|
| Computing.Net: Over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to sign up now, it's free! |
klone/winantivirus pop ups
|
Original Message
|
Name: beandis
Date: October 22, 2006 at 15:59:48 Pacific
Subject: klone/winantivirus pop upsOS: ntCPU/Ram: not sureManufacturer/Model: walmart special compaq |
Comment: i'm getting this all the time. not only that but the pop ups are starting to show up in foxfire which typically blocks them. explorer is constantly opening a pop up and then erroring when i close it... i have avg, bazooka, hijack this (which i only scanned as i don't have the computer brains to figure out what to do with it...) any help would be greatly appreciated! also everytime avg does a scan, it finds more klone viruses which i attempt to put in the vault but i'm not sure its doing the trick as they ALWAYS COME BACK!!!
thanks so much
the cursor is winking at me...i think it likes me...
Report Offensive Message For Removal
|
|
Response Number 2
|
Name: jabuck
Date: October 22, 2006 at 17:20:14 Pacific
|
Reply: Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
 Report Offensive Follow Up For Removal
|
|
Response Number 3
|
Name: beandis
Date: October 22, 2006 at 17:31:03 Pacific
|
Reply: got the hijack this software as i saw that post elsewhere...hope this helps you help me! Logfile of HijackThis v1.99.1
Scan saved at 8:30:26 PM, on 10/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\YPOPs\YPOPs.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLHostManager.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLServiceHost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLServiceHost.exe
C:\Program Files\Veoh\VeohClientService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Snood\Snood.exe
C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mytscstore.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130709234\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCPitStopEraser] C:\Program Files\PCPitstop\Erase\PCPitStopErase.exe /remindme
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdc...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMe...
O16 - DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMe...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Program Files\Veoh\VeohClientService.exe the cursor is winking at me...i think it likes me...
Report Offensive Follow Up For Removal
|
|
Response Number 4
|
Name: jabuck
Date: October 22, 2006 at 18:22:59 Pacific
|
Reply: Rename hijackthis.exe as that sometime helps locate the baddies. Go to start> search> files and folders> type in the top space "hijackthis.exe" without the quotes> click search> when it is found in the right pane (looks like a pile of dynamite)>right click on it> click rename> rename it "show.exe" without the quotes> click a blank space on the screen. Then post a new Hijack This log please. Please download ComboFix to the Desktop from this link: http://download.bleepingcomputer.com/sUBs/combofix.exe Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.) Please post the combofix.txt log. After you post the Hijack This and Combofix logs download the following tools. Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode Download and install AVG Anti-Spyware We will need this later in safe mode Be sure to update AVG Anti- Spyware Download Killbox to your desktop from this link Killbox by Option^Explicit. If you already have "Killbox" update to this newer version. We will need it later in safe mode Download “Winhelp2002's “ domain cleaner from this link DelDomains.inf Do not run it yet
Report Offensive Follow Up For Removal
|
|
Response Number 5
|
Name: beandis
Date: October 22, 2006 at 18:32:15 Pacific
|
Reply: Logfile of HijackThis v1.99.1
Scan saved at 9:29:11 PM, on 10/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\YPOPs\YPOPs.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLHostManager.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLServiceHost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLServiceHost.exe
C:\Program Files\Veoh\VeohClientService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Hijackthis\show.exe.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mytscstore.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\vtstr.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\yjyvsopw.dll (file missing)
O2 - BHO: (no name) - {B5A35BE1-5EC9-4A42-83F0-EE1A1970FDEF} - C:\WINDOWS\Fonts\cperg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130709234\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCPitStopEraser] C:\Program Files\PCPitstop\Erase\PCPitStopErase.exe /remindme
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdc...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMe...
