Hjt Log[RESOLVED]

Lurch987

By Lurch987,
in Malware Removal

 Share Followers 0

Recommended Posts

Lurch987

Lurch987

Posted
Posted

Hey Guys,

I've been cleaning up a friends computer and there was a lot of nasty stuff.

I seem to be missing something because I'm still getting various pop up ads.

Anyway here's the log

Logfile of HijackThis v1.99.1

Scan saved at 6:19:53 PM, on 14/09/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: (no name) - {10990D5B-D686-4CD2-81EB-C7540450A1BA} - C:\WINDOWS\system32\jkkIAtsq.dll (file missing)

O2 - BHO: (no name) - {2DF74DB3-9990-4535-ABC2-B5DE34B1C82F} - C:\WINDOWS\system32\cbXQHXpQ.dll (file missing)

O2 - BHO: (no name) - {4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\hgGVpoLe.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: {19c8b2cf-d02f-fa8b-7b54-40fbf84ac42a} - {a24ca48f-bf04-45b7-b8af-f20dfc2b8c91} - C:\WINDOWS\system32\uafmed.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O2 - BHO: (no name) - {C31E85DE-8C2F-4035-AC49-5B6062B62CAD} - C:\WINDOWS\system32\ljJASijJ.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: gksraemq - {7C74C1B1-81FB-4105-B304-80A12EC6E73D} - C:\WINDOWS\gksraemq.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Crazy Vegas Poker - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\crazyvegasMPP\MPPoker.exe (file missing) (HKCU)

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.4.4.27/cana...a-ob-assets.cab

O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.4.3.28/domi...o-ob-assets.cab

O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.5.1.24/hold...oldem-en_US.cab

O16 - DPF: Video Poker by pogo - http://game1.pogo.com/applet-6.4.3.36/vide...r-ob-assets.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Virtual%20Villagers%202/Images/stg_drm.ocx

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v45/sol/sol.cab

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B45E4E22-E6A8-4B58-88FA-F2E4726DC95E} - http://scanner.vav-scan.com/setup/demo/setup.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Virtual%20Villagers%202/Images/armhelper.ocx

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab

O16 - DPF: {D27CDB6E-AE6D-12CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin9.valueactive.com/Register/Br...018/flashax.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/in...aploader_v6.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: uafmed.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: fceadd7f382 - C:\WINDOWS\system32\__c0022362.dat (file missing)

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll

O20 - Winlogon Notify: hgGVpoLe - hgGVpoLe.dll (file missing)

O20 - Winlogon Notify: jkkIAtsq - jkkIAtsq.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O20 - Winlogon Notify: __c002CCEE - C:\WINDOWS\system32\__c002CCEE.dat (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe" Start=service (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Link to post
Share on other sites
Andro1d

Andro1d

Posted
Posted

Hello and Welcome to the forums. :)

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please visit this web page for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan; you may re-enable them after the scan.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Link to post
Share on other sites
Lurch987

Lurch987

Posted
  • Author
Posted

Here's the Combofix log and the new HJT log.

ComboFix 08-09-16.01 - Katie 2008-09-17 0:49:02.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.193 [GMT -4:00]

Running from: C:\Documents and Settings\Katie\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\BMffd9ee4c.txt

C:\WINDOWS\BMffd9ee4c.xml

C:\WINDOWS\cookies.ini

C:\WINDOWS\Downloaded Program Files\setup.dll

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\elat.exe

C:\WINDOWS\hosts

C:\WINDOWS\system32\AutoRun.inf

C:\WINDOWS\system32\bisoqped.ini

C:\WINDOWS\system32\fudvnkmh.ini

C:\WINDOWS\system32\jdmtxo.dll

C:\WINDOWS\system32\JjiSAJjl.ini

C:\WINDOWS\system32\JjiSAJjl.ini2

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\mqymrmsk.ini

C:\WINDOWS\system32\MSINET.oca

C:\WINDOWS\system32\pac.txt

C:\WINDOWS\system32\pcvpmted.dll

C:\WINDOWS\system32\pveexsnq.dll

C:\WINDOWS\system32\QpXHQXbc.ini

C:\WINDOWS\system32\QpXHQXbc.ini2

C:\WINDOWS\system32\tnvajiad.ini

C:\WINDOWS\system32\uafmed.dll

C:\WINDOWS\vanwxemgfwn.dll

C:\xcrashdump.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))

.

