 2003
Windows 3.1
Linux
PDAs
BeOS
Novell Netware
OpenVMS
Solaris
Disk Op. System
Unix
Mac
OS/2

The Lounge

Drivers
Driver Scan
Driver Forum

Software
Automatic Updates

BIOS Updates

My Computing.Net

Howtos

Site Search

Message Find

Data Recovery

About

continued virus/trojan/adware probs

Reply to Message Icon
Original Message
Name: moorjh
Date: April 27, 2007 at 12:42:14 Pacific
Subject: continued virus/trojan/adware probs
OS: Windows XP SP2
CPU/Ram: Pentium 4c 2.6GHz/ 1GB RA
Model/Manufacturer: custom
Comment:

Please help. A couple of days ago, I used VundoFix to remove a vundo trojan, but I continue to have problems (though not vundo). No more virus detections, but I get a lot of popups and occasional mystery program shortcuts installed to my desktop.

I run NA VirusScan, Ad-Aware, and Spybot S&D every time I boot, and new detections keep popping up. I've also updated my SpywareBlaster definitions.

Can someone figure out what might be wrong? I can post a HJT logfile if needed. TIA for the help.


Report Offensive Message For Removal


Response Number 1
Name: jabuck
Date: April 27, 2007 at 14:11:59 Pacific
Reply: (edit)

Please post your Hijack This log.


Report Offensive Follow Up For Removal

Response Number 2
Name: moorjh
Date: April 27, 2007 at 14:15:14 Pacific
Reply: (edit)

Logfile of HijackThis v1.99.1
Scan saved at 5:15:09 PM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\UCVPN\cvpnd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\jaoexksd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E0FF74BE-C82D-4DF5-A9ED-2ABAD11F4768} - C:\WINDOWS\system32\geedb.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOHNMO~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uc.edu,
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UCVPN\cvpnd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


Report Offensive Follow Up For Removal

Response Number 3
Name: jabuck
Date: April 27, 2007 at 15:50:29 Pacific
Reply: (edit)

You have no problem but if you have any connectivity problems after removing the 010 item with Hijack This run this program and the winsocks should be restored.

WinsockFix

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Download and install AVG Anti-Spyware We will need this later in safe mode

Be sure to update AVG Anti- Spyware

Download Killbox to your desktop from this link Killbox by Option^Explicit. If you already have "Killbox" update to this newer version. We will need it later in safe mode

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\jaoexksd.dll (file missing)

O2 - BHO: (no name) - {E0FF74BE-C82D-4DF5-A9ED-2ABAD11F4768} - C:\WINDOWS\system32\geedb.dll (file missing)

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOHNMO~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

Exit Hijack this but remain in safe mode.

Run Killbox from safe mode. Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\retadpu2000219.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.


Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!).

If your computer does not restart automatically, please restart it manually.


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click Here to download and run missingfilesetup.exe. Then try Killbox again.

Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Please post the AVG AntiSpyware report.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.

Run Hijack This> click "open the misc. tool section"> click "open uninstall manager"> click "save list"> click "save"> click "yes"> post that log please.

Update your java as soon as possible, this is how you got infected.

Download the latest version of http://java.sun.com/javase/downloads/index.jsp

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".

Click the "Download" button to the right.

Check the box that says: "Accept License Agreement". The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.

Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.

Reboot your computer once all Java components are removed

. Then from your desktop double-click on jre-1_6_0-windowsi586-p.exe to install the newest version.


Report Offensive Follow Up For Removal

Response Number 4
Name: moorjh
Date: April 27, 2007 at 20:23:31 Pacific
Reply: (edit)

OK, I was able to complete everything in the instructions, except the O10 object in the Hijack This list. It gave me this message:


*******************
HijackThis cannot repair O10 Winsock LSP entries.
You should use LSPFix for that, which is available from http://www.cexx.org/lspfix.htm.

If the O10 item belongs to WebHancer, New.Net or CommonName, Spybot S&D can remove it automatically. Spybot S&D is available from http://www.spybot.info/.
********************


Is this a big deal?

Anyway, I will post the three logs requested (AVG antispyware, Combofix, Hijack This uninstall list).