O16 - DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMe...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: cperg - C:\WINDOWS\Fonts\cperg.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Program Files\Veoh\VeohClientService.exe Compaq_Owner - 06-10-22 21:29:47.28 Service Pack 2
ComboFix 06.10.19 - Running from: "D:\" ((((((((((((((((((((((((((((((( Files Created from 2006-09-22 to 2006-10-22 ))))))))))))))))))))))))))))))))))
2006-09-26 05:26 143,380 --a------ C:\WINDOWS\system32\hqujnjcx.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-22 21:29 -------- d-------- C:\Program Files\Hijackthis
2006-10-22 18:05 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-22 17:39 -------- d-------- C:\Program Files\Veoh
2006-10-18 19:28 4614 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-10-17 19:45 -------- d-------- C:\Program Files\LimeWire
2006-10-17 19:45 -------- d-------- C:\Program Files\Incomplete
2006-10-08 16:56 -------- d-------- C:\Program Files\Bazooka Scanner
2006-10-06 20:48 -------- d-------- C:\Program Files\Virtools
2006-10-01 08:25 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-26 05:26 -------- d-------- C:\Program Files\VSToolbar
2006-09-26 05:26 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SearchToolbarCorp
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 17:46 -------- d-------- C:\Program Files\Yahoo! Games
2006-09-01 18:04 102420 --a------ C:\WINDOWS\system32\ndgdavqb.dll
2006-08-31 16:53 102420 --a------ C:\WINDOWS\system32\pgrgunau.dll
2006-08-30 06:46 102420 --a------ C:\WINDOWS\system32\rlrkqjkk.dll
2006-08-29 13:51 13844 --a------ C:\WINDOWS\system32\jnajpvtn.exe
2006-08-29 13:51 102420 --a------ C:\WINDOWS\system32\ejcvrhoq.dll
2006-08-28 13:49 13844 --a------ C:\WINDOWS\system32\gdbnhnfr.exe
2006-08-28 13:49 102420 --a------ C:\WINDOWS\system32\rnbchrax.dll
2006-08-27 13:48 13844 --a------ C:\WINDOWS\system32\uskigflc.exe
2006-08-27 13:48 102420 --a------ C:\WINDOWS\system32\fcadfdcj.dll
2006-08-26 13:47 13844 --a------ C:\WINDOWS\system32\urexwhfa.exe
2006-08-26 13:47 102420 --a------ C:\WINDOWS\system32\yimqecem.dll
2006-08-25 13:46 13844 --a------ C:\WINDOWS\system32\heqelftm.exe
2006-08-25 13:46 102420 --a------ C:\WINDOWS\system32\oqdombry.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 12:43 13844 --a------ C:\WINDOWS\system32\ubbbjoek.exe
2006-08-24 12:43 102420 --a------ C:\WINDOWS\system32\vqpsavwe.dll
2006-08-23 12:43 13844 --a------ C:\WINDOWS\system32\ypdtshqu.exe
2006-08-23 12:43 102420 --a------ C:\WINDOWS\system32\gqothrot.dll
2006-08-22 11:40 13844 --a------ C:\WINDOWS\system32\kuvaexjh.exe
2006-08-22 11:40 102420 --a------ C:\WINDOWS\system32\xndaqqgc.dll
2006-08-21 11:38 102420 --a------ C:\WINDOWS\system32\fupseoxv.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-20 09:25 102420 --a------ C:\WINDOWS\system32\mriwmpog.dll
2006-08-19 15:07 102420 --a------ C:\WINDOWS\system32\exmixjmp.dll
2006-08-18 11:04 102420 --a------ C:\WINDOWS\system32\qdxtfncn.dll
2006-08-17 21:25 102420 --a------ C:\WINDOWS\system32\ebbmchio.dll
2006-08-16 17:19 102420 --a------ C:\WINDOWS\system32\xuienuhr.dll
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-15 04:55 102420 --a------ C:\WINDOWS\system32\ivclupbh.dll
2006-08-13 22:08 28672 --a------ C:\WINDOWS\system32\f3PSSavr.scr
2006-08-13 18:49 102420 --a------ C:\WINDOWS\system32\onbmhycc.dll
2006-08-12 17:46 102420 --a------ C:\WINDOWS\system32\umxcolwl.dll
2006-08-12 10:43 102420 --a------ C:\WINDOWS\system32\tbscjrwk.dll
2006-08-11 10:42 102420 --a------ C:\WINDOWS\system32\hninquvl.dll
2006-08-10 09:40 102420 --a------ C:\WINDOWS\system32\bbisaofc.dll
2006-08-09 06:10 102420 --a------ C:\WINDOWS\system32\olotvxgr.dll
2006-08-03 13:11 102420 --a------ C:\WINDOWS\system32\tcgptgru.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AOLCC"="\"C:\\Program Files\\AOL Computer Check-Up\\ACCAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Lexmark 3100 Series"="\"C:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"WT GameChannel"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1130709234\\ee\\AOLHostManager.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"PCPitStopEraser"="C:\\Program Files\\PCPitstop\\Erase\\PCPitStopErase.exe /remindme"
"My Web Search Bar"="rundll32 C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSBAR.DLL,S"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,df,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDriveAutoRun"=hex:00,02,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cperg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstr [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" Completion time: 06-10-22 21:31:07.31
C:\ComboFix.txt ... 06-10-22 21:31
here you go...you guys are THE BEST!!! thank you so much for all your help
the cursor is winking at me...i think it likes me...