2008-09-14 13:25 . 2008-09-14 15:13 <DIR> d-------- C:\Program Files\a-squared Free

2008-09-11 14:39 . 2008-09-11 14:40 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-09-11 14:39 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL

2008-09-11 13:17 . 2008-09-11 13:17 <DIR> d-------- C:\VundoFix Backups

2008-09-11 11:55 . 2008-09-11 12:10 2,958 --a------ C:\WINDOWS\system32\tmp.reg

2008-09-10 22:00 . 2008-09-10 22:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7

2008-09-10 19:45 . 2008-09-10 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-09-10 19:44 . 2008-09-10 19:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-09-10 19:30 . 2008-09-10 19:30 <DIR> d-------- C:\Program Files\CodeStuff

2008-09-06 02:37 . 2008-09-06 00:39 94,208 --a------ C:\WINDOWS\sxmaokgf.exe

2008-09-03 00:28 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-09-03 00:15 . 2008-09-03 00:15 <DIR> d-------- C:\Program Files\Common Files\Java

2008-09-01 12:22 . 2008-09-01 12:22 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Talkback

2008-08-28 21:17 . 2008-08-28 21:17 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\GamesCafe

2008-08-27 18:45 . 2008-08-27 18:45 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Eyeblaster

2008-08-27 18:42 . 2008-08-27 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom

2008-08-27 10:44 . 2008-08-28 19:10 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\GameHouse

2008-08-27 10:44 . 2008-08-27 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9

2008-08-22 17:32 . 2008-08-22 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PBGsavesDirectory

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-17 04:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-09-17 04:40 --------- d-----w C:\Documents and Settings\Katie\Application Data\OpenOffice.org2

2008-09-17 04:39 --------- d-----w C:\Documents and Settings\Katie\Application Data\AVG7

2008-09-14 15:15 456,617 ----a-w C:\WINDOWS\java\Packages\8HRV3NBR.ZIP

2008-09-14 15:12 --------- d-----w C:\Program Files\Dynamic Gaming Systems

2008-09-11 13:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-09-11 01:26 --------- d-----w C:\Program Files\MSN Messenger

2008-09-10 23:45 --------- d-----w C:\Program Files\Lavasoft

2008-09-10 22:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-09-03 04:28 --------- d-----w C:\Program Files\Java

2008-09-03 04:06 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-09-03 02:13 --------- d-----w C:\Documents and Settings\Katie\Application Data\Microgaming

2008-09-02 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-08-27 15:53 --------- d-----w C:\Program Files\Oberon Media

2008-08-27 13:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo

2008-08-23 23:02 --------- d-----w C:\Documents and Settings\Katie\Application Data\PlayFirst

2008-08-23 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst

2008-08-20 01:27 --------- d-----w C:\Program Files\Apple Software Update

2008-08-16 16:10 --------- d-----w C:\Documents and Settings\Katie\Application Data\Pogo Games

2008-08-16 14:50 --------- d-----w C:\Program Files\Canon

2008-08-15 23:27 --------- d-----w C:\Program Files\Kodak

2008-08-15 23:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak

2008-08-14 22:16 --------- d-----w C:\Documents and Settings\Katie\Application Data\Go-Go Gourmet Chef of the Year

2008-08-13 23:11 --------- d-----w C:\Documents and Settings\Katie\Application Data\Gogii Games

2008-08-13 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii Games

2008-08-12 03:32 --------- d-----w C:\Program Files\LimeWire

2008-08-11 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Astar Games

2008-08-10 22:55 --------- d-----w C:\Documents and Settings\Katie\Application Data\Friday's games

2008-08-06 21:49 --------- d-----w C:\Documents and Settings\Katie\Application Data\BrandX Games

2008-08-03 00:31 --------- d-----w C:\Program Files\Gnuf

2008-08-02 03:39 --------- d-----w C:\Program Files\QuickTime

2008-07-30 16:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DivoGames

2008-07-28 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microgaming

2008-07-28 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\MGS

2008-07-22 22:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games

2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 22:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll

2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-04-12 07:34 61,224 ----a-w C:\Documents and Settings\Katie\GoToAssistDownloadHelper.exe