Report Offensive Follow Up For Removal

Response Number 5
Name: moorjh
Date: April 27, 2007 at 20:26:45 Pacific
Reply: (edit)

"**** *****" - 07-04-27 23:12:25 Service Pack 2 [SAFE MODE]
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\**** *****\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\JOHNMO~1
C:\qoobox\purity\C\DOCUME~1\JOHNMO~1\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\JOHNMO~1\APPLIC~1\SEMBLY~1
C:\qoobox\purity\C\DOCUME~1\JOHNMO~1\APPLIC~1\SSTEM3~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


2007-04-27 22:22 <DIR> d-------- C:\!KillBox
2007-04-27 22:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-26 19:27 <DIR> d-------- C:\WINDOWS\iiqf
2007-04-26 19:27 <DIR> d-------- C:\Program Files\Common Files\iiqf
2007-04-26 19:12 <DIR> d--hs---- C:\WINDOWS\Sm9obiBNb29yZQ
2007-04-24 23:05 <DIR> d-------- C:\VundoFix Backups
2007-04-24 13:50 1,382,840 ---hs---- C:\WINDOWS\system32\bdeeg.bak2
2007-04-24 12:17 1,382,565 ---hs---- C:\WINDOWS\system32\abadd.bak1
2007-04-24 12:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ErrorProtector Free
2007-04-19 22:27 <DIR> d-------- C:\Program Files\foobar2000
2007-04-19 22:27 <DIR> d-------- C:\DOCUME~1\JOHNMO~1\APPLIC~1\foobar2000
2007-04-08 09:39 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-08 09:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-06 23:53 <DIR> d-------- C:\WINDOWS\ASTULogTemp
2007-03-28 00:32 <DIR> d-------- C:\Program Files\Windows Mobile DST07 Updates
2007-03-27 23:51 <DIR> d-------- C:\Program Files\MSECache


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-27 22:06 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2007-04-27 21:07 -------- d-------- C:\DOCUME~1\JOHNMO~1\APPLIC~1\utorrent
2007-04-27 00:05 -------- d-------- C:\Program Files\spywareblaster
2007-03-28 00:25 -------- d-------- C:\Program Files\microsoft activesync
2007-03-28 00:03 2528 --a------ C:\DOCUME~1\JOHNMO~1\APPLIC~1\$_hpcst$.hpc
2007-03-27 07:57 -------- d---s---- C:\Program Files\xfire
2007-03-27 07:37 -------- d-------- C:\DOCUME~1\JOHNMO~1\APPLIC~1\xfire
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 08:45 -------- d-------- C:\Program Files\utorrent
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 14:00 -------- d-------- C:\Program Files\world of warcraft
2007-02-23 00:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 00:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundFusion"="RunDll32 hercplgs.cpl,BootEntryPoint"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"HGTXPEI"="C:\\WINDOWS\\System32\\FirstReboot.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\tbmon.exe\""
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"hpfsched"="C:\\WINDOWS\\hpfsched.exe"
"Acrobat Assistant 8.0"="\"C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""
@=""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\Wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\AcroTray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^University Of Cincinnati VPN Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\University Of Cincinnati VPN Client.lnk"
"backup"="C:\\WINDOWS\\pss\\University Of Cincinnati VPN Client.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\UCVPN\\IPSECD~1.EXE \"-run_only_if_connected\" \"-auto_initiation\""
"item"="University Of Cincinnati VPN Client"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^**** *****^Start Menu^Programs^Startup^Skyscape smARTupdate.lnk]
"path"="C:\\Documents and Settings\\**** *****\\Start Menu\\Programs\\Startup\\Skyscape smARTupdate.lnk"
"backup"="C:\\WINDOWS\\pss\\Skyscape smARTupdate.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Skyscape\\SMARTU~1.EXE "
"item"="Skyscape smARTupdate"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="launchpd"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ATIRW"
"hkey"="HKCU"
"command"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6dfd7ce0-bb5e-11da-be74-00508df191e0}]
Shell\AutoRun\command G:\JDSecure\Windows\JDSecure20.exe

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 23:14:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-27 23:14:19
C:\ComboFix-quarantined-files.txt ... 07-04-27 23:14


Report Offensive Follow Up For Removal


Response Number 6
Name: moorjh
Date: April 27, 2007 at 20:27:54 Pacific
Reply: (edit)


AVG Anti-Spyware - Scan Report


+ Created at: 11:10:51 PM 4/27/2007

+ Scan result:

