Re: [Vundo] cannot get rid of virtumonde/vundo trojan

Author	All Replies
azraders join:2009-06-11	reply to TheJoker Re: [Vundo] cannot get rid of virtumonde/vundo trojan There are some suggestions for cleanup at the top of the thread. I thought they were for those people and not for me. I'm really confused. Can I do those suggestions then to clean up those files I am no longer using?
	to forum · permalink · · 2009-06-14 00:33:48 ·
azraders join:2009-06-11	I have done as directed per your post. I have included post scans as well as the pre-scan you requested with MBAM. Let me know what I need to do next. COMBOFIX: ComboFix 09-06-13.05 - Drader 06/13/2009 20:26.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.201 [GMT -7:00] Running from: c:\documents and settings\Drader\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\bszip.dll c:\windows\system32\drivers\fad.sys . ((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 ))))))))))))))))))))))))))))))) . 2009-06-11 23:25 . 2009-06-11 23:34 -------- d-----w- c:\program files\SpywareBlaster 2009-06-11 23:25 . 2005-08-26 02:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL 2009-06-11 19:59 . 2009-06-11 19:59 -------- d-----w- C:\VundoFix Backups 2009-06-11 19:16 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-11 19:16 . 2009-06-11 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-11 19:16 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-11 04:23 . 2009-06-02 20:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll 2009-06-11 01:12 . 2009-06-13 19:39 -------- d--h--w- C:\$AVG8.VAULT$ 2009-06-11 00:28 . 2009-06-11 00:28 -------- d-----w- c:\documents and settings\Drader\Local Settings\Application Data\AVG Security Toolbar 2009-06-11 00:20 . 2009-06-11 00:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-06-11 00:20 . 2009-06-11 00:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-06-11 00:20 . 2009-06-11 00:20 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-11 00:20 . 2009-06-11 00:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-06-11 00:19 . 2009-06-14 00:31 -------- d-----w- c:\windows\system32\drivers\Avg 2009-06-11 00:19 . 2009-06-11 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2009-06-11 00:19 . 2009-06-11 00:19 -------- d-----w- c:\program files\AVG 2009-06-11 00:19 . 2009-06-11 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-11 00:03 . 2009-06-11 00:03 -------- d-----w- c:\documents and settings\Drader\Application Data\AVG8 2009-06-10 15:17 . 2009-06-10 15:17 310640 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-06-10 15:02 . 2009-06-10 15:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-06-10 00:58 . 2009-06-10 00:58 -------- d-----w- c:\program files\Windows Defender 2009-06-09 17:08 . 2009-06-09 17:08 -------- d-----w- c:\documents and settings\Drader\Application Data\Malwarebytes 2009-06-09 17:07 . 2009-06-09 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-08 23:10 . 2009-06-08 23:10 -------- d-----w- c:\documents and settings\Drader\Local Settings\Application Data\WMTools Downloaded Files 2009-06-04 14:22 . 2009-06-04 04:10 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-06-04 04:05 . 2009-06-14 02:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-06-04 04:05 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe 2009-05-27 02:28 . 2009-05-27 02:28 -------- d-----w- c:\program files\Musicnotes 2009-05-27 02:25 . 2009-06-08 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes 2009-05-22 02:49 . 2009-05-22 02:49 -------- d-----w- c:\documents and settings\Drader\Application Data\KodakCredentialStore . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-14 02:49 . 2009-05-04 21:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-06-14 01:59 . 2008-12-28 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-06-12 05:57 . 2009-01-29 18:18 1 ----a-w- c:\documents and settings\Drader\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2009-06-11 02:08 . 2008-12-26 17:48 -------- d-----w- c:\documents and settings\Drader\Application Data\AdobeUM 2009-06-09 02:07 . 2008-12-24 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2009-06-08 23:11 . 2008-12-25 00:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore 2009-06-08 23:10 . 2008-12-28 17:56 -------- d-----w- c:\program files\Google 2009-06-08 23:10 . 2008-12-24 17:44 -------- d-----w- c:\documents and settings\Drader\Application Data\Sonic 2009-06-04 04:05 . 2009-01-27 23:16 -------- d-----w- c:\program files\Lavasoft 2009-06-04 04:05 . 2008-12-26 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-05-27 14:36 . 2008-12-24 22:54 310640 ----a-w- c:\documents and settings\Drader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-22 16:51 . 2009-03-04 04:14 848 --sha-w- c:\windows\system32\KGyGaAvL.sys 2009-05-12 01:50 . 2009-05-12 01:50 -------- d-----w- c:\documents and settings\Drader\Application Data\Leadertech 2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll 2009-05-05 02:11 . 2009-05-04 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache 2009-05-04 21:38 . 2009-05-04 21:38 -------- d-----w- c:\program files\bfgclient 2009-05-04 17:25 . 2009-05-04 17:25 -------- d-----w- c:\documents and settings\Drader\Application Data\Skinux 2009-05-04 16:57 . 2009-05-04 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak 2009-05-04 16:52 . 2009-05-04 16:48 -------- d-----w- c:\program files\Common Files\Kodak 2009-05-04 16:31 . 2009-05-04 16:29 -------- d-----w- c:\program files\Kodak 2009-05-04 16:20 . 2009-05-04 16:20 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe 2009-05-04 16:18 . 2009-05-04 16:13 23510720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\dotnetfx.exe 2009-05-04 16:17 . 2009-05-04 16:17 30720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\netfw.exe 2009-05-04 16:13 . 2009-05-04 16:13 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe 2009-05-04 16:08 . 2009-05-04 16:08 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_a031e62\EasyShrx.Dll 2009-05-04 16:07 . 2009-05-04 16:07 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.9.20.1.dll 2009-05-04 16:07 . 