2008-02-25 03:19 5,180 ----a-w C:\Documents and Settings\Katie\Application Data\mindhabits.dat

2007-10-05 02:26 2,103,064 ----a-w C:\Documents and Settings\Katie\Application Data\PerformanceoptimizerFreeSetup[1].exe

2007-01-15 07:09 774,144 ----a-w C:\Program Files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-27 579584]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-08-01 413696]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-02 219136]

C:\Documents and Settings\Katie\Start Menu\Programs\Startup\

OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-04-12 03:36 10536 C:\Program Files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=uafmed.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"C:\\StubInstaller.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

S3 GoToAssist;GoToAssist;C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe Start=service [ ]

S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 18176]

S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 7680]

S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [ ]

S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 23680]

S3 VICAMUSB;3Com HomeConnect USB Camera;C:\WINDOWS\system32\drivers\vicamusb.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

BHO-{2DF74DB3-9990-4535-ABC2-B5DE34B1C82F} - C:\WINDOWS\system32\cbXQHXpQ.dll

BHO-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\hgGVpoLe.dll

BHO-{a24ca48f-bf04-45b7-b8af-f20dfc2b8c91} - C:\WINDOWS\system32\uafmed.dll

BHO-{C31E85DE-8C2F-4035-AC49-5B6062B62CAD} - C:\WINDOWS\system32\ljJASijJ.dll

Toolbar-{7C74C1B1-81FB-4105-B304-80A12EC6E73D} - C:\WINDOWS\gksraemq.dll

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

HKCU-Run-Vidalia - C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe

HKLM-Run-BO1HelperStartUp - C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE

HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe

HKLM-Run-StandardInstall - (no file)

ShellExecuteHooks-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\hgGVpoLe.dll

Notify-fceadd7f382 - C:\WINDOWS\system32\__c0022362.dat

Notify-__c002CCEE - C:\WINDOWS\system32\__c002CCEE.dat

Notify-hgGVpoLe - hgGVpoLe.dll

Notify-jkkIAtsq - jkkIAtsq.dll

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Katie\Application Data\Mozilla\Firefox\Profiles\8a0rjdg3.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-17 00:56:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.bin

C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe

.

**************************************************************************

.

Completion time: 2008-09-17 1:11:54 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-17 05:10:49

Pre-Run: 61,423,730,688 bytes free

Post-Run: 61,592,387,584 bytes free

223 --- E O F --- 2008-08-16 21:01:19

Logfile of HijackThis v1.99.1

Scan saved at 1:13:44 AM, on 17/09/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Crazy Vegas Poker - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\crazyvegasMPP\MPPoker.exe (file missing) (HKCU)

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.4.4.27/cana...a-ob-assets.cab

O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.4.3.28/domi...o-ob-assets.cab

O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.5.1.24/hold...oldem-en_US.cab

O16 - DPF: Video Poker by pogo - http://game1.pogo.com/applet-6.4.3.36/vide...r-ob-assets.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Virtual%20Villagers%202/Images/stg_drm.ocx

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v45/sol/sol.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B45E4E22-E6A8-4B58-88FA-F2E4726DC95E} - http://scanner.vav-scan.com/setup/demo/setup.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Virtual%20Villagers%202/Images/armhelper.ocx

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab

O16 - DPF: {D27CDB6E-AE6D-12CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin9.valueactive.com/Register/Br...018/flashax.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: uafmed.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe" Start=service (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Link to post
Share on other sites
Andro1d

Andro1d

Posted
Posted

Hello again,

Step 1

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O20 - AppInit_DLLs: uafmed.dll

Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

Step 2

Open notepad and copy and paste the following code box in it starting with @echo off

@echo off
echo Delitor by wng_z3r0 >deleteOutput.txt
echo. >>deleteOutput.txt
echo Files to delete: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
echo "C:\WINDOWS\sxmaokgf.exe" >>deleteOutput.txt
attrib "C:\WINDOWS\sxmaokgf.exe" -h -r -s
del /f /q "C:\WINDOWS\sxmaokgf.exe"
echo. >>deleteOutput.txt
echo END Files to delete: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
echo. >>deleteOutput.txt
echo. >>deleteOutput.txt
echo. >>deleteOutput.txt
echo Files remaining after deletion: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
if exist "C:\WINDOWS\sxmaokgf.exe" echo "C:\WINDOWS\sxmaokgf.exe" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\sxmaokgf.exe" dir /q "C:\WINDOWS\sxmaokgf.exe" >>deleteOutput.txt
echo. >>deleteOutput.txt
echo END of file: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
start notepad "%cd%\deleteOutput.txt"
exit

Save this as replace.bat , choose to save as *all files and place it on your desktop.