C:\VundoFix Backups\jkklmlk.dll.bad -> Adware.Virtumonde : Cleaned.
C:\VundoFix Backups\urqrpol.dll.bad -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\John Moore\Local Settings\Temp\temp.fr982C\Programs\webhdll.dll -> Adware.WebHancer : Cleaned.
C:\WINDOWS\b129.exe -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{1248AAFE-640A-43EC-8316-DA649BAA3184}\RP795\A0129256.exe -> Downloader.Agent.bls : Cleaned.
C:\WINDOWS\retadpu2000219.exe.tmp -> Downloader.Agent.bls : Cleaned.
C:\Documents and Settings\John Moore\Local Settings\Temp\sdexe.exe -> Downloader.PurityScan.ee : Cleaned.
C:\WINDOWS\b104.exe -> Downloader.Small.buy : Cleaned.
C:\Program Files\Common Files\iiqf\iiqfd\vocabulary -> Downloader.TSUpdate.j : Cleaned.
C:\WINDOWS\b103.exe -> Downloader.TSUpdate.o : Cleaned.
:mozilla.83:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.86:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.87:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.88:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.91:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.92:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.93:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.801:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.374:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.375:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.802:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.715:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.166:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.167:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.168:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.169:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.170:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.171:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.172:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.173:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.174:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.27:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.28:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.29:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.30:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.505:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.506:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.285:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.286:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.287:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.288:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.306:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.307:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.761:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.762:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.39:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.40:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.847:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.308:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.309:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.310:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.312:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.313:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.318:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.145:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.146:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.151:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.152:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.153:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.154:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.155:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.156:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.157:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.158:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.159:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.160:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.161:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.162:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.163:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.164:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.165:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.176:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.177:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.178:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.179:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.180:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.181:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.182:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.183:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.184:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.185:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.186:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.716:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.209:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.210:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.211:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.212:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.213:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.216:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.311:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.314:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.315:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.316:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.317:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.319:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.686:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Vortexmediagroup : Cleaned.
:mozilla.745:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.709:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.289:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.290:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.291:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.292:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.293:C:\Documents and Settings\John Moore\Application Data\Mozilla\Firefox\Profiles\default.mkb\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\Sm9obiBNb29yZQ\mA6Cv21hvZ6Vtk.vbs -> Trojan.Small : Cleaned.


::Report end



Report Offensive Follow Up For Removal

Response Number 7
Name: moorjh
Date: April 27, 2007 at 20:28:59 Pacific
Reply: (edit)

UNINSTALL LIST:

µTorrent
3DMark03
3DMark05
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Alt-Tab Task Switcher Powertoy for Windows XP
Anapod Explorer (remove only)
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.4
AVG Anti-Spyware 7.5
AviSynth 2.5
BitTorrent 3.4.2
DAO
DivX 4.12 Codec
DivX Player
DivX Web Player
Doom 3
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Epocrates Essentials for Pocket PC
Fable - The Lost Chapters
FEAR
foobar2000 v0.9.4.2
Fraps
Gamesurround Fortissimo III
Guild Wars
Hardware Doctor
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP DeskJet 810C Series (Remove only)
Intel Application Accelerator RAID Edition
Intel(R) PRO Network Adapters and Drivers
iPod Agent 0.8.1.1
iPod for Windows User Guide
iPod System Software Updater 2.1
iPod Updater 2004-11-15
iTunes
Java(TM) SE Runtime Environment 6 Update 1
Kazaa Lite K++ v2.4.3
LimeWire 4.9.23
Logitech Harmony Remote Software
Logitech SetPoint
Macromedia Shockwave Player
MadOnion.com/3DMark2001 SE
McAfee VirusScan Enterprise
MCAT CD Companion
Microsoft .NET Framework 1.1
Microsoft ActiveSync
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5.0.11)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
ObjectDock Plus
Opera
PowerDVD PRO EX
Prime95
PrintServer Utilities
PSP Video 9 1.37
QuickTime
RealPlayer
Roxio Easy Media Creator 7 Basic DVD Edition
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SiSoftware Sandra Standard 2004.SP1 (CNET Edition)
SpeechRedist
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Steam
Stedman's Medical Dictionary for the Health Professions and Nursing 1.0
Time Zone Data Update Tool for Microsoft Office Outlook
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Viewpoint Manager (Remove Only)
VPN Client
WinAce Archiver
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Mobile Daylight Saving Time 2007 Updates
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
World of Warcraft
Xbox 360 Controller for Windows
Xfire (remove only)
XLink Kai Evolution 7
XviD MPEG-4 Video Codec



Report Offensive Follow Up For Removal

Response Number 8
Name: jabuck
Date: April 27, 2007 at 20:56:17 Pacific
Reply: (edit)

The 010 is part of xfire, a gaming tool, it should not cause any problems.

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Files to delete:
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\abadd.bak1

Folders to delete:
C:\WINDOWS\iiqf
C:\Program Files\Common Files\iiqf
C:\WINDOWS\Sm9obiBNb29yZQ

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply and post a new Hijack This log and a new combofix log.

Next, Run Hijack This> click "open the misc. tool section"> click "open uninstall manager"> click "save list"> click "save"> click "yes"> post that log please.