Report Offensive Follow Up For Removal
|
|
Response Number 6
|
Name: jabuck
Date: October 22, 2006 at 18:49:28 Pacific
|
Reply: Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Then post the Vundofix log located at C:\Vundofix.txt please.
Report Offensive Follow Up For Removal
|
|
Response Number 7
|
Name: beandis
Date: October 22, 2006 at 19:14:55 Pacific
|
Reply: had to do it twice...as it missed one apparently on restart. is that going to fix this beastly box?
VundoFix V6.2.6
Checking Java version... Java version is 1.4.2.3 Scan started at 9:56:20 PM 10/22/2006 Listing files found while scanning.... C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\gdbnhnfr.exe
C:\WINDOWS\system32\heqelftm.exe
C:\WINDOWS\system32\hqujnjcx.exe
C:\WINDOWS\system32\jnajpvtn.exe
C:\WINDOWS\system32\kuvaexjh.exe
C:\WINDOWS\system32\ubbbjoek.exe
C:\WINDOWS\system32\urexwhfa.exe
C:\WINDOWS\system32\uskigflc.exe
C:\WINDOWS\system32\ypdtshqu.exe
C:\WINDOWS\Fonts\cperg.dll
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\Fonts\grepc.ini
C:\WINDOWS\Fonts\grepc.bak1
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.ini2
C:\WINDOWS\system32\rtstv.tmp Beginning removal... Attempting to delete C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\ddcyy.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\gdbnhnfr.exe
C:\WINDOWS\system32\gdbnhnfr.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\heqelftm.exe
C:\WINDOWS\system32\heqelftm.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\hqujnjcx.exe
C:\WINDOWS\system32\hqujnjcx.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\jnajpvtn.exe
C:\WINDOWS\system32\jnajpvtn.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\kuvaexjh.exe
C:\WINDOWS\system32\kuvaexjh.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\ubbbjoek.exe
C:\WINDOWS\system32\ubbbjoek.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\urexwhfa.exe
C:\WINDOWS\system32\urexwhfa.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\uskigflc.exe
C:\WINDOWS\system32\uskigflc.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\ypdtshqu.exe
C:\WINDOWS\system32\ypdtshqu.exe Has been deleted! Attempting to delete C:\WINDOWS\Fonts\cperg.dll
C:\WINDOWS\Fonts\cperg.dll Could not be deleted. Attempting to delete C:\WINDOWS\Fonts\grepc.ini
C:\WINDOWS\Fonts\grepc.ini Has been deleted! Attempting to delete C:\WINDOWS\Fonts\grepc.bak1
C:\WINDOWS\Fonts\grepc.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\rtstv.ini2
C:\WINDOWS\system32\rtstv.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\rtstv.tmp
C:\WINDOWS\system32\rtstv.tmp Has been deleted! Performing Repairs to the registry.
Done! VundoFix V6.2.6 Checking Java version... Java version is 1.4.2.3 Scan started at 10:02:19 PM 10/22/2006 Listing files found while scanning.... C:\WINDOWS\system32\vtstr.dll Beginning removal... VundoFix V6.2.6 Checking Java version... Java version is 1.4.2.3 Scan started at 10:06:20 PM 10/22/2006 Listing files found while scanning.... C:\WINDOWS\system32\vtstr.dll Beginning removal... Performing Repairs to the registry.
Done!
the cursor is winking at me...i think it likes me...
Report Offensive Follow Up For Removal
|
|
Response Number 8
|
Name: beandis
Date: October 22, 2006 at 19:24:00 Pacific
|
Reply: also i can't get killbox to download, the page won't open. don't know if that is going to be a problem the cursor is winking at me...i think it likes me...