2009-05-04 16:08 2499984 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_a031e62\Setup.exe 2009-05-04 16:06 . 2009-05-04 16:06 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.25.1.dll 2009-04-29 04:46 . 2004-08-04 10:00 666624 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:46 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll 2009-04-26 19:27 . 2009-04-26 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-04-26 15:00 . 2009-04-26 06:41 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-04-17 12:26 . 2004-08-04 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2004-08-04 10:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2009-04-13 21:54 . 2009-04-13 21:54 1878984 ----a-w- c:\documents and settings\Drader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe 2009-03-29 15:25 . 2004-08-10 18:13 78199 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat 2009-03-19 16:56 . 2009-03-19 16:56 129 ----a-w- c:\documents and settings\Drader\Local Settings\Application Data\fusioncache.dat 2009-03-19 16:51 . 2009-03-19 16:51 164 ----a-w- c:\windows\install.dat 2009-03-18 00:42 . 2009-03-18 00:42 503808 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-70d9f237-n\msvcp71.dll 2009-03-18 00:42 . 2009-03-18 00:42 499712 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-70d9f237-n\jmc.dll 2009-03-18 00:42 . 2009-03-18 00:42 348160 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-70d9f237-n\msvcr71.dll 2009-03-18 00:41 . 2009-02-24 19:30 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-03-18 00:37 . 2009-03-18 00:37 152576 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\jre1.6.0_12\lzma.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-06-02 20:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-18 148888] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-06-11 00:20 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Drader^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk] path=c:\documents and settings\Drader\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/27/2009 4:22 PM 64160] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/10/2009 5:20 PM 327688] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/10/2009 5:20 PM 108552] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/10/2009 5:19 PM 908568] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/10/2009 5:19 PM 298776] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] S2 gupdate1c99dc76a3bc708;Google Update Service (gupdate1c99dc76a3bc708);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2009 12:20 PM 133104] S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/4/2009 12:00 PM 33752] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1005904] . Contents of the 'Scheduled Tasks' folder 2009-06-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:10] 2009-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34] 2009-06-14 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-28 21:58] 2009-06-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 19:19] 2009-06-14 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20] . - - - - ORPHANS REMOVED - - - - HKLM-Run-goyapipemu - c:\windows\system32\viyorawi.dll HKLM-Run-54712828 - c:\windows\system32\kuwokilo.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.lds.org/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://www.dell4me.com/myway uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = .local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s Trusted Zone: internet Trusted Zone: mcafee.com FF - ProfilePath - . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2009-06-13 20:34 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(1464) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\SYSTEM32\CF21898.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Motive\McciCMService.exe c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\SYSTEM32\wscntfy.exe . ************************************************************************ . Completion time: 2009-06-14 20:38 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-14 03:38 Pre-Run: 23,424,643,072 bytes free Post-Run: 23,421,034,496 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 210 --- E O F --- 2009-06-13 09:19 MBAM POST SCAN Malwarebytes' Anti-Malware 1.37 Database version: 2273 Windows 5.1.2600 Service Pack 3 6/13/2009 9:20:25 PM mbam-log-2009-06-13 (21-20-25).txt Scan type: Quick Scan Objects scanned: 85940 Time elapsed: 4 minute(s), 24 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HIJACKTHIS POST SCAN Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:51:48 PM, on 6/13/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Drader\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: ».mcafee.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe -- End of file - 6608 bytes MBAM PRE-SCAN (BEFORE COMBO FIX) Malwarebytes' Anti-Malware 1.37 Database version: 2273 Windows 5.1.2600 Service Pack 3 6/13/2009 4:57:41 PM mbam-log-2009-06-13 (16-57-41).txt Scan type: Quick Scan Objects scanned: 88078 Time elapsed: 10 minute(s), 7 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goyapipemu (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54712828 (Trojan.Vundo.H) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
	to forum · permalink · · 2009-06-14 00:49:05 ·
azraders join:2009-06-11	I have done a reboot and the following were found: Hijackthis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:01:22 PM, on 6/13/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Documents and Settings\Drader\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: ».mcafee.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe -- End of file - 6792 bytes MBAM Malwarebytes' Anti-Malware 1.37 Database version: 2273 Windows 5.1.2600 Service Pack 3 6/13/2009 10:00:38 PM mbam-log-2009-06-13 (21-59-52).txt after reboot Scan type: Quick Scan Objects scanned: 85890 Time elapsed: 4 minute(s), 8 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goyapipemu (Trojan.Vundo.H) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54712828 (Trojan.Vundo.H) -> No action taken. Registry Data Items Infected: (No malicious items detected) I think it is still there
