Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
I am being told by my virus scans, and my virus warnings that I have a few trojans one is virtual, and another is some cronjob. My antivirus cannot delete or move these. Is there any wat to get rid of these without having to re format the hard drive?
Thanks
Billy
Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.
Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
0 
Logfile of HijackThis v1.99.1
Scan saved at 9:48:44 PM, on 4/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.exe
C:\Program Files\Microsoft Office\OFFICE11\MSTORDB.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {172DDD1B-2143-4289-8B9C-A729D861F266} - C:\WINDOWS\system32\awtst.dll
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\byxvuts.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\chfmkwnw.dll (file missing)
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpE1.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7A331278-8D57-4BC9-99DB-C551B3298C74} - C:\WINDOWS\system32\lwienlra.dll
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\vtuuvut.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\chbetqww.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\sriqtnlb.dll (file missing)
O2 - BHO: (no name) - {f99e793f-366c-4e71-9016-35dcbc71d66f} - C:\WINDOWS\system32\framSNT.dll
O2 - BHO: (no name) - {FDBE9012-63B8-4ACA-9886-4296964A9BD6} - C:\WINDOWS\system32\lwienlra.dll
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\sstutt.dll",realset
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.c...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/...
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/insta...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/g...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll
O20 - Winlogon Notify: byxvuts - C:\WINDOWS\SYSTEM32\byxvuts.dll
O20 - Winlogon Notify: cbxwtsr - C:\WINDOWS\SYSTEM32\cbxwtsr.dll
O20 - Winlogon Notify: framSNT - C:\WINDOWS\SYSTEM32\framSNT.dll
O20 - Winlogon Notify: gebxwtu - C:\WINDOWS\SYSTEM32\gebxwtu.dll
O20 - Winlogon Notify: gebywuv - gebywuv.dll (file missing)
O20 - Winlogon Notify: jkkiifc - jkkiifc.dll (file missing)
O20 - Winlogon Notify: nnnnnli - nnnnnli.dll (file missing)
O20 - Winlogon Notify: opnoppq - opnoppq.dll (file missing)
O20 - Winlogon Notify: qommkjk - qommkjk.dll (file missing)
O20 - Winlogon Notify: rqronnn - rqronnn.dll (file missing)
O20 - Winlogon Notify: ssqrqnl - ssqrqnl.dll (file missing)
O20 - Winlogon Notify: tuvsrrq - tuvsrrq.dll (file missing)
O20 - Winlogon Notify: urqomnn - C:\WINDOWS\SYSTEM32\urqomnn.dll
O20 - Winlogon Notify: urqpolk - urqpolk.dll (file missing)
O20 - Winlogon Notify: vtuuvut - vtuuvut.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuurpm - wvuurpm.dll (file missing)
O20 - Winlogon Notify: xxywtsp - C:\WINDOWS\SYSTEM32\xxywtsp.dll
O20 - Winlogon Notify: xxywvst - C:\WINDOWS\SYSTEM32\xxywvst.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
0
looks like you have run Vundofix before but delete the version you have and do the following:
Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.Post the log located at C:Vundofix.txt.
0
VundoFix V6.3.19Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.Java version is 1.5.0.10
Scan started at 2:47:38 AM 4/22/2007
Listing files found while scanning....
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\chbetqww.dll
C:\WINDOWS\system32\chfmkwnw.dll
C:\WINDOWS\system32\sriqtnlb.dll
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.tmp
C:\WINDOWS\system32\vtuuvut.dllBeginning removal...
Attempting to delete C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\awtst.dll Has been deleted!Attempting to delete C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak1 Has been deleted!Attempting to delete C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.bak2 Has been deleted!Attempting to delete C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini Has been deleted!Attempting to delete C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.ini2 Has been deleted!Attempting to delete C:\WINDOWS\system32\tstwa.tmp
C:\WINDOWS\system32\tstwa.tmp Has been deleted!Performing Repairs to the registry.
Done!
0
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)Please post the log it produces and a new Hijack this log please.