It should look like this:bat.gif

(In case you are unsure how to create a bat file, take a look here with screenshots.)

* Reboot into Safe Mode: ( without networking support !)

°To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.

Choose Safe Mode from the menu that will appear and press Enter.

Once in Safe mode, doubleclick replace.bat you created previously.

The data needed then should be merged.

Then please boot back to normal Windows.

Step 3

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step 4

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites
Lurch987

Lurch987

Posted
  • Author
Posted

Here's the MBAM report:

Malwarebytes' Anti-Malware 1.28

Database version: 1166

Windows 5.1.2600 Service Pack 3

18/09/2008 1:39:26 AM

mbam-log-2008-09-18 (01-39-26).txt

Scan type: Full Scan (C:\|)

Objects scanned: 138729

Time elapsed: 1 hour(s), 7 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 12

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 21

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\gksraemq.bvxd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\gksraemq.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\WINDOWS\system32\kBin15 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\QooBox\Quarantine\C\WINDOWS\elat.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\QooBox\Quarantine\C\WINDOWS\system32\jdmtxo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\QooBox\Quarantine\C\WINDOWS\system32\pcvpmted.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\QooBox\Quarantine\C\WINDOWS\system32\pveexsnq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\QooBox\Quarantine\C\WINDOWS\system32\uafmed.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1197\A0318600.dll (Trojan.Vundo) -> Delete on reboot.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1197\A0318601.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1197\A0319576.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1197\A0319835.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1197\A0319870.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1197\A0319876.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1200\A0322396.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1200\A0322404.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1201\A0322453.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1201\A0322454.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1201\A0322455.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1201\A0322456.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1201\A0322463.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1161\A0311130.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FA5ACB9A-D9FD-4551-8583-54F1E9191F4D}\RP1161\A0311131.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Katie\Desktop\Smart Antivirus-2009.lnk (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.

Link to post
Share on other sites
Andro1d

Andro1d

Posted
Posted

Nice job your log looks clean!

Please use the following suggestions to help prevent reinfection.

Also, you may delete any tools I had you download during the cleaning process.

System Restore maintains a backup of your programs and may also backup infections, so please reset it to make a clean Restore Point.

Please do this:

On the Desktop, right-click My Computer > click Properties > click the System Restore tab.

Check Turn off System Restore.

Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.

Please wait a few moments to let it clear.

Now please remove the check from Turn off System Restore.

Click Apply, and then click OK.

System Restore will be working again and will have a new Restore Point.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again. As a note, all of the tools and utilities mentioned are either free or have free versions available.

Malwarebytes' Anti-Malware - A very powerful tool which searches and kills malware that infects your system.

**Tutorial on installing & using this product can be found HERE**

SpywareBlaster - Great prevention tool to keep malware from installing on your system.

**Tutorial on installing & using this product can be found HERE**

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

**Tutorial on installing & using this product can be found HERE**

ZonedOut - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out malware that like to reside in the temp folders.

Firewall A firewall is very important, in order to protect your computer from hackers. I notice that you don't have one installed! Therefore I recommend Comodo, Online Armor, or Outpost.

**Tutorial on Firewalls can be found HERE**

It is important to run only one of each type of protection program in resident mode at a time since conflicts can make them less effective. This would mean only one resident antivirus, firewall and scanning type of anti-spyware. Programs like SpywareBlaster and IE-Spyads do not conflict with any of these since they don't have a real time scanning engine that would conflict.

Windows Updates - It is highly recommended to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

It is also highly recommended to stay on top of your updates at all times, for Windows and all the above mentioned applications. This will ensure that you stay protected at the maximum level possible.

Finally, I strongly recommend action-smiley-036.gifHow did I get infected in the first place? (by Tony Klein)

Good luck and safe surfing :)

Link to post
Share on other sites
Andro1d

Andro1d

Posted
Posted

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Followers 0
Go to topic listing