	to forum · permalink · · 2009-06-14 01:28:56 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	I'm not so sure that the actual infection is still there, or if it's simply that there was a problem removing the related registry keys. It appears that the files related to the vundo infection are gone. Please follow the below instructions in the order listed. To clear the Java Runtime Environment (JRE) cache: - Click Start > Control Panel. - Double-click the Java icon in the control panel. -The Java Control Panel appears. - Click Settings under Temporary Internet Files. -The Temporary Files Settings dialog box appears. - Click Delete Files. -The Delete Temporary Files dialog box appears. -There are two options on this window to clear the cache. - Applications and Applets - Trace and Log Files - Click OK on Delete Temporary Files window. -Note: This deletes all the Downloaded Applications and Applets from the cache. - Click OK on Temporary Files Settings window. - Close the Java Control Panel Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities. Updating Java: - Download the latest version of Java Runtime Environment (JRE) 6. - Scroll down to where it says "Java SE Runtime Environment (JRE), JRE 6 Update 14". - Click the "Download" button to the right. - In the Window that opens, select Windows, and check the "agree" box and click "Continue". - Click on the link to download Windows Offline Installation and save to your desktop. - Close any programs you may have running - especially your web browser. - Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java. - Check any item with Java Runtime Environment (JRE or J2SE) in the name. - Examples of older versions in Add or Remove Programs: -- Java 2 Runtime Environment, SE v1.4.2 -- J2SE Runtime Environment 5.0 -- J2SE Runtime Environment 5.0 Update 2 - Click the Remove or Change/Remove button. - Repeat as many times as necessary to remove each Java versions. - Reboot your computer once all Java components are removed. - Then from your desktop double-click on jre-6u14-windows-i586-p.exe that you downloaded to install the newest version. I recommend going to Control Panel's Add or Remove Programs and uninstalling anything connected to Big Fish Games If you uninstall it as recommended, then delete the following two folders if still there: Reconfigure Windows XP to show hidden files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select "Show hidden files and folders". Uncheck the "Hide protected operating system files (recommended)" option. Uncheck the "Hide file extensions for known file types" option. Click Yes to confirm. Click OK. Using Windows Explorer, delete the following folders if still there: c:\documents and settings\All Users\Application Data\BigFishGamesCache c:\program files\bfgclient Now you need to hide the files you un-hid earlier: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading unselect "Show hidden files and folders". Check the "Hide protected operating system files (recommended)" option. Click Yes to confirm. Click OK. Now reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter. To return to normal mode just restart your computer as you normally would. Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there): O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked. Restart your system. We need to make sure you have the most recent version of ComboFix. Delete your current copy of ComboFix.exe. Download ComboFix© by sUBs from one of these links: http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe Save the file to your Desktop. - Close any open browsers. - Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering. - Double click on ComboFix.exe & follow the prompts. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it will save a log. Please include the contents of the log at C:\ComboFix.txt in your next reply. Please Run Malwarebytes' Anti-Malware. - Click the Update tab. - Click Check for Updates. - If an update is found, it will download and install. - Click the Scanner tab. - Select "Perform Quick Scan", then click Scan. - The scan may take some time to finish,so please be patient. - When the scan is complete, click OK, then Show Results to view the results. - Make sure that everything is checked, and click Remove Selected. - When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note) - The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. - Copy & Paste the entire report in your next reply along with a fresh HijackThis log. Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Please go to VirusTotal and submit the following file for a scan and post the detection results (I don't need the "additional information") in your next reply: c:\windows\system32\MSSTDFMT.DLL Please post a new HijackThis log, the log from ComboFix (combofix.txt), the log from MBAM, the results of scanning the file at VirusTotal, and note any errors encountered. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-06-14 10:44:25 ·
azraders join:2009-06-11	Hello there, I followed the instructions per your last post. Here are the scans: hijackthissafemode: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:39:18 AM, on 6/14/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\Drader\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »bfc.myway.com/search/de_srchlft.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = »www.dell.com O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe -- End of file - 5752 bytes ***************************** Combofix ComboFix 09-06-13.09 - Drader 06/14/2009 11:19.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.193 [GMT -7:00] Running from: c:\documents and settings\Drader\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 ))))))))))))))))))))))))))))))) . 2009-06-14 17:15 . 2009-06-14 17:15 152576 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-06-11 23:25 . 2009-06-11 23:34 -------- d-----w- c:\program files\SpywareBlaster 2009-06-11 23:25 . 