0
"Billy" - 07-04-24 0:47:23 Service Pack 2
ComboFix 07-04-24.2V - Running from: "C:\Documents and Settings\Billy\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\wwejyfom.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((( Files Created from 2007-03-24 to 2007-04-24 ))))))))))))))))))))))))))))))))))
2007-04-24 00:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-22 02:47 <DIR> d-------- C:\VundoFix Backups
2007-04-16 02:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-04-16 02:34 77,312 --a------ C:\WINDOWS\ua2.dll
2007-04-14 19:40 <DIR> d-------- C:\DOCUME~1\Billy\APPLIC~1\Bitdefender
2007-04-14 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-04-14 16:43 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-04-14 16:29 26,714 --a------ C:\WINDOWS\system32\xxywtsp.dll
2007-04-14 16:04 26,714 --a------ C:\WINDOWS\system32\xxywvst.dll
2007-04-14 04:32 26,714 --a------ C:\WINDOWS\system32\gebxwtu.dll
2007-04-14 01:12 26,714 --a------ C:\WINDOWS\system32\cbxwtsr.dll
2007-04-13 18:57 26,714 --a------ C:\WINDOWS\system32\byxvuts.dll
2007-04-13 18:52 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-13 18:20 26,714 --a------ C:\WINDOWS\system32\urqomnn.dll
2007-04-06 19:06 <DIR> d-------- C:\WINDOWS\system32\bak
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-15 19:32 3058 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-14 20:14 913408 --a------ C:\WINDOWS\system32\xreglib.dll
2007-04-14 17:00 -------- d-------- C:\Program Files\vbtucopy
2007-04-14 17:00 -------- d-------- C:\Program Files\spyhealer
2007-04-14 16:59 -------- d-------- C:\Program Files\quicktime
2007-04-14 16:59 -------- d-------- C:\Program Files\morpheus
2007-04-14 16:58 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-04-14 16:58 -------- d-------- C:\Program Files\microsoft intellipoint
2007-04-14 16:53 -------- d-------- C:\Program Files\lexmark x5100 series
2007-03-30 14:56 223 --a------ C:\WINDOWS\freedom.backup.dat
2007-03-08 00:21 23392 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-04 00:05 -------- d-------- C:\DOCUME~1\Billy\APPLIC~1\morpheus
2007-03-03 23:26 -------- d--h----- C:\Program Files\installshield installation information
2007-03-03 18:50 -------- d-------- C:\Program Files\messenger
2007-03-03 18:23 -------- d-------- C:\Program Files\faxtools
2007-03-03 18:23 -------- d-------- C:\Program Files\expressit s.e. 2.1
2007-02-06 22:56 325 --a------ C:\WINDOWS\initialize.bat
2007-02-04 00:37 2560 --a------ C:\WINDOWS\_msrstrt.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} C:\WINDOWS\system32\byxvuts.dll
{601ED020-FB6C-11D3-87D8-0050DA59922B} C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
{787DD02E-FCB4-4C39-AA6B-63AEA9A6FC9E} C:\WINDOWS\system32\awtst.dll [x]
{7A331278-8D57-4BC9-99DB-C551B3298C74} C:\WINDOWS\system32\lwienlra.dll [x]
{FDBE9012-63B8-4ACA-9886-4296964A9BD6} C:\WINDOWS\system32\lwienlra.dll [x][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VBTUCopy"="C:\\Program Files\\VBTUCopy\\VBTUCopy.exe /a /f"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"SoundMan"="SOUNDMAN.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C47A9554-195A-4769-9B13-04F15B450A39}"=""
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=""HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvuts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwtsr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwtu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywuv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkiifc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnnli
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoppq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommkjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronnn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrqnl
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsrrq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqomnn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpolk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvut
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurpm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywtsp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywvst[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dvd43_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zango"
"hkey"="HKLM"
"command"="\"c:\\program files\\zango\\zango.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
********************************************************************catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-24 00:53:07
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************Completion time: 07-04-24 0:53:16
C:\ComboFix-quarantined-files.txt ... 07-04-24 00:53
0
Logfile of HijackThis v1.99.1
Scan saved at 4:02:55 AM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Hijackthis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wlurfmoe.dll
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\byxvuts.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {787DD02E-FCB4-4C39-AA6B-63AEA9A6FC9E} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {7A331278-8D57-4BC9-99DB-C551B3298C74} - C:\WINDOWS\system32\lwienlra.dll (file missing)
O2 - BHO: (no name) - {EC8356C4-10DE-4F6C-B40B-7A7740DAF1A1} - C:\WINDOWS\system32\gebyv.dll
O2 - BHO: (no name) - {FDBE9012-63B8-4ACA-9886-4296964A9BD6} - C:\WINDOWS\system32\tsqdkkia.dll
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\RunOnce: [AntiRK] "C:\Program Files\Softwin\BitDefender10\TaskSys.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.c...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/...