Report Offensive Follow Up For Removal
|
|
Response Number 9
|
Name: jabuck
Date: October 22, 2006 at 20:17:36 Pacific
|
Reply: Try Killbox from this link http://killbox.net/ Go to start> control panel> add/remove programs and scroll down to and uninstall any of these programs if found: MyWebSearch Anything "MyWeb" Run Deldomains. To execute this file right click the desktop icon and select Install from the menu. Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account.
Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked": R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mytscstore.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\vtstr.dll (file missing) O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\yjyvsopw.dll (file missing)
O2 - BHO: (no name) - {B5A35BE1-5EC9-4A42-83F0-EE1A1970FDEF} - C:\WINDOWS\Fonts\cperg.dll O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba... O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://www.umediaserver.net/bin/UMe... O16 - DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMe... O20 - Winlogon Notify: cperg - C:\WINDOWS\Fonts\cperg.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing) Exit Hijack This but remain in safe mode Run Killbox from safe mode. Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\WINDOWS\Fonts\cperg.dll C:\Program Files\VSToolbar\VSToolBar.dll C:\Program Files\VSToolbar\ C:\WINDOWS\system32\hqujnjcx.exe
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click Here to download and run missingfilesetup.exe. Then try Killbox again.
Open notepad (Start Menu > Run > Type notepad and press "ok". Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4 [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cperg
] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstr]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop. Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes. Reboot into safe mode. Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared. AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop). Reboot to normal mode. Post the AVG Antivirus report on your desktop, a new combofix log and a new Hijack This log please.
Report Offensive Follow Up For Removal
|
|
Response Number 10
|
Name: beandis
Date: October 23, 2006 at 13:05:35 Pacific
|
Reply: Compaq_Owner - 06-10-23 16:02:15.37 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop" ((((((((((((((((((((((((((((((( Files Created from 2006-09-23 to 2006-10-23 ))))))))))))))))))))))))))))))))))
No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-23 16:01 -------- d-------- C:\Program Files\Hijackthis
2006-10-23 15:53 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-23 15:52 -------- d-------- C:\Program Files\Veoh
2006-10-18 19:28 4614 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-10-17 19:45 -------- d-------- C:\Program Files\LimeWire
2006-10-17 19:45 -------- d-------- C:\Program Files\Incomplete
2006-10-08 16:56 -------- d-------- C:\Program Files\Bazooka Scanner
2006-10-06 20:48 -------- d-------- C:\Program Files\Virtools
2006-10-01 08:25 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-26 05:26 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SearchToolbarCorp
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 17:46 -------- d-------- C:\Program Files\Yahoo! Games
2006-09-01 18:04 102420 --a------ C:\WINDOWS\system32\ndgdavqb.dll
2006-08-31 16:53 102420 --a------ C:\WINDOWS\system32\pgrgunau.dll
2006-08-30 06:46 102420 --a------ C:\WINDOWS\system32\rlrkqjkk.dll
2006-08-29 13:51 102420 --a------ C:\WINDOWS\system32\ejcvrhoq.dll
2006-08-28 13:49 102420 --a------ C:\WINDOWS\system32\rnbchrax.dll
2006-08-27 13:48 102420 --a------ C:\WINDOWS\system32\fcadfdcj.dll
2006-08-26 13:47 102420 --a------ C:\WINDOWS\system32\yimqecem.dll
2006-08-25 13:46 102420 --a------ C:\WINDOWS\system32\oqdombry.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 12:43 102420 --a------ C:\WINDOWS\system32\vqpsavwe.dll
2006-08-23 12:43 102420 --a------ C:\WINDOWS\system32\gqothrot.dll
2006-08-22 11:40 102420 --a------ C:\WINDOWS\system32\xndaqqgc.dll
2006-08-21 11:38 102420 --a------ C:\WINDOWS\system32\fupseoxv.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-20 09:25 102420 --a------ C:\WINDOWS\system32\mriwmpog.dll
2006-08-19 15:07 102420 --a------ C:\WINDOWS\system32\exmixjmp.dll
2006-08-18 11:04 102420 --a------ C:\WINDOWS\system32\qdxtfncn.dll
2006-08-17 21:25 102420 --a------ C:\WINDOWS\system32\ebbmchio.dll
2006-08-16 17:19 102420 --a------ C:\WINDOWS\system32\xuienuhr.dll