2005-08-26 02:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL 2009-06-11 19:59 . 2009-06-11 19:59 -------- d-----w- C:\VundoFix Backups 2009-06-11 19:16 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-11 19:16 . 2009-06-11 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-11 19:16 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-11 04:23 . 2009-06-02 20:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll 2009-06-11 01:12 . 2009-06-14 14:59 -------- d--h--w- C:\$AVG8.VAULT$ 2009-06-11 00:28 . 2009-06-11 00:28 -------- d-----w- c:\documents and settings\Drader\Local Settings\Application Data\AVG Security Toolbar 2009-06-11 00:20 . 2009-06-11 00:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-06-11 00:20 . 2009-06-11 00:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-06-11 00:20 . 2009-06-11 00:20 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-11 00:20 . 2009-06-11 00:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-06-11 00:19 . 2009-06-14 14:23 -------- d-----w- c:\windows\system32\drivers\Avg 2009-06-11 00:19 . 2009-06-11 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2009-06-11 00:19 . 2009-06-11 00:19 -------- d-----w- c:\program files\AVG 2009-06-11 00:19 . 2009-06-11 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-11 00:03 . 2009-06-11 00:03 -------- d-----w- c:\documents and settings\Drader\Application Data\AVG8 2009-06-10 15:17 . 2009-06-10 15:17 310640 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-06-10 15:02 . 2009-06-10 15:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-06-10 00:58 . 2009-06-10 00:58 -------- d-----w- c:\program files\Windows Defender 2009-06-09 17:08 . 2009-06-09 17:08 -------- d-----w- c:\documents and settings\Drader\Application Data\Malwarebytes 2009-06-09 17:07 . 2009-06-09 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-08 23:10 . 2009-06-08 23:10 -------- d-----w- c:\documents and settings\Drader\Local Settings\Application Data\WMTools Downloaded Files 2009-06-04 14:22 . 2009-06-04 04:10 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-06-04 04:05 . 2009-06-14 02:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-06-04 04:05 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe 2009-05-27 02:28 . 2009-05-27 02:28 -------- d-----w- c:\program files\Musicnotes 2009-05-27 02:25 . 2009-06-08 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes 2009-05-22 02:49 . 2009-05-22 02:49 -------- d-----w- c:\documents and settings\Drader\Application Data\KodakCredentialStore . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-14 18:06 . 2009-01-29 18:18 1 ----a-w- c:\documents and settings\Drader\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2009-06-14 17:20 . 2009-02-24 19:30 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-06-14 17:15 . 2008-12-24 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2009-06-14 02:49 . 2009-05-04 21:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-06-14 01:59 . 2008-12-28 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-06-11 02:08 . 2008-12-26 17:48 -------- d-----w- c:\documents and settings\Drader\Application Data\AdobeUM 2009-06-08 23:11 . 2008-12-25 00:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore 2009-06-08 23:10 . 2008-12-28 17:56 -------- d-----w- c:\program files\Google 2009-06-08 23:10 . 2008-12-24 17:44 -------- d-----w- c:\documents and settings\Drader\Application Data\Sonic 2009-06-04 04:05 . 2009-01-27 23:16 -------- d-----w- c:\program files\Lavasoft 2009-06-04 04:05 . 2008-12-26 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-05-27 14:36 . 2008-12-24 22:54 310640 ----a-w- c:\documents and settings\Drader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-22 16:51 . 2009-03-04 04:14 848 --sha-w- c:\windows\system32\KGyGaAvL.sys 2009-05-12 01:50 . 2009-05-12 01:50 -------- d-----w- c:\documents and settings\Drader\Application Data\Leadertech 2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll 2009-05-04 17:25 . 2009-05-04 17:25 -------- d-----w- c:\documents and settings\Drader\Application Data\Skinux 2009-05-04 16:57 . 2009-05-04 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak 2009-05-04 16:52 . 2009-05-04 16:48 -------- d-----w- c:\program files\Common Files\Kodak 2009-05-04 16:31 . 2009-05-04 16:29 -------- d-----w- c:\program files\Kodak 2009-05-04 16:20 . 2009-05-04 16:20 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe 2009-05-04 16:18 . 2009-05-04 16:13 23510720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\dotnetfx.exe 2009-05-04 16:17 . 2009-05-04 16:17 30720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\netfw.exe 2009-05-04 16:13 . 2009-05-04 16:13 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe 2009-05-04 16:08 . 2009-05-04 16:08 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_a031e62\EasyShrx.Dll 2009-05-04 16:07 . 2009-05-04 16:07 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.9.20.1.dll 2009-05-04 16:07 . 2009-05-04 16:08 2499984 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_a031e62\Setup.exe 2009-05-04 16:06 . 2009-05-04 16:06 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.25.1.dll 2009-04-29 04:46 . 2004-08-04 10:00 666624 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:46 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll 2009-04-26 19:27 . 2009-04-26 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-04-26 15:00 . 2009-04-26 06:41 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-04-17 12:26 . 2004-08-04 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2004-08-04 10:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2009-04-13 21:54 . 2009-04-13 21:54 1878984 ----a-w- c:\documents and settings\Drader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe 2009-03-29 15:25 . 2004-08-10 18:13 78199 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat 2009-03-19 16:56 . 2009-03-19 16:56 129 ----a-w- c:\documents and settings\Drader\Local Settings\Application Data\fusioncache.dat 2009-03-19 16:51 . 2009-03-19 16:51 164 ----a-w- c:\windows\install.dat . ((((((((((((((((((((((((((((( SnapShot@2009-06-14_03.34.25 ))))))))))))))))))))))))))))))))))))))))) . + 2009-06-14 17:43 . 