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/insta...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: byxvuts - C:\WINDOWS\SYSTEM32\byxvuts.dll
O20 - Winlogon Notify: cbxwtsr - C:\WINDOWS\SYSTEM32\cbxwtsr.dll
O20 - Winlogon Notify: gebxwtu - C:\WINDOWS\SYSTEM32\gebxwtu.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll
O20 - Winlogon Notify: gebywuv - gebywuv.dll (file missing)
O20 - Winlogon Notify: jkkiifc - jkkiifc.dll (file missing)
O20 - Winlogon Notify: nnnnnli - nnnnnli.dll (file missing)
O20 - Winlogon Notify: opnoppq - opnoppq.dll (file missing)
O20 - Winlogon Notify: qommkjk - qommkjk.dll (file missing)
O20 - Winlogon Notify: rqronnn - rqronnn.dll (file missing)
O20 - Winlogon Notify: ssqrqnl - ssqrqnl.dll (file missing)
O20 - Winlogon Notify: tuvsrrq - tuvsrrq.dll (file missing)
O20 - Winlogon Notify: urqomnn - C:\WINDOWS\SYSTEM32\urqomnn.dll
O20 - Winlogon Notify: urqpolk - urqpolk.dll (file missing)
O20 - Winlogon Notify: vtuuvut - vtuuvut.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuurpm - wvuurpm.dll (file missing)
O20 - Winlogon Notify: xxywtsp - C:\WINDOWS\SYSTEM32\xxywtsp.dll
O20 - Winlogon Notify: xxywvst - C:\WINDOWS\SYSTEM32\xxywvst.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
0
Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip
1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop
2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFiles to delete:
C:\WINDOWS\ua2.dll
C:\WINDOWS\system32\bdod.bin
C:\WINDOWS\system32\xxywtsp.dll C:\WINDOWS\system32\xxywvst.dll C:\WINDOWS\system32\gebxwtu.dll C:\WINDOWS\system32\cbxwtsr.dll C:\WINDOWS\system32\byxvuts.dll
C:\WINDOWS\system32\urqomnn.dll
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\byxvuts.dll
C:\WINDOWS\system32\lwienlra.dll
C:\WINDOWS\system32\wlurfmoe.dll
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\tsqdkkia.dll
C:\WINDOWS\system32\lsasss.exeXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe modeDownload and install AVG Anti-Spyware We will need this later in safe mode
Be sure to update AVG Anti- Spyware
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wlurfmoe.dll
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\byxvuts.dll
O2 - BHO: (no name) - {787DD02E-FCB4-4C39-AA6B-63AEA9A6FC9E} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {7A331278-8D57-4BC9-99DB-C551B3298C74} - C:\WINDOWS\system32\lwienlra.dll (file missing)
O2 - BHO: (no name) - {EC8356C4-10DE-4F6C-B40B-7A7740DAF1A1} - C:\WINDOWS\system32\gebyv.dll
O2 - BHO: (no name) - {FDBE9012-63B8-4ACA-9886-4296964A9BD6} - C:\WINDOWS\system32\tsqdkkia.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O20 - Winlogon Notify: byxvuts - C:\WINDOWS\SYSTEM32\byxvuts.dll
O20 - Winlogon Notify: cbxwtsr - C:\WINDOWS\SYSTEM32\cbxwtsr.dll
O20 - Winlogon Notify: gebxwtu - C:\WINDOWS\SYSTEM32\gebxwtu.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll
O20 - Winlogon Notify: gebywuv - gebywuv.dll (file missing)
O20 - Winlogon Notify: jkkiifc - jkkiifc.dll (file missing)
O20 - Winlogon Notify: nnnnnli - nnnnnli.dll (file missing)
O20 - Winlogon Notify: opnoppq - opnoppq.dll (file missing)
O20 - Winlogon Notify: qommkjk - qommkjk.dll (file missing)
O20 - Winlogon Notify: rqronnn - rqronnn.dll (file missing)
O20 - Winlogon Notify: ssqrqnl - ssqrqnl.dll (file missing)
O20 - Winlogon Notify: tuvsrrq - tuvsrrq.dll (file missing)
O20 - Winlogon Notify: urqomnn - C:\WINDOWS\SYSTEM32\urqomnn.dll
O20 - Winlogon Notify: urqpolk - urqpolk.dll (file missing)
O20 - Winlogon Notify: vtuuvut - vtuuvut.dll (file missing)
O20 - Winlogon Notify: wvuurpm - wvuurpm.dll (file missing)
O20 - Winlogon Notify: xxywtsp - C:\WINDOWS\SYSTEM32\xxywtsp.dll
O20 - Winlogon Notify: xxywvst - C:\WINDOWS\SYSTEM32\xxywvst.dll
Exit Hijack This but remain in safe mode.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Post thr AVG report, a new combofix log and a new Hijack This log please.
0
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mjqarkun*******************
Script file located at: \??\C:\Program Files\ugbhpmao.txt
Script file opened successfully.Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\ua2.dll deleted successfully.
File C:\WINDOWS\system32\bdod.bin deleted successfully.
Could not open file C:\WINDOWS\system32\xxywtsp.dll C:\WINDOWS\system32\xxywvst.dll C:\WINDOWS\system32\gebxwtu.dll C:\WINDOWS\system32\cbxwtsr.dll C:\WINDOWS\system32\byxvuts.dll for deletion
Deletion of file C:\WINDOWS\system32\xxywtsp.dll C:\WINDOWS\system32\xxywvst.dll C:\WINDOWS\system32\gebxwtu.dll C:\WINDOWS\system32\cbxwtsr.dll C:\WINDOWS\system32\byxvuts.dll failed!Could not process line:
C:\WINDOWS\system32\xxywtsp.dll C:\WINDOWS\system32\xxywvst.dll C:\WINDOWS\system32\gebxwtu.dll C:\WINDOWS\system32\cbxwtsr.dll C:\WINDOWS\system32\byxvuts.dll
Status: 0xc0000033File C:\WINDOWS\system32\urqomnn.dll deleted successfully.
File C:\WINDOWS\system32\awtst.dll not found!
Deletion of file C:\WINDOWS\system32\awtst.dll failed!Could not process line:
C:\WINDOWS\system32\awtst.dll
Status: 0xc0000034File C:\WINDOWS\system32\byxvuts.dll deleted successfully.
File C:\WINDOWS\system32\lwienlra.dll not found!
Deletion of file C:\WINDOWS\system32\lwienlra.dll failed!Could not process line:
C:\WINDOWS\system32\lwienlra.dll
Status: 0xc0000034File C:\WINDOWS\system32\wlurfmoe.dll deleted successfully.