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-15 04:55 102420 --a------ C:\WINDOWS\system32\ivclupbh.dll
2006-08-13 18:49 102420 --a------ C:\WINDOWS\system32\onbmhycc.dll
2006-08-12 17:46 102420 --a------ C:\WINDOWS\system32\umxcolwl.dll
2006-08-12 10:43 102420 --a------ C:\WINDOWS\system32\tbscjrwk.dll
2006-08-11 10:42 102420 --a------ C:\WINDOWS\system32\hninquvl.dll
2006-08-10 09:40 102420 --a------ C:\WINDOWS\system32\bbisaofc.dll
2006-08-09 06:10 102420 --a------ C:\WINDOWS\system32\olotvxgr.dll
2006-08-03 13:11 102420 --a------ C:\WINDOWS\system32\tcgptgru.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AOLCC"="\"C:\\Program Files\\AOL Computer Check-Up\\ACCAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Lexmark 3100 Series"="\"C:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"WT GameChannel"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1130709234\\ee\\AOLHostManager.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"PCPitStopEraser"="C:\\Program Files\\PCPitstop\\Erase\\PCPitStopErase.exe /remindme"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,df,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDriveAutoRun"=hex:00,02,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cperg [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" Completion time: 06-10-23 16:03:59.60
C:\ComboFix.txt ... 06-10-23 16:03
C:\ComboFix2.txt ... 06-10-23 13:25
C:\ComboFix3.txt ... 06-10-22 21:31 Logfile of HijackThis v1.99.1
Scan saved at 4:01:56 PM, on 10/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Veoh\VeohClientService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLHostManager.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLServiceHost.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Hijackthis\show.exe.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5088C627-0116-4A4B-BAAA-D6D2F02DD609} - C:\WINDOWS\Fonts\cperg.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\yjyvsopw.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130709234\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCPitStopEraser] C:\Program Files\PCPitstop\Erase\PCPitStopErase.exe /remindme
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdc...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMe...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: cperg - C:\WINDOWS\Fonts\cperg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Program Files\Veoh\VeohClientService.exe cant get the avg save to save...but it didn't bring up any viruses
the cursor is winking at me...i think it likes me...
Report Offensive Follow Up For Removal
|
|
Response Number 11
|
Name: jabuck
Date: October 23, 2006 at 14:55:17 Pacific
|
Reply: Did you install this program: VirtualExpander You are still infected with Vundo but the computer is looking better. Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip 1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop
2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Files to delete:
C:\WINDOWS\Fonts\cperg.dll XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply Next, empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Boot into safe mode Run Hijack This and remove these items: O2 - BHO: (no name) - {5088C627-0116-4A4B-BAAA-D6D2F02DD609} - C:\WINDOWS\Fonts\cperg.dll O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdc... O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMe... O20 - Winlogon Notify: cperg - C:\WINDOWS\Fonts\cperg.dll
Exit Hijack This but remain in safe mode Run Killbox again from safe mode. Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\WINDOWS\system32\ndgdavqb.dll C:\WINDOWS\system32\pgrgunau.dll C:\WINDOWS\system32\rlrkqjkk.dll C:\WINDOWS\system32\ejcvrhoq.dll C:\WINDOWS\system32\rnbchrax.dll C:\WINDOWS\system32\fcadfdcj.dll C:\WINDOWS\system32\yimqecem.dll C:\WINDOWS\system32\oqdombry.dll C:\WINDOWS\system32\vqpsavwe.dll C:\WINDOWS\system32\gqothrot.dll C:\WINDOWS\system32\xndaqqgc.dll C:\WINDOWS\system32\fupseoxv.dll C:\WINDOWS\system32\mriwmpog.dll C:\WINDOWS\system32\exmixjmp.dll C:\WINDOWS\system32\qdxtfncn.dll C:\WINDOWS\system32\ebbmchio.dll C:\WINDOWS\system32\xuienuhr.dll C:\WINDOWS\system32\ivclupbh.dll C:\WINDOWS\system32\onbmhycc.dll
C:\WINDOWS\system32\umxcolwl.dll
C:\WINDOWS\system32\tbscjrwk.dll
C:\WINDOWS\system32\hninquvl.dll
C:\WINDOWS\system32\bbisaofc.dll
C:\WINDOWS\system32\olotvxgr.dll
C:\WINDOWS\system32\tcgptgru.dll Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!).