You java is out of date and should be updated as soon as possible. Download the latest version of http://java.sun.com/javase/downloads/index.jsp

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".

Click the "Download" button to the right.

Check the box that says: "Accept License Agreement". The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.

Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.

Reboot your computer once all Java components are removed

. Then from your desktop double-click on jre-1_6_0-windowsi586-p.exe to install the newest version.


Report Offensive Follow Up For Removal

Response Number 9
Name: moorjh
Date: April 28, 2007 at 05:50:11 Pacific
Reply: (edit)

Ok, here goes. First, the Avenger log, followed by the Hijack This log, ComboFix log, and Hijack This uninstall list. My JRE was already updated.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pmbbfwkb

*******************

Script file located at: \??\C:\Program Files\ssibeeei.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\bdeeg.bak2 deleted successfully.
File C:\WINDOWS\system32\abadd.bak1 deleted successfully.
Folder C:\WINDOWS\iiqf deleted successfully.
Folder C:\Program Files\Common Files\iiqf deleted successfully.
Folder C:\WINDOWS\Sm9obiBNb29yZQ deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Report Offensive Follow Up For Removal

Response Number 10
Name: moorjh
Date: April 28, 2007 at 05:51:04 Pacific
Reply: (edit)

Logfile of HijackThis v1.99.1
Scan saved at 8:43:45 AM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\UCVPN\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uc.edu,
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UCVPN\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe



Report Offensive Follow Up For Removal

Response Number 11
Name: moorjh
Date: April 28, 2007 at 05:51:53 Pacific
Reply: (edit)

"John Moore" - 07-04-28 8:44:56 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\John Moore\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\JOHNMO~1
C:\qoobox\purity\C\DOCUME~1\JOHNMO~1\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\JOHNMO~1\APPLIC~1\SEMBLY~1
C:\qoobox\purity\C\DOCUME~1\JOHNMO~1\APPLIC~1\SSTEM3~1


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-28 ))))))))))))))))))))))))))))))))))


2007-04-28 08:40 <DIR> d-------- C:\avenger
2007-04-27 23:14 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-27 22:22 <DIR> d-------- C:\!KillBox
2007-04-27 22:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-24 23:05 <DIR> d-------- C:\VundoFix Backups
2007-04-24 12:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ErrorProtector Free
2007-04-19 22:27 <DIR> d-------- C:\Program Files\foobar2000
2007-04-19 22:27 <DIR> d-------- C:\DOCUME~1\JOHNMO~1\APPLIC~1\foobar2000
2007-04-08 09:39 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-08 09:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-06 23:53 <DIR> d-------- C:\WINDOWS\ASTULogTemp
2007-03-28 00:32 <DIR> d-------- C:\Program Files\Windows Mobile DST07 Updates


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 00:54 -------- d-------- C:\DOCUME~1\JOHNMO~1\APPLIC~1\utorrent
2007-04-27 22:06 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2007-04-27 00:05 -------- d-------- C:\Program Files\spywareblaster
2007-03-28 00:25 -------- d-------- C:\Program Files\microsoft activesync
2007-03-28 00:03 2528 --a------ C:\DOCUME~1\JOHNMO~1\APPLIC~1\$_hpcst$.hpc
2007-03-27 23:51 -------- d-------- C:\Program Files\msecache
2007-03-27 07:57 -------- d---s---- C:\Program Files\xfire
2007-03-27 07:37 -------- d-------- C:\DOCUME~1\JOHNMO~1\APPLIC~1\xfire
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 08:45 -------- d-------- C:\Program Files\utorrent
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 14:00 -------- d-------- C:\Program Files\world of warcraft
2007-02-23 00:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 00:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundFusion"="RunDll32 hercplgs.cpl,BootEntryPoint"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"HGTXPEI"="C:\\WINDOWS\\System32\\FirstReboot.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\tbmon.exe\""
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"hpfsched"="C:\\WINDOWS\\hpfsched.exe"
"Acrobat Assistant 8.0"="\"C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""
@=""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\Wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\AcroTray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^University Of Cincinnati VPN Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\University Of Cincinnati VPN Client.lnk"
"backup"="C:\\WINDOWS\\pss\\University Of Cincinnati VPN Client.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\UCVPN\\IPSECD~1.EXE \"-run_only_if_connected\" \"-auto_initiation\""
"item"="University Of Cincinnati VPN Client"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John Moore^Start Menu^Programs^Startup^Skyscape smARTupdate.lnk]
"path"="C:\\Documents and Settings\\John Moore\\Start Menu\\Programs\\Startup\\Skyscape smARTupdate.lnk"
"backup"="C:\\WINDOWS\\pss\\Skyscape smARTupdate.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Skyscape\\SMARTU~1.EXE "
"item"="Skyscape smARTupdate"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="launchpd"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ATIRW"
"hkey"="HKCU"
"command"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6dfd7ce0-bb5e-11da-be74-00508df191e0}]
Shell\AutoRun\command G:\JDSecure\Windows\JDSecure20.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-28 08:47:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-28 8:47:23
C:\ComboFix-quarantined-files.txt ... 07-04-28 08:47
C:\ComboFix2.txt ... 07-04-27 23:14