File C:\WINDOWS\system32\gebyv.dll deleted successfully.
File C:\WINDOWS\system32\tsqdkkia.dll deleted successfully.
File C:\WINDOWS\system32\lsasss.exe not found!
Deletion of file C:\WINDOWS\system32\lsasss.exe failed!Could not process line:
C:\WINDOWS\system32\lsasss.exe
Status: 0xc0000034
Completed script processing.*******************
Finished! Terminate.
0
"Billy" - 07-04-25 20:18:07 Service Pack 2 [SAFE MODE]
ComboFix 07-04-24.2V - Running from: "C:\Documents and Settings\Billy\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\jvvnwilm.dll
C:\WINDOWS\system32\sgvxgswc.dll
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\ddayw.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *((((((((((((((((((((((((((((((( Files Created from 2007-03-25 to 2007-04-25 ))))))))))))))))))))))))))))))))))
2007-04-25 01:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-25 01:50 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-04-25 01:48 <DIR> d-------- C:\avenger
2007-04-24 21:11 1,380,326 ---hs---- C:\WINDOWS\system32\vybeg.ini2
2007-04-24 01:55 1,378,319 ---hs---- C:\WINDOWS\system32\vybeg.bak1
2007-04-24 00:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-22 02:47 <DIR> d-------- C:\VundoFix Backups
2007-04-16 02:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-04-14 19:40 <DIR> d-------- C:\DOCUME~1\Billy\APPLIC~1\Bitdefender
2007-04-14 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-04-14 16:29 26,714 --a------ C:\WINDOWS\system32\xxywtsp.dll
2007-04-14 16:04 26,714 --a------ C:\WINDOWS\system32\xxywvst.dll
2007-04-14 04:32 26,714 --a------ C:\WINDOWS\system32\gebxwtu.dll
2007-04-14 01:12 26,714 --a------ C:\WINDOWS\system32\cbxwtsr.dll
2007-04-13 18:52 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-06 19:06 <DIR> d-------- C:\WINDOWS\system32\bak
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-24 05:46 -------- d-------- C:\Program Files\morpheus
2007-04-15 19:32 3058 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-14 20:14 913408 --a------ C:\WINDOWS\system32\xreglib.dll
2007-04-14 17:00 -------- d-------- C:\Program Files\vbtucopy
2007-04-14 17:00 -------- d-------- C:\Program Files\spyhealer
2007-04-14 16:59 -------- d-------- C:\Program Files\quicktime
2007-04-14 16:58 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-04-14 16:58 -------- d-------- C:\Program Files\microsoft intellipoint
2007-04-14 16:53 -------- d-------- C:\Program Files\lexmark x5100 series
2007-03-30 14:56 223 --a------ C:\WINDOWS\freedom.backup.dat
2007-03-08 00:21 23392 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-04 00:05 -------- d-------- C:\DOCUME~1\Billy\APPLIC~1\morpheus
2007-03-03 23:26 -------- d--h----- C:\Program Files\installshield installation information
2007-03-03 18:50 -------- d-------- C:\Program Files\messenger
2007-03-03 18:23 -------- d-------- C:\Program Files\faxtools
2007-03-03 18:23 -------- d-------- C:\Program Files\expressit s.e. 2.1
2007-02-06 22:56 325 --a------ C:\WINDOWS\initialize.bat
2007-02-04 00:37 2560 --a------ C:\WINDOWS\_msrstrt.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\wlurfmoe.dll [x]
{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} C:\WINDOWS\system32\cbxwtsr.dll
{43B489D4-132A-466E-BF21-695ACE11DFB9} C:\WINDOWS\system32\gebyv.dll [x]
{601ED020-FB6C-11D3-87D8-0050DA59922B} C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
{787DD02E-FCB4-4C39-AA6B-63AEA9A6FC9E} C:\WINDOWS\system32\awtst.dll [x]
{7A331278-8D57-4BC9-99DB-C551B3298C74} C:\WINDOWS\system32\lwienlra.dll [x]
{FDBE9012-63B8-4ACA-9886-4296964A9BD6} C:\WINDOWS\system32\tsqdkkia.dll [x][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VBTUCopy"="C:\\Program Files\\VBTUCopy\\VBTUCopy.exe /a /f"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"SoundMan"="SOUNDMAN.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C47A9554-195A-4769-9B13-04F15B450A39}"=""
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvuts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwtsr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwtu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywuv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkiifc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnnli
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoppq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommkjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronnn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrqnl
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsrrq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqomnn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpolk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvut
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurpm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywtsp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywvst[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dvd43_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zango"
"hkey"="HKLM"
"command"="\"c:\\program files\\zango\\zango.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
********************************************************************catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-25 20:29:06
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************Completion time: 07-04-25 20:30:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-25 20:30
C:\ComboFix2.txt ... 07-04-24 00:53
0
AVG Anti-Spyware - Scan Report
+ Created at: 8:13:31 PM 4/25/2007+ Scan result:
HKU\S-1-5-21-1390067357-1993962763-682003330-1003_Classes\Interface\{8148A489-F54E-4D74-B6F3-81901D0AA54A}\TypeLib\\Version -> Adware.ActivityMonitor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\actskn45.ocx -> Downloader.IstBar : Cleaned with backup (quarantined).