2009-06-14 17:43 16384 c:\windows\Temp\Perflib_Perfdata_1e0.dat - 2009-03-18 00:42 . 2009-03-18 00:41 148888 c:\windows\SYSTEM32\javaws.exe + 2009-06-14 17:20 . 2009-06-14 17:20 148888 c:\windows\SYSTEM32\javaws.exe + 2009-06-14 17:20 . 2009-06-14 17:20 144792 c:\windows\SYSTEM32\javaw.exe - 2009-03-18 00:42 . 2009-03-18 00:41 144792 c:\windows\SYSTEM32\javaw.exe + 2009-06-14 17:20 . 2009-06-14 17:20 144792 c:\windows\SYSTEM32\java.exe - 2009-03-18 00:42 . 2009-03-18 00:41 144792 c:\windows\SYSTEM32\java.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-06-02 20:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-28 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-14 148888] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-06-11 00:20 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Drader^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk] path=c:\documents and settings\Drader\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/27/2009 4:22 PM 64160] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/10/2009 5:20 PM 327688] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/10/2009 5:20 PM 108552] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/10/2009 5:19 PM 908568] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/10/2009 5:19 PM 298776] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] S2 gupdate1c99dc76a3bc708;Google Update Service (gupdate1c99dc76a3bc708);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2009 12:20 PM 133104] S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/4/2009 12:00 PM 33752] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1005904] . Contents of the 'Scheduled Tasks' folder 2009-06-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:10] 2009-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34] 2009-06-14 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-28 21:58] 2009-06-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 19:19] 2009-06-14 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.lds.org/ uSearch Page = hxxp://www.google.com uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uSearch Bar = hxxp://www.google.com/ie mStart Page = hxxp://www.dell4me.com/myway uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = .local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s Trusted Zone: internet Trusted Zone: mcafee.com FF - ProfilePath - c:\documents and settings\Drader\Application Data\Mozilla\Firefox\Profiles\jrslb912.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll FF - plugin: c:\documents and settings\Drader\Application Data\Mozilla\Firefox\Profiles\jrslb912.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll . ******************************************* catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2009-06-14 11:25 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3812) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-06-14 11:29 ComboFix-quarantined-files.txt 2009-06-14 18:28 ComboFix2.txt 2009-06-14 03:38 Pre-Run: 23,446,327,296 bytes free Post-Run: 23,438,544,896 bytes free 201 --- E O F --- 2009-06-13 09:19 ******************************** MBAM after combo fix Malwarebytes' Anti-Malware 1.37 Database version: 2277 Windows 5.1.2600 Service Pack 3 6/14/2009 11:46:09 AM mbam-log-2009-06-14 (11-46-09).txt Scan type: Quick Scan Objects scanned: 60954 Time elapsed: 3 minute(s), 40 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) ************************************ Hijackthis post combo fix Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:48:46 AM, on 6/14/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Drader\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: ».mcafee.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe -- End of file - 6745 bytes ***************************************** virustotal File MSSTDFMT.DLL received on 2009.06.14 19:03:15 (UTC) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/40 (0%) Loading server information... Your file is queued in position: 1. Estimated start time is between 43 and 62 seconds. Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 4.5.0.18 2009.06.14 - AhnLab-V3 5.0.0.2 2009.06.14 - AntiVir 7.9.0.187 2009.06.14 - Antiy-AVL 2.0.3.1 2009.06.12 - Authentium 5.1.2.4 2009.06.13 - Avast 4.8.1335.0 2009.06.14 - AVG 8.5.0.339 2009.06.14 - BitDefender 7.2 2009.06.14 - CAT-QuickHeal 10.00 2009.06.13 - ClamAV 0.94.1 2009.06.14 - Comodo 1328 2009.06.14 - DrWeb 5.0.0.12182 2009.06.14 - eSafe 7.0.17.0 2009.06.11 - eTrust-Vet 31.6.6556 2009.06.12 - F-Prot 4.4.4.56 2009.06.13 - F-Secure 8.0.14470.0 2009.06.13 - Fortinet 3.117.0.0 2009.06.14 - GData 19 2009.06.14 - Ikarus T3.1.1.59.0 2009.06.14 - K7AntiVirus 7.10.762 2009.06.12 - Kaspersky 7.0.0.125 2009.06.14 - McAfee 5646 2009.06.14 - McAfee+Artemis 5646 2009.06.14 - McAfee-GW-Edition 6.7.6 2009.06.14 - Microsoft 1.4701 2009.06.14 - NOD32 4153 2009.06.14 - Norman 6.01.09 2009.06.12 - nProtect 2009.1.8.0 2009.06.14 - Panda 10.0.0.14 2009.06.14 - PCTools 4.4.2.0 2009.06.12 - Prevx 3.0 2009.06.14 - Rising 21.33.62.00 2009.06.14 - Sophos 4.42.0 2009.06.14 - Sunbelt 3.2.1858.2 2009.06.14 - Symantec 1.4.4.12 2009.06.14 - TheHacker 6.3.4.3.345 2009.06.13 - TrendMicro 8.950.0.1092 2009.06.12 - VBA32 3.12.10.7 2009.06.14 - ViRobot 2009.6.13.1785 2009.06.13 - VirusBuster 4.6.5.0 2009.06.14 - I rebooted after all of the above. I did not find any pop ups, although i did still see those trojan type files like goyapipmu , Unchecked, in the startup menu. Is there a way to get rid of these or does it even mean anything. I am a little worried about starting up spybot. Im afraid it will ask about those files. Also, you asked me to delete all files related to bigfishgames. I'm okay with getting rid of it. My son downloaded it and was playing it. Tell me about it if you can and why it is bad. How do I know which games my kids can play? I have told him not to play any games at this point. My daughter likes the pbs.org games as well as barbie.com. Is there harm in these? I have also heard facebook is bad all the way around. My other daughter likes that. is there a safe way to do that or should I ban her on facebook alltogether as well? I would appreciate all your help with those questions. It would be nice for you to recommend a link that I can visit that will teach me what is safe and what is not. Let me know if it is safe to start up all my malware/ antivirus when you can. So far this has been helpful. azraders