Report Offensive Follow Up For Removal

Response Number 12
Name: moorjh
Date: April 28, 2007 at 05:52:23 Pacific
Reply: (edit)

µTorrent
3DMark03
3DMark05
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Alt-Tab Task Switcher Powertoy for Windows XP
Anapod Explorer (remove only)
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.4
AVG Anti-Spyware 7.5
AviSynth 2.5
BitTorrent 3.4.2
DAO
DivX 4.12 Codec
DivX Player
DivX Web Player
Doom 3
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Epocrates Essentials for Pocket PC
Fable - The Lost Chapters
FEAR
foobar2000 v0.9.4.2
Fraps
Gamesurround Fortissimo III
Guild Wars
Hardware Doctor
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP DeskJet 810C Series (Remove only)
Intel Application Accelerator RAID Edition
Intel(R) PRO Network Adapters and Drivers
iPod Agent 0.8.1.1
iPod for Windows User Guide
iPod System Software Updater 2.1
iPod Updater 2004-11-15
iTunes
Java(TM) SE Runtime Environment 6 Update 1
Kazaa Lite K++ v2.4.3
LimeWire 4.9.23
Logitech Harmony Remote Software
Logitech SetPoint
Macromedia Shockwave Player
MadOnion.com/3DMark2001 SE
McAfee VirusScan Enterprise
MCAT CD Companion
Microsoft .NET Framework 1.1
Microsoft ActiveSync
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5.0.11)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
ObjectDock Plus
Opera
PowerDVD PRO EX
Prime95
PrintServer Utilities
PSP Video 9 1.37
QuickTime
RealPlayer
Roxio Easy Media Creator 7 Basic DVD Edition
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SiSoftware Sandra Standard 2004.SP1 (CNET Edition)
SpeechRedist
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Steam
Stedman's Medical Dictionary for the Health Professions and Nursing 1.0
Time Zone Data Update Tool for Microsoft Office Outlook
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Viewpoint Manager (Remove Only)
VPN Client
WinAce Archiver
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Mobile Daylight Saving Time 2007 Updates
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
World of Warcraft
Xbox 360 Controller for Windows
Xfire (remove only)
XLink Kai Evolution 7
XviD MPEG-4 Video Codec



Report Offensive Follow Up For Removal

Response Number 13
Name: jabuck
Date: April 28, 2007 at 07:50:46 Pacific
Reply: (edit)

Your version of limewire is most likely spyware infected. You should uninstall it and get the newest version as it is claimed not to be infected. Frostwire is supposed to be malware free but uses more memory than limewire.

Your Hijack This log is clean. You can delete/unistall any of the programs we used to clean the computer.

Also please delete these folders:

C:\!KillBox

C:\VundoFix Backups

C:\qoobox

C:\DOCUME~1\ALLUSE~1\APPLIC~1\ErrorProtector Free

How is the computer operating?



Report Offensive Follow Up For Removal

Response Number 14
Name: moorjh
Date: April 28, 2007 at 21:24:50 Pacific
Reply: (edit)

The computer is running great. I haven't had any problems. Thanks for the help!



Report Offensive Follow Up For Removal

Response Number 15
Name: jabuck
Date: April 29, 2007 at 06:50:17 Pacific
Reply: (edit)

Glad we could help.


Report Offensive Follow Up For Removal






Use following form to reply to current message: 

   Name: From My Computing.Net Settings
 E-Mail: From My Computing.Net Settings

Subject: continued virus/trojan/adware probs

Comments:
            
         

 


  Homepage URL (*): 
Homepage Title (*): 
         Image URL:
 
Data Recovery Software



Have you ever used OpenOffice?

Yes, as my main suite.
Yes, occationally.
Yes, but only once.
No, never.


View Results

Poll Finishes In 5 Days.
Discuss in The Lounge


use of disk defragmenter?

Recording data

Share Interet XP to 2000

Bootable cd and start SIW

western digital 80GB HD problem.

All Posts Awaiting Rep