:mozilla.127:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.262:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.66:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.67:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.68:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.69:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.70:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.71:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@bidzcom.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@blockbuster.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@buzznet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@tcompany.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@7search[1].txt -> TrackingCookie.7search : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@dssatlascreditgroup.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@getmusicfree.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@grouplotto.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@pan.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@prizeamerica.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@psu.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.177:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.23:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.24:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.25:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.80:C:\RECYCLER\NPROTECT\00052604.MOZ -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.81:C:\RECYCLER\NPROTECT\00052607.MOZ -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.82:C:\RECYCLER\NPROTECT\00052609.MOZ -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.83:C:\RECYCLER\NPROTECT\00052661.MOZ -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.83:C:\RECYCLER\NPROTECT\00052665.MOZ -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.86:C:\RECYCLER\NPROTECT\00052668.MOZ -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.98:C:\RECYCLER\NPROTECT\00052701.MOZ -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.98:C:\RECYCLER\NPROTECT\00052704.MOZ -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.98:C:\RECYCLER\NPROTECT\00052716.MOZ -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.160:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.161:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.162:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.167:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.169:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.170:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.171:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@track.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.90:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.91:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.92:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.93:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.94:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@advertising[4].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00052701.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00052704.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00052716.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.89:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.173:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.287:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.6:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.7:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.8:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.9:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@casalemedia[3].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.60:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.277:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@cpvfeed[3].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.73:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.155:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.116:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.117:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.118:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@fastclick[3].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@findwhat[2].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.35:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.193:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.194:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.297:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.50:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.51:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@ehg-legacy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@ehg-minglematch.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@ehg-playboy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@ehg-veohnetworksinc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@infinite-ads[1].txt -> TrackingCookie.Infinite-ads : Cleaned.
:mozilla.274:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.36:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.95:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.107:C:\RECYCLER\NPROTECT\00052701.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.107:C:\RECYCLER\NPROTECT\00052704.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.107:C:\RECYCLER\NPROTECT\00052716.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.122:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.123:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.89:C:\RECYCLER\NPROTECT\00052604.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.90:C:\RECYCLER\NPROTECT\00052607.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.91:C:\RECYCLER\NPROTECT\00052609.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.92:C:\RECYCLER\NPROTECT\00052661.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.92:C:\RECYCLER\NPROTECT\00052665.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.95:C:\RECYCLER\NPROTECT\00052668.MOZ -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.126:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.128:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.87:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.88:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.
:mozilla.103:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.104:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.105:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.106:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.107:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@counter1.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.146:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.147:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.148:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.149:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.150:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.187:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.188:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.189:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.119:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.120:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.136:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.140:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.141:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@anad.tacoda[3].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.217:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.218:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.219:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.220:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.221:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.222:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.223:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.142:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.10:C:\RECYCLER\NPROTECT\00052609.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00052661.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00052668.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.23:C:\RECYCLER\NPROTECT\00052701.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.23:C:\RECYCLER\NPROTECT\00052704.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.32:C:\RECYCLER\NPROTECT\00052716.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.85:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.8:C:\RECYCLER\NPROTECT\00052665.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.9:C:\RECYCLER\NPROTECT\00052607.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@free.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned.
:mozilla.113:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.114:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.156:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.157:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.158:C:\Documents and Settings\Billy\Application Data\Mozilla\Firefox\Profiles\bhwom0eb.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.26:C:\RECYCLER\NPROTECT\00052604.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00052604.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00052607.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00052604.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00052607.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00052609.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00052607.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00052609.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00052661.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00052665.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00052609.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00052661.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00052665.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00052661.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00052665.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.32:C:\RECYCLER\NPROTECT\00052668.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.33:C:\RECYCLER\NPROTECT\00052668.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.34:C:\RECYCLER\NPROTECT\00052668.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.44:C:\RECYCLER\NPROTECT\00052701.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.44:C:\RECYCLER\NPROTECT\00052704.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.45:C:\RECYCLER\NPROTECT\00052701.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.45:C:\RECYCLER\NPROTECT\00052704.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.46:C:\RECYCLER\NPROTECT\00052701.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.46:C:\RECYCLER\NPROTECT\00052704.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.53:C:\RECYCLER\NPROTECT\00052716.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.54:C:\RECYCLER\NPROTECT\00052716.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.55:C:\RECYCLER\NPROTECT\00052716.MOZ -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Billy\Cookies\billy@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
::Report end
0
Logfile of HijackThis v1.99.1
Scan saved at 8:42:52 PM, on 4/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Hijackthis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wlurfmoe.dll (file missing)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\cbxwtsr.dll
O2 - BHO: (no name) - {43B489D4-132A-466E-BF21-695ACE11DFB9} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {787DD02E-FCB4-4C39-AA6B-63AEA9A6FC9E} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {7A331278-8D57-4BC9-99DB-C551B3298C74} - C:\WINDOWS\system32\lwienlra.dll (file missing)
O2 - BHO: (no name) - {E456328E-0562-4B08-873B-6B161BDF300F} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {FDBE9012-63B8-4ACA-9886-4296964A9BD6} - C:\WINDOWS\system32\tsqdkkia.dll (file missing)
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\xuaardtf.dll",realset
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.c...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/...