	to forum · permalink · · 2009-06-14 16:59:44 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	quote: I rebooted after all of the above. I did not find any pop ups, although i did still see those trojan type files like goyapipmu , Unchecked, in the startup menu. Is there a way to get rid of these or does it even mean anything. I'm not sure where you mean you see it. I no longer see the entries in any of your logs. quote: I am a little worried about starting up spybot. Im afraid it will ask about those files. If you mean TeaTimer, when you start it back up, if it says there were changes, tell it to allow the changes. quote: Also, you asked me to delete all files related to bigfishgames. I'm okay with getting rid of it. My son downloaded it and was playing it. Tell me about it if you can and why it is bad. I've seen it apparently associated with adware. quote: My daughter likes the pbs.org games as well as barbie.com. Is there harm in these? They should be fine. quote: I have also heard facebook is bad all the way around. Facebook isn't bad in itself, it's just that there's a lot of malware that targets it. If there is a graphic or video that tries to load but can't, and tells you that it needs to download a CODEC to view it, don't do that, and I would be very wary of instant messaging there or at any social networking site, and don't open URL's that are sent in an IM. I would also be careful about posting personal information there or at any social networking site. Any site that's popular (not just social networking sites) can end up being targeted to be compromized because it brings more potential victims, and malware is all about the money. quote: Let me know if it is safe to start up all my malware/ antivirus when you can. So far this has been helpful. You can start TeaTimer back up now if you want, and your antivirus should be running as I see it in your last log. quote: It would be nice for you to recommend a link that I can visit that will teach me what is safe and what is not. There are several help forums that also teach people how to remove malware. Two forums that do that are Spywareinfoforum.com and BleepingComputer. Go to start > run and copy and paste next command in the field: ComboFix /u Make sure there's a space between Combofix and / Then hit enter. This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again. Please post a new HijackThis log. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-06-14 21:15:50 ·
azraders join:2009-06-11	Last Hijackthislog: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:48:50 PM, on 6/14/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Drader\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: ».mcafee.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe -- End of file - 6778 bytes Quote: "I rebooted after all of the above. I did not find any pop ups, although i did still see those trojan type files like goyapipmu , Unchecked, in the startup menu. Is there a way to get rid of these or does it even mean anything." I was referring to the System configuration utility in the startup menu. Maybe it won't affect anything though. Thanks for everything. Especially the answers to all the questions. That was awesome! How did you get to be someone that helps people with stuff like this? Do you go to school in computers. I have wondered if I need to go learn this stuff and how I would do it. Thanks again, AZraders
	to forum · permalink · · 2009-06-14 21:54:12 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	said by azraders : I was referring to the System configuration utility in the startup menu. Maybe it won't affect anything though. Oh, you mean with the MSCONFIG utility. Go to Start > Run, and in the run line type MSCONFIG, and when it starts, click the General tab, click Normal Startup, and click OK. When prompted, do not reboot. Please post a new HijackThis log. How did you get to be someone that helps people with stuff like this? I learned at Spywareinfoforum. You can sign up for Boot Camp there through the link I left above. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-06-15 05:36:04 ·
azraders join:2009-06-11	Here is the last hijackthis after running a msconfig in normal start up. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:45:16 AM, on 6/15/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Drader\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe" O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [CPM57421bb4] Rundll32.exe "c:\windows\system32\mimegepa.dll",a O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: ».mcafee.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) - O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) - O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) - O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe -- End of file - 10255 bytes