If your computer does not restart automatically, please restart it manually. Open notepad (Start Menu > Run > Type notepad and press "ok". Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4 [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cperg]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop. Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes. Post a new combofix log and a new Hijack This log please.
Report Offensive Follow Up For Removal
|
|
Response Number 12
|
Name: beandis
Date: October 23, 2006 at 19:20:16 Pacific
|
Reply: Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\olikjptt ******************* Script file located at: \??\C:\WINDOWS\system32\exdikgin.txt
Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\Fonts\cperg.dll deleted successfully. Completed script processing. ******************* Finished! Terminate. Logfile of HijackThis v1.99.1
Scan saved at 10:18:13 PM, on 10/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Veoh\VeohClientService.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLServiceHost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\Common Files\AOL\1130709234\ee\AOLServiceHost.exe
C:\Program Files\YPOPs\YPOPs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\show.exe.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\yjyvsopw.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130709234\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCPitStopEraser] C:\Program Files\PCPitstop\Erase\PCPitStopErase.exe /remindme
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Program Files\Veoh\VeohClientService.exe Compaq_Owner - 06-10-23 22:19:21.79 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop" ((((((((((((((((((((((((((((((( Files Created from 2006-09-23 to 2006-10-23 ))))))))))))))))))))))))))))))))))
No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-23 22:18 -------- d-------- C:\Program Files\Hijackthis
2006-10-23 22:15 -------- d-------- C:\Program Files\Veoh
2006-10-23 22:15 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-18 19:28 4614 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-10-17 19:45 -------- d-------- C:\Program Files\LimeWire
2006-10-17 19:45 -------- d-------- C:\Program Files\Incomplete
2006-10-08 16:56 -------- d-------- C:\Program Files\Bazooka Scanner
2006-10-06 20:48 -------- d-------- C:\Program Files\Virtools
2006-10-01 08:25 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-26 05:26 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SearchToolbarCorp
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 17:46 -------- d-------- C:\Program Files\Yahoo! Games
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AOLCC"="\"C:\\Program Files\\AOL Computer Check-Up\\ACCAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Lexmark 3100 Series"="\"C:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"WT GameChannel"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1130709234\\ee\\AOLHostManager.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"PCPitStopEraser"="C:\\Program Files\\PCPitstop\\Erase\\PCPitStopErase.exe /remindme"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,df,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDriveAutoRun"=hex:00,02,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" Completion time: 06-10-23 22:19:57.90
C:\ComboFix.txt ... 06-10-23 22:19
C:\ComboFix2.txt ... 06-10-23 16:03
C:\ComboFix3.txt ... 06-10-23 13:25
the cursor is winking at me...i think it likes me...
Report Offensive Follow Up For Removal
|
|
Response Number 13
|
Name: jabuck
Date: October 23, 2006 at 20:08:13 Pacific
|
Reply: Run Hijack This once more and remove this item: O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\yjyvsopw.dll (file missing) Then your Hijack tHis log is clean. As soon as possible download the latest version of http://java.sun.com/javase/downloads/index.jsp Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed . Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version. You should add "Spywareblaster" to your arsenol of antispyware tools, just do a google search for spywareblaster, download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
Report Offensive Follow Up For Removal
|
|
Response Number 14
|
Name: beandis
Date: October 24, 2006 at 05:44:26 Pacific
|
Reply: thank you SO much, i can't believe how great this machine is now running. do you realize that i had way more help from you, than the "help" i received from compaq/hp! i will definitely recommend your site to others having problems with their computers. for someone who really doesn't understand all the slashes, tildes, and jibberish of the computer world, you really got me through that virus/pop up mess without any meltdowns by me or the computer! thank you sooo much!
the cursor is winking at me...i think it likes me...
Report Offensive Follow Up For Removal
|
|
Response Number 15
|
Name: jabuck
Date: October 24, 2006 at 14:12:14 Pacific
|
Reply: Glad we could help.
| |