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/insta...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: byxvuts - byxvuts.dll (file missing)
O20 - Winlogon Notify: cbxwtsr - C:\WINDOWS\SYSTEM32\cbxwtsr.dll
O20 - Winlogon Notify: gebxwtu - C:\WINDOWS\SYSTEM32\gebxwtu.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll (file missing)
O20 - Winlogon Notify: gebywuv - gebywuv.dll (file missing)
O20 - Winlogon Notify: jkkiifc - jkkiifc.dll (file missing)
O20 - Winlogon Notify: nnnnnli - nnnnnli.dll (file missing)
O20 - Winlogon Notify: opnoppq - opnoppq.dll (file missing)
O20 - Winlogon Notify: qommkjk - qommkjk.dll (file missing)
O20 - Winlogon Notify: rqronnn - rqronnn.dll (file missing)
O20 - Winlogon Notify: ssqrqnl - ssqrqnl.dll (file missing)
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: tuvsrrq - tuvsrrq.dll (file missing)
O20 - Winlogon Notify: urqomnn - urqomnn.dll (file missing)
O20 - Winlogon Notify: urqpolk - urqpolk.dll (file missing)
O20 - Winlogon Notify: vtuuvut - vtuuvut.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuurpm - wvuurpm.dll (file missing)
O20 - Winlogon Notify: xxywtsp - C:\WINDOWS\SYSTEM32\xxywtsp.dll
O20 - Winlogon Notify: xxywvst - C:\WINDOWS\SYSTEM32\xxywvst.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
0
Run Hijack this, close all browsers and windows except Hijack this, place a check to the left of the following items and press "fix checked":
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wlurfmoe.dll (file missing)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\cbxwtsr.dll
O2 - BHO: (no name) - {43B489D4-132A-466E-BF21-695ACE11DFB9} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {787DD02E-FCB4-4C39-AA6B-63AEA9A6FC9E} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {7A331278-8D57-4BC9-99DB-C551B3298C74} - C:\WINDOWS\system32\lwienlra.dll (file missing)
O2 - BHO: (no name) - {E456328E-0562-4B08-873B-6B161BDF300F} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {FDBE9012-63B8-4ACA-9886-4296964A9BD6} - C:\WINDOWS\system32\tsqdkkia.dll (file missing)
O20 - Winlogon Notify: byxvuts - byxvuts.dll (file missing)
O20 - Winlogon Notify: cbxwtsr - C:\WINDOWS\SYSTEM32\cbxwtsr.dll
O20 - Winlogon Notify: gebxwtu - C:\WINDOWS\SYSTEM32\gebxwtu.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll (file missing)
O20 - Winlogon Notify: gebywuv - gebywuv.dll (file missing)
O20 - Winlogon Notify: jkkiifc - jkkiifc.dll (file missing)
O20 - Winlogon Notify: nnnnnli - nnnnnli.dll (file missing)
O20 - Winlogon Notify: opnoppq - opnoppq.dll (file missing)
O20 - Winlogon Notify: qommkjk - qommkjk.dll (file missing)
O20 - Winlogon Notify: rqronnn - rqronnn.dll (file missing)
O20 - Winlogon Notify: ssqrqnl - ssqrqnl.dll (file missing)
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: tuvsrrq - tuvsrrq.dll (file missing)
O20 - Winlogon Notify: urqomnn - urqomnn.dll (file missing)
O20 - Winlogon Notify: urqpolk - urqpolk.dll (file missing)
O20 - Winlogon Notify: vtuuvut - vtuuvut.dll (file missing)
O20 - Winlogon Notify: wvuurpm - wvuurpm.dll (file missing)
O20 - Winlogon Notify: xxywtsp - C:\WINDOWS\SYSTEM32\xxywtsp.dll
O20 - Winlogon Notify: xxywvst - C:\WINDOWS\SYSTEM32\xxywvst.dll
After removing the above items with Hijack This post a new Hijack This log and a new combofix log please.
0
my laptop got a trojan virus called trojan horse generic2.downloader. i wish to know if there is any removal tool or solution to remove that virus. the virus keep appear wherever i insert usb disk / pen drive into my laptop. n AVG antivirus is not able to remove it either..thank for any help or advice there
0
None of the above names show up in my hijack scan. I have copied the hijack log again.
Logfile of HijackThis v1.99.1
Scan saved at 1:34:18 AM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\xuaardtf.dll",realset
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.c...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/...