	to forum · permalink · · 2009-06-15 10:47:30 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following: 1) Run Spybot-S&D 2) Go to the Mode menu, and make sure "Advanced Mode" is selected 3) On the left hand side, choose Tools -> Resident 4) Uncheck "Resident TeaTimer" and OK any prompts When everything is done and your log is clean again, you can enable it again. If teatimer gives you a warning afterwords that some changes were made, allow this instead of blocking it. Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make. Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. After all of the fixes are complete it is very important that you enable Real-time Protection again. Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there): O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s O4 - HKLM\..\Run: [CPM57421bb4] Rundll32.exe "c:\windows\system32\mimegepa.dll",a O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) - O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) - O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) - Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked. Reconfigure Windows XP to show hidden files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select "Show hidden files and folders". Uncheck the "Hide protected operating system files (recommended)" option. Uncheck the "Hide file extensions for known file types" option. Click Yes to confirm. Click OK. Using Windows Explorer, locate the following files, and delete them if still there (they are probably gone): C:\WINDOWS\system32\viyorawi.dll c:\windows\system32\mimegepa.dll C:\WINDOWS\system32\kuwokilo.dll Now you need to hide the files you un-hid earlier: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading unselect "Show hidden files and folders". Check the "Hide protected operating system files (recommended)" option. Click Yes to confirm. Click OK. You appear to possibly have disabled your installation of McAfee rather than uninstalled it. It needs to be uninstalled as you have AVG also installed. If you have uninstalled it, you should run this uninstaller to remove leftover entries. Download and run the McAfee Consumer Products Removal tool (MCPR.exe). Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, and 2007 and 2008 versions of McAfee consumer products. - McAfee Security Center - McAfee VirusScan - McAfee Personal Firewall Plus - McAfee Privacy Service - McAfee SpamKiller - McAfee Wireless Network Security - McAfee SiteAdvisor - McAfee Data Backup - McAfee Network Manager - McAfee Easy Network - McAfee AntiSpyware[/list] Download the removal tool from »download.mcafee.com/products/lic···MCPR.exe - Click Save and save the file to any folder on the computer. - Navigate to the folder where the file is saved. - Double-click MCPR.exe. Note: Windows Vista users must right-click MCPR.exe and select Run as Administrator. - Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed. Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear. After the second window appears, the program will begin the cleanup. - Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window: The machine must reboot to complete the un-installation. Reboot now? [y.n] - Press Y on the keyboard. - Wait for the computer to restart. All McAfee products are now removed from your computer. These McAfee removal instructions can be found at »service.mcafee.com/FAQDocument.a···TS100507 Please post a new HijackThis log and note any errors encountered. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-06-15 13:29:41 ·
azraders join:2009-06-11	Thanks for the help! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:06:02 AM, on 6/15/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\OpenOffice.org 3\program\soffice.exe C:\Program Files\OpenOffice.org 3\program\soffice.bin C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Documents and Settings\Drader\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe" O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: ».mcafee.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe -- End of file - 9799 bytes I'm glad to see the files finally deleted alltogether. One last thing if I may? Since I've done these last few steps, the computer is running slower. Is that because we put the msconfig on normal startup? I think everything is running now. OR do I have other problems that need addressing regarding cleaning up of files? If it the latter, please direct me to a forum where I can learn how to better optimize the drive and speed. thanks so much for your time. I really appreciate the help you have rendered. My computer thanks you too! After a week and a half dealing with this junk... I'm ready for a vacation! azraders
	to forum · permalink · · 2009-06-15 14:14:03 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	You have quite a few items that you had previously disabled with MSCONFIG. You can disable them again, but they needed to be viewable to be able to delete the bad items. There are other ways to get rid of several of them, and one that still isn't gone. Please disable TeaTimer by doing the following: 1) Run Spybot-S&D 2) Go to the Mode menu, and make sure "Advanced Mode" is selected 3) On the left hand side, choose Tools -> Resident 4) Uncheck "Resident TeaTimer" and OK any prompts When everything is done and your log is clean again, you can enable it again. If teatimer gives you a warning afterwords that some changes were made, allow this instead of blocking it. Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make. Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. After all of the fixes are complete it is very important that you enable Real-time Protection again. Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries: O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - You can optionally check the following entry. This entry is used in connection with memory dumps - you can disable these by - right clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out: O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked. That takes care of that one. You were disabling Ad-Watch with MSCONFIG. Instead, just turn it off in the program, and it won't be running as an item that you may want to disable. However, you already have Spybot Search & Destroy, and Windows Defender. I would simply uninstall Ad-Aware as redundant You are running both Google Toolbar, and Yahoo! Toolbar. I would uninstall one of them. Do you really use either? Uninstall the one you use the least (uninstalling the Yahoo! software will probably give the biggest effect). For the rest, instead of using MSCONFIG, You might want to take a look at this page created by miekiemoes, one of the Global Moderators here, on slow systems, and some things you can try to do to try to improve it: »users.telenet.be/bluepatchy/miek···ter.html I would particularly look at using RubberDucky's StartUpLite (from the same people that brought you