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/insta...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
0
"Billy" - 07-04-29 1:35:58 Service Pack 2
ComboFix 07-04-24.2V - Running from: "C:\Documents and Settings\Billy\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\aejqarnw.dll
C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.bak2
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\rrqss.tmp
C:\WINDOWS\system32\ssqrr.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))
2007-04-29 01:13 131,604 --a------ C:\WINDOWS\system32\uypbxbxn.dll
2007-04-25 20:36 132,660 --a------ C:\WINDOWS\system32\xuaardtf.dll
2007-04-25 01:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-25 01:50 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-04-25 01:48 <DIR> d-------- C:\avenger
2007-04-24 21:11 1,380,326 ---hs---- C:\WINDOWS\system32\vybeg.ini2
2007-04-24 01:55 1,378,319 ---hs---- C:\WINDOWS\system32\vybeg.bak1
2007-04-24 00:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-22 02:47 <DIR> d-------- C:\VundoFix Backups
2007-04-16 02:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-04-14 19:40 <DIR> d-------- C:\DOCUME~1\Billy\APPLIC~1\Bitdefender
2007-04-14 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-04-14 16:29 26,714 --a------ C:\WINDOWS\system32\xxywtsp.dll
2007-04-14 16:04 26,714 --a------ C:\WINDOWS\system32\xxywvst.dll
2007-04-14 04:32 26,714 --a------ C:\WINDOWS\system32\gebxwtu.dll
2007-04-14 01:12 26,714 --a------ C:\WINDOWS\system32\cbxwtsr.dll
2007-04-13 18:52 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-06 19:06 <DIR> d-------- C:\WINDOWS\system32\bak
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-24 05:46 -------- d-------- C:\Program Files\morpheus
2007-04-15 19:32 3058 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-14 20:14 913408 --a------ C:\WINDOWS\system32\xreglib.dll
2007-04-14 17:00 -------- d-------- C:\Program Files\vbtucopy
2007-04-14 17:00 -------- d-------- C:\Program Files\spyhealer
2007-04-14 16:59 -------- d-------- C:\Program Files\quicktime
2007-04-14 16:58 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-04-14 16:58 -------- d-------- C:\Program Files\microsoft intellipoint
2007-04-14 16:53 -------- d-------- C:\Program Files\lexmark x5100 series
2007-03-30 14:56 223 --a------ C:\WINDOWS\freedom.backup.dat
2007-03-08 00:21 23392 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-04 00:05 -------- d-------- C:\DOCUME~1\Billy\APPLIC~1\morpheus
2007-03-03 23:26 -------- d--h----- C:\Program Files\installshield installation information
2007-03-03 18:50 -------- d-------- C:\Program Files\messenger
2007-03-03 18:23 -------- d-------- C:\Program Files\faxtools
2007-03-03 18:23 -------- d-------- C:\Program Files\expressit s.e. 2.1
2007-02-06 22:56 325 --a------ C:\WINDOWS\initialize.bat
2007-02-04 00:37 2560 --a------ C:\WINDOWS\_msrstrt.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} C:\WINDOWS\system32\cbxwtsr.dll
{43B489D4-132A-466E-BF21-695ACE11DFB9} C:\WINDOWS\system32\gebyv.dll [x]
{601ED020-FB6C-11D3-87D8-0050DA59922B} C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
{787DD02E-FCB4-4C39-AA6B-63AEA9A6FC9E} C:\WINDOWS\system32\awtst.dll [x]
{7A331278-8D57-4BC9-99DB-C551B3298C74} C:\WINDOWS\system32\lwienlra.dll [x]
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\aejqarnw.dll [x]
{FDBE9012-63B8-4ACA-9886-4296964A9BD6} C:\WINDOWS\system32\uypbxbxn.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VBTUCopy"="C:\\Program Files\\VBTUCopy\\VBTUCopy.exe /a /f"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"SoundMan"="SOUNDMAN.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\xuaardtf.dll\",realset"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C47A9554-195A-4769-9B13-04F15B450A39}"=""
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvuts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwtsr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwtu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywuv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkiifc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnnli
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoppq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommkjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronnn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrqnl
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsrrq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqomnn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpolk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvut
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurpm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywtsp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywvst[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dvd43_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zango"
"hkey"="HKLM"
"command"="\"c:\\program files\\zango\\zango.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
********************************************************************catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-29 01:49:50
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************Completion time: 07-04-29 1:51:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-29 01:51
C:\ComboFix2.txt ... 07-04-25 20:30
C:\ComboFix3.txt ... 07-04-24 00:53
0
Go to start> control panel> add/remove programs and uninstall these programs:
BearShare
Zango (or anything with Zango in it)
Run Hijack this and remove this item:
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\xuaardtf.dll",realset
Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip
1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop
2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFiles to delete:
C:\WINDOWS\system32\uypbxbxn.dll
C:\WINDOWS\system32\xuaardtf.dll
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\xxywtsp.dll
C:\WINDOWS\system32\xxywvst.dll
C:\WINDOWS\system32\gebxwtu.dll
C:\WINDOWS\system32\cbxwtsr.dll
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.Open notepad (Start Menu > Run > Type notepad and press "ok".
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvuts]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwtsr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwtu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyv]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywuv]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkiifc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnnli]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoppq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommkjk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronnn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrqnl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsrrq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqomnn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpolk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvut]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurpm]
[-HKEY_CAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywtsp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywvst]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXGo to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Post a new Hijack This log and a new combofix log please.
0
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qxcvdaql*******************
Script file located at: \??\C:\cxldtdgk.txt
Script file opened successfully.Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\uypbxbxn.dll deleted successfully.
File C:\WINDOWS\system32\xuaardtf.dll deleted successfully.
File C:\WINDOWS\system32\vybeg.ini2 deleted successfully.