MBAM). This will display all unnecessary startup entries - so actually, everything it displays there is not necessary to start up with Windows. Create a Restore Point •Go to Start > Programs > Accessories > System Tools > System Restore •Select Create a Restore Point and then Next. •In the box for "Restore point description", enter a descriptive name and press Create •When the "Restore Point Created" window appears, click Close Run Disk Cleanup •Go to Start > Run and type the below line: cleanmgr •Click OK •If you have more than one drive, select the drive Windows is installed on •Click OK •When Disk Cleanup opens, select the More Options tab •In the System Restore section (bottom of window), click Cleanup •In the confirmation window that opens, click Yes[ Now click on the Disk Cleanup tab and select the following items: •Downloaded Program Files •Temporary Internet Files •Recycle Bin •Temporary Files Click OK in the confirmation window, select Yes (Disk Cleanup will close). Please post a new HijackThis log. How is the system running now? -- Proud ASAP member since 2005
	to forum · permalink · · 2009-06-15 18:45:23 ·
azraders join:2009-06-11	Hi there. I did the clean up. It is a toss up. Some times I can browse from page to page in a few seconds and that has improved. what I notice is it takes my browsers about 20-30 seconds to load. Maybe this will work itself out. thanks for all the help. It was much appreciated!! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:17:20 AM, on 6/16/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\dell\bldbubg.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\OpenOffice.org 3\program\soffice.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\OpenOffice.org 3\program\soffice.bin C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Drader\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file) O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe" O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: ».mcafee.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) - O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) - O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe -- End of file - 9405 bytes
	to forum · permalink · · 2009-06-16 10:26:25 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	You have more empty entries to remove. Please disable TeaTimer by doing the following: 1) Run Spybot-S&D 2) Go to the Mode menu, and make sure "Advanced Mode" is selected 3) On the left hand side, choose Tools -> Resident 4) Uncheck "Resident TeaTimer" and OK any prompts When everything is done and your log is clean again, you can enable it again. If teatimer gives you a warning afterwords that some changes were made, allow this instead of blocking it. Please don't forget this step to disable teatimer. Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make. Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. After all of the fixes are complete it is very important that you enable Real-time Protection again. Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there): O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) - O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) - Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked. quote: Some times I can browse from page to page in a few seconds and that has improved. what I notice is it takes my browsers about 20-30 seconds to load. Did you follow the recommendation to use StartupLite to disable the entries that you had previously disabled with MSCONFIG? That may help once you do that. You are also still running Internet Explorer 6. I would update to at least version 7, and then any adidtional security updates found at Windows Update after you do that. If you find IE7 slower, you can Google "speedup IE7" and you will find sites like »reliancepc.com/menu/tips/IE7tuning/index.php and »www.consumingexperience.com/2007···r-7.html that help with attempting to speed up IE7. Please post a new HijackThis log and note any errors encountered. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-06-16 19:11:51 ·
azraders join:2009-06-11	O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) - O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) - I originally deleted these but I had to re install java because after the last hijackthis and reboot, my math program wouldn't work. It told me I needed the plug in for Java. So I downloaded it again. I am not sure but think the bottom two are related to running the program. The top one may be related because I deleted it initially and I saw it back in the hijackthis log. I'm not sure what to do now. If you are positive they have nothing to do with the java I need for my math program, I'll delete them again. Let me know.
	to forum · permalink · · 2009-06-16 19:37:19 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	You can leave them, as their being there won't cause a problem. What was the math program that needed them? There are several free utilities you can use to help keep malware off your system: A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at »www.mvps.org/winhelp2002/hosts.htm. A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at »www.javacoolsoftware.com/products.html. I recommend reading Tony Klein's article So How did I get Infected in the First Place? at »www.spywareinfoforum.com/index.p···ic=60955 Does your problem appear resolved? -- Proud ASAP member since 2005
	to forum · permalink · · 2009-06-16 20:52:07 ·
azraders join:2009-06-11	yes, I do not seem to have the trojans I first reported. thank you for all you've done. I do have spywareblaster. The math program I use on the internet is Aleks.com. It is the program that the community college requires me to use for school. azraders
	to forum · permalink · · 2009-06-17 09:45:45 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	Thanks for the info and best of luck keeping the system clean. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-06-20 11:46:24 ·


Saturday, 28-Nov 06:10:40	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. republican-creole page compression OFF