File C:\WINDOWS\system32\vybeg.bak1 deleted successfully.
File C:\WINDOWS\system32\xxywtsp.dll deleted successfully.
File C:\WINDOWS\system32\xxywvst.dll deleted successfully.
File C:\WINDOWS\system32\gebxwtu.dll deleted successfully.
File C:\WINDOWS\system32\cbxwtsr.dll deleted successfully.Completed script processing.
*******************
Finished! Terminate.
0
Logfile of HijackThis v1.99.1
Scan saved at 8:37:08 PM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\leoarjga.dll",realset
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/as...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.c...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/...
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/insta...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
0
"Billy" - 07-04-30 20:39:18 Service Pack 2
ComboFix 07-04-24.2V - Running from: "C:\Documents and Settings\Billy\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Billy\Desktop\internet.lnk
((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-30 ))))))))))))))))))))))))))))))))))
2007-04-30 20:31 <DIR> d-------- C:\avenger
2007-04-30 20:26 132,660 --a------ C:\WINDOWS\system32\leoarjga.dll
2007-04-30 20:21 284,244 ---hs---- C:\WINDOWS\system32\geebc.dll
2007-04-30 20:21 1,368,440 ---hs---- C:\WINDOWS\system32\cbeeg.bak1
2007-04-25 01:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-25 01:50 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-04-24 00:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-22 02:47 <DIR> d-------- C:\VundoFix Backups
2007-04-16 02:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-04-14 19:40 <DIR> d-------- C:\DOCUME~1\Billy\APPLIC~1\Bitdefender
2007-04-14 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-04-13 18:52 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-06 19:06 <DIR> d-------- C:\WINDOWS\system32\bak
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-30 20:25 -------- d-------- C:\Program Files\morpheus
2007-04-15 19:32 3058 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-14 20:14 913408 --a------ C:\WINDOWS\system32\xreglib.dll
2007-04-14 17:00 -------- d-------- C:\Program Files\vbtucopy
2007-04-14 17:00 -------- d-------- C:\Program Files\spyhealer
2007-04-14 16:59 -------- d-------- C:\Program Files\quicktime
2007-04-14 16:58 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-04-14 16:58 -------- d-------- C:\Program Files\microsoft intellipoint
2007-04-14 16:53 -------- d-------- C:\Program Files\lexmark x5100 series
2007-03-30 14:56 223 --a------ C:\WINDOWS\freedom.backup.dat
2007-03-08 00:21 23392 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-03 23:26 -------- d--h----- C:\Program Files\installshield installation information
2007-03-03 18:50 -------- d-------- C:\Program Files\messenger
2007-03-03 18:23 -------- d-------- C:\Program Files\faxtools
2007-03-03 18:23 -------- d-------- C:\Program Files\expressit s.e. 2.1
2007-02-06 22:56 325 --a------ C:\WINDOWS\initialize.bat
2007-02-04 00:37 2560 --a------ C:\WINDOWS\_msrstrt.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} C:\WINDOWS\system32\cbxwtsr.dll [x]
{43B489D4-132A-466E-BF21-695ACE11DFB9} C:\WINDOWS\system32\gebyv.dll [x]
{4487AB6A-1C9A-4FEB-8D02-C618995F9F9D} C:\WINDOWS\system32\geebc.dll
{601ED020-FB6C-11D3-87D8-0050DA59922B} C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
{787DD02E-FCB4-4C39-AA6B-63AEA9A6FC9E} C:\WINDOWS\system32\awtst.dll [x]
{7A331278-8D57-4BC9-99DB-C551B3298C74} C:\WINDOWS\system32\lwienlra.dll [x]
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\aejqarnw.dll [x]
{FDBE9012-63B8-4ACA-9886-4296964A9BD6} C:\WINDOWS\system32\uypbxbxn.dll [x][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VBTUCopy"="C:\\Program Files\\VBTUCopy\\VBTUCopy.exe /a /f"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"SoundMan"="SOUNDMAN.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\leoarjga.dll\",realset"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C47A9554-195A-4769-9B13-04F15B450A39}"=""
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywtsp[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dvd43_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zango"
"hkey"="HKLM"
"command"="\"c:\\program files\\zango\\zango.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
********************************************************************catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-30 20:44:30
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************Completion time: 07-04-30 20:44:37
C:\ComboFix-quarantined-files.txt ... 07-04-30 20:44
C:\ComboFix2.txt ... 07-04-29 01:51
C:\ComboFix3.txt ... 07-04-25 20:30
0
Go to add/remove proframs and uninstall this program if found:
Spyheal or Spyhealer.
Run Avenger again and delete these files (must be single spaced in Avenger):
C:\WINDOWS\system32\leoarjga.dll
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\bdod.bin
Run Hijack this and remove these items:
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\leoarjga.dll",realset
Open notepad (Start Menu > Run > Type notepad and press "ok".
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"InfoData"=-[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywtsp]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Please download Dr Web CureIt to your desktop from this link ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives.
A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log on your desktop and a new Hijack this log please.
0
I get the following error code in avenger when I do the manual script and click on the green go.
error:selected file doesn't seem to be a valid script.
I copied and single spaced like you.Please advise.
